Rootkit Removal Tools
More than a dozen rootkit detectors and removers can help you check your systems for malware.
August 29, 2006
Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is growing too, as is the list of standalone tools for rootkit detection and removal. This week, I give you a list of the standalone detection and removal tools that I know about.
The alphabetical list below can help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, it's a good idea to use more than one rootkit detector, because no single tool can detect and remove every rootkit.
Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I'm familiar with and trust to some extent or other.
A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) look interesting, but I have no idea who the authors are, nor do their Web sites offer much information to lend insight. So although I included them in the list, definitely use your own discretion.
There are undoubtedly other related tools available that I'm not aware of; if you know of one, please send me an email with details. If you've tried one of the tools below, let me know about your experiences with it.
BitDefender RootkitUncover beta, from SoftWin
This tool is currently available as a free beta and looks promising, particularly because it's from SoftWin, makers of BitDefender.
http://download.bitdefender.com/windows/desktop/internet_security/beta/
DarkSpy, from DarkSpy Security Group
This tool comes from a group of Chinese security researchers I'm not familiar with. The download page for the tool says, "Use at your own risk," and you'd be wise to take that advice; it might give you a little comfort, however, to know that this tool was recently mentioned in the SANS Internet Storm Center's Handler's Diary (see the second URL under the Helios entry below).
http://www.fyyre.net/~cardmagic/index_en.html
F-Secure BlackLight
This standalone tool is "trialware," meaning that each release expires on a set date (the current build expires October 1). The same technology is a standard component of F-Secure's Internet Security 2006 package.
http://www.f-secure.com/blacklight/blacklight.html
GMER, from an unknown independent Polish developer
Although no information is readily available about who developed this tool, its Web site has several screenshots and some movies (in .wmv and .avi format) that show the tool in action. So you can get a good idea of what it's like before using it.
http://www.gmer.net
Helios, from MIEL e-Security
This is a new tool, currently in "alpha" development, that looks promising. For some good insight into Helios, go to the second URL below to read the SANS Handler's Diary entry for July 26, which also includes some screenshots of the tool in action.
http://helios.miel-labs.com
http://isc.sans.org/diary.php?storyid=1487
IceSword, by Xfocus Team
IceSword has proven useful to many security administrators. Xfocus is a group of Chinese security researchers; their site is written in Chinese, but you can use AltaVista's Babel Fish translation service (the second URL below) to view it in English and to translate the Chinese documentation as well.
http://www.xfocus.net/tools/200509
http://babelfish.altavista.com/babelfish/tr?trurl=http://www.xfocus.net/tools/200509/&lp=zt_en
RKDetector, by Miguel Tarasco Acuna
This toolkit has two parts: a file system analyzer and an Import Address Table (IAT) analyzer. The file system analyzer scans the file system and registry, and the IAT analyzer scans process memory for altered import entries, the kind of alteration a rootkit makes to hook into the system. Screenshots are available to give you a good idea of what the tool looks like.
http://www.rkdetector.com
RootKit Hook Analyzer, from Resplendence Software Projects
Most rootkit detection tools look at kernel hooks, the file system, the registry, user accounts, and so on; this tool focuses exclusively on kernel hooks.
http://www.resplendence.com/hookanalyzer
RootkitRevealer, from Sysinternals
Written by Mark Russinovich and Bryce Cogswell, two very well-known Windows experts.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Rootkit Unhooker, from UG North
Although I have no idea who UG North is, the tool looks promising. It checks for unwanted processes and system hooks and can help terminate such processes.
http://www.rkunhooker.narod.ru
Sophos Anti-Rootkit
This standalone tool offers both a GUI and a command line version and is similar to the antirootkit technology built into the Sophos Anti-Virus for Windows solution.
http://sophos.com/products/free-tools/sophos-anti-rootkit.html
System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska
These tools look for hidden files and for modifications to various system components that rootkit techniques commonly alter. Source code is included. Rutkowska is a well-known researcher.
http://www.invisiblethings.org/tools.html
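Two of the checks that the RKDetector and Rutkowska entries above describe in a sentence each, cross-view comparison for hidden files and IAT inspection for hooks, can be modelled in a few dozen lines. The Python below is an added example; it is not code from the article or from any of the listed tools. The module map, IAT entries and directory listings are constructed sample data, `injected.dll` is a hypothetical rootkit module, and the function names are mine.

```python
"""Two rootkit-detection checks modelled on constructed data (added example).

1. Cross-view diff: compare a directory listing obtained through the normal
   API (which a user-mode rootkit can filter) with one obtained from a raw
   view (e.g. parsing the on-disk structures directly). Entries present only
   in the raw view are hidden; entries present only in the API view are
   phantoms (a hook bug or a decoy).
2. IAT hook check: every Import Address Table slot in a process should point
   inside the image of the DLL that exports the function. A slot pointing
   into another module, or into memory backed by no module, has been hooked.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Module:
    name: str   # e.g. "kernel32.dll"
    base: int   # load address
    size: int   # size of the mapped image

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def cross_view_diff(api_view: List[str], raw_view: List[str]) -> Dict[str, List[str]]:
    """Return names seen only in the raw view ('hidden') or only in the API view ('phantom').

    Names are compared case-insensitively, as Windows file systems do."""
    api = {n.lower() for n in api_view}
    raw = {n.lower() for n in raw_view}
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def find_iat_hooks(iat: Dict[Tuple[str, str], int], modules: List[Module]) -> List[dict]:
    """Flag IAT entries whose target lies outside the exporting DLL's image.

    iat maps (dll_name, function_name) -> address currently stored in the slot."""
    by_name = {m.name.lower(): m for m in modules}
    hooks = []
    for (dll, func), target in iat.items():
        expected = by_name.get(dll.lower())
        if expected is not None and expected.contains(target):
            continue  # slot resolves into the right DLL: no IAT hook (inline hooks not covered)
        owner = next((m.name for m in modules if m.contains(target)), None)
        hooks.append({
            "dll": dll,
            "function": func,
            "target": target,
            "resolved_to": owner,  # None: target is backed by no loaded module at all
        })
    return hooks


# --- constructed sample data (not real captures) ---
API_VIEW = ["boot.ini", "ntldr", "WINDOWS", "Program Files"]
RAW_VIEW = ["boot.ini", "ntldr", "WINDOWS", "Program Files", "hidden.sys"]

SAMPLE_MODULES = [
    Module("kernel32.dll", 0x7C800000, 0xF6000),
    Module("ntdll.dll", 0x7C900000, 0xB2000),
    Module("injected.dll", 0x10000000, 0x8000),  # hypothetical rootkit DLL
]
SAMPLE_IAT = {
    ("kernel32.dll", "CreateFileW"): 0x7C801A28,        # inside kernel32: clean
    ("kernel32.dll", "FindFirstFileW"): 0x10001230,     # redirected into injected.dll
    ("ntdll.dll", "NtQueryDirectoryFile"): 0x00350000,  # redirected to unbacked memory
}

if __name__ == "__main__":
    print("cross-view:", cross_view_diff(API_VIEW, RAW_VIEW))
    for h in find_iat_hooks(SAMPLE_IAT, SAMPLE_MODULES):
        print(f"IAT hook: {h['dll']}!{h['function']} -> {h['target']:#010x} "
              f"({h['resolved_to'] or 'no module'})")
```

Two caveats a practitioner should keep in mind. The range check catches only IAT redirection; a rootkit that patches the first bytes of the function inside the legitimate DLL (an inline hook) leaves the slot pointing where it should, so the entry looks clean. And a cross-view diff only works if the "raw" view really bypasses the hooked layer; a kernel-mode rootkit filtering below the API will make both views agree unless the raw view is built from the on-disk structures directly. That is why the tools listed here also inspect kernel hooks rather than relying on user-mode comparisons alone.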
UnHackMe, from Greatis Software
Unlike the other listed tools, this one isn't free; it's priced starting at $19.95 for a single license. You can view screenshots of the tool to see what it looks like and download a working demo if you're interested.
http://greatis.com/unhackme