A rootkit is a particularly stealthy and nasty form of malware designed to take over complete control of a system (root level access in UNIX terms means “access to everything, no holds barred”). Rootkits seek to hide from detection via standard operating system based security mechanisms, and require special tools for detection and cleanup.
For more information on rootkits, and how they work, see the following:
1. Wikipedia Rootkit entry
2. WhatIs.com definition
3. PC Magazine definition
The ultimate resource on this subject is Greg Hoglund and Jamie Butler’s excellent book “Rootkits: Subverting the Windows Kernel” (Addison-Wesley, 2005, ISBN-13: 978-0321294319).
There are several good, free rootkit detectors, including a very good one from Mark Russinovich of Microsoft/SysInternals called RootkitRevealer (it is both thorough and reliable, but it runs from the command line and isn’t terribly user friendly). Instead, I recommend the Blacklight rootkit detector from F-Secure because it’s very easy to use, and thus workable for everyone (RootkitRevealer is more of a hardcore bithead or IT professional’s tool). You can download Blacklight from ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe.
Using this tool is absurdly easy: just run the executable from Windows Explorer or the command line. After you agree to the licensing terms, you’ll see a small window pop up on your desktop that looks like this:
Once you get past the license terms verbiage, just click the Scan button to fire off the rootkit scanner.
Click the Scan button, and the tool goes off to check the various files and folders on your machine where rootkits might potentially reside. It reports on the files it’s examining along the way:
While it’s busy scanning, Blacklight reports full directory specs for the files it’s inspecting.
The overall process completes reasonably quickly (it took about three minutes on my production desktop). At that point it reports anything it finds. You should hope for a final status that looks like this:
If you’re lucky, Blacklight reports “No hidden items found.”
If Blacklight does find something, it will assist with clean-up when and as it can. But a rootkit infection is a non-trivial situation, and will sometimes require PC owners to scrub their drives and then to install an uninfected backup, or to rebuild their machines from scratch. That’s why I hope this never happens to anybody who reads this blog!
If your security suite or collection of security software does not include a rootkit detector, run this tool on your machine at least once a week. OTOH, you could replace your current security software with a collection that does include a rootkit detector. Most big-name security suites already offer this coverage, as they most definitely should.