Thursday, November 29, 2007

Malware and rootkit detection with Strider, RootKitRevealer and Rootkit Hunter

Removing nasty rootkits or spyware protected by "Hacker defender" and friends:

Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism.
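As an added illustration of the cross-view idea (this is example code, not Strider GhostBuster's or RootkitRevealer's own implementation): the "lie" is whatever the hooked high-level API returns, the "truth" is a lower-level enumeration of the same namespace, and anything present in the truth but missing from the lie is a hidden object. The listing, the hidden-name prefix and the transient temp file are constructed; the second pass is there because files created or deleted between the two enumerations would otherwise be flagged as false positives.

```python
from typing import Callable, Iterable, Optional, Set

def normalize(name: str) -> str:
    # Windows names are case-insensitive; compare both views in one canonical form.
    return name.strip().lower()

def cross_view_diff(truth: Iterable[str], lie: Iterable[str]) -> Set[str]:
    """Names present in the low-level ("truth") view but absent from the API ("lie") view."""
    return {normalize(n) for n in truth} - {normalize(n) for n in lie}

def confirm_hidden(scan_truth: Callable[[], Iterable[str]],
                   scan_lie: Callable[[], Iterable[str]],
                   passes: int = 2) -> Set[str]:
    """Repeat the diff and keep only names flagged on every pass.
    A genuinely hidden object is missing from the API view every time;
    an entry that merely changed between the two enumerations is not."""
    flagged: Optional[Set[str]] = None
    for _ in range(passes):
        diff = cross_view_diff(scan_truth(), scan_lie())
        flagged = diff if flagged is None else flagged & diff
    return flagged or set()

# Constructed sample directory as a raw enumeration would see it.
RAW_LISTING = ["Boot.ini", "ntldr", "_hide_svc.exe", "_hide_cfg.ini", "pagefile.sys"]

def simulated_hiding_api(listing: Iterable[str]) -> list:
    # Constructed stand-in for an API-hiding rootkit: filter out a configured prefix.
    return [n for n in listing if not normalize(n).startswith("_hide_")]

class Scanner:
    """Models one race: a temp file exists during the first raw scan only and is
    gone by the time the API enumeration runs, so it appears in exactly one diff."""
    def __init__(self) -> None:
        self.raw_calls = 0
    def truth(self) -> list:
        self.raw_calls += 1
        transient = ["~tmp_between_scans.tmp"] if self.raw_calls == 1 else []
        return RAW_LISTING + transient
    def lie(self) -> list:
        return simulated_hiding_api(RAW_LISTING)

if __name__ == "__main__":
    s = Scanner()
    print("hidden:", sorted(confirm_hidden(s.truth, s.lie)))
```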

It is similar to Mark Russinovich's RootkitRevealer from Sysinternals. Another interesting tool is Sophos Anti-Rootkit.

Also worth a look is LiveKd, which lets you run the Kd and WinDbg kernel debuggers against a live system.

For a Linux/BSD/UNIX tool, take a look at Rootkit Hunter.