RootKit Revealer

Quad Master · Nov 4, 2005

RootKit Revealer

Hi Guys

Read about this software in Tracer's Post , felt that looks like an intresting
software so did a bit of googling and posting info here.

RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender (note: RootkitRevealer is not intended to detect rootkits like Fu that don't attempt to hide their files or registry keys). If you use it to identify the presence of a rootkit please let us know!

The reason that there is no longer a command-line version is that malware authors have started targetting RootkitRevealer's scan by using its executable name. We've therefore updated RootkitRevealer to execute its scan from a randomly named copy of itself that runs as a Windows service. This type of execution is not conducive to a command-line interface. Note that you can use command-line options to execute an automatic scan with results logged to a file, which is the equivalent of the command-line version's behavior.

Some more of ur questions will be answered here
Main Link:- http://www.sysinternals.com/Utilities/RootkitRevealer.html

1.> What is a Rootkit?
2.> Types of Rootkit
Persistent Rootkits , Memory-Based Rootkits , User-mode Rootkits , Kernel-mode Rootkits
3.> How RootkitRevealer Works
4.> Can a Rootkit hide from RootkitRevealer?
5.> Is there a sure-fire way to know of a rootkit's presence?

And more.......

Some More Intresting Articles
1.> Rootkit battle: Rootkit Revealer vs. Hacker Defender

2.> How Not 2 Run Rootkit Revealer - Forum Discussion

3.> Sony, Rootkits and Digital Rights Management Gone Too Far
Link:- http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html

4.> Unearthing Rootkits
Link:- http://www.windowsitpro.com/Windows/Article/ArticleID/46266/46266.html

5.> This site contains sample code for a number of user-mode and kernel-mode rootkits as well as ongoing discussions on how to develop rootkits.
Link:- http://www.rootkit.com/

6.> Microsoft Research rootkit home page where Microsoft publishes papers and information on its efforts to combat rootkits.
Link:- http://research.microsoft.com/rootkit/

Download Here

Old Versions

zhopudey · Nov 4, 2005

Cool...Now can someone explain in plain english?
Who's the bad guy? Rootkit or RootkitRevealer?

Ein · Nov 4, 2005

thanx... was abt to do sm googlin myself, when i spotted this thread !!

@zho -

The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities.

Clearly, the bad guy

which makes da revealer Shahrukh Khan

zhopudey · Nov 4, 2005

And Sony's drm uses these rootkits? So it is like spyware?

KingKrool · Nov 5, 2005

Yup. That is why people are in such a tizzy. Sony installed such stuff onto people's comps without asking..

Ein · Nov 5, 2005

Good entry over @ wikipedia.

Here's the bit about the etymology of da word:

The term "rootkit" (also written as "root kit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the cracker that those commands would normally display, thus allowing the crackers to maintain "root" on the system without the system administrator even seeing them.

Generally now the term is not restricted to Unix based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).

smsrohit · Nov 11, 2005

Scanning my pc with root kit scanner, i found that there are 9 rootkit installed , but i got no idea, which software installed it, or is it work of some virus, or part of windows itself, whereas norton antivirus scan is clean.

KingKrool · Nov 11, 2005

smsrohit, you may just be confused. The s/w does not detect rootkits like an antivirus detects viruses - rather, it shows u the symptoms. These cud be there for other reasons (like a file being updated while you run the program). Read the instructions on the site and then see.

And no AV can reveal these (F-Secure does have an extra tool tho).

In general, if you have a rootkit there is only one way out - format. Only experts can safely reomve a rootkit.