Techniques used to hide rootkits include; concealing running processes from monitoring programs, and hiding files, or system data, from the operating system. In other words, the rootkit files and processes will be hidden in Explorer, Task Manager, and other detection tools.
It’s easy to see then, that if a threat uses rootkit technology to hide, it is going to be very difficult to find.
Enter the Rootkit detector which will provide you with the tools to find and delete rootkits, and to uncover the threats Rootkits may be hiding.
We’ve written here a number of times on Rootkits and free tools designed to uncover and remove these scourges, and thanks to regular reader Robert, we can share with you a new free tool, Tizer Rootkit Razor, which will allow you to identify and remove Rootkits from your computer.
I should be clear however, this tool is not “one-click simple” to decipher, and users need to be particularly mindful of false positives.
Since the false positive issue, is always a major consideration in using tools of this type, you should be aware that tools like this, are designed for advanced users, and above.
Here’s a reasonable test to determine if you have the skills necessary to use this application effectively. If you’re not capable of using, and interpreting, an application such as HiJackThis for example, it is unlikely that using this program would prove to be beneficial. On the other hand, if you can interpret the results of a HiJackThis scan, you’re probably “good to go”.
The user interface is dead simply – functional and efficient, as the following screens from my test system indicate. BTW, no Rootkits were found during this test.
Main Screen: This page displays information related to your operating system and memory usage.
a.) Smart Scan: This feature automatically scans all the critical areas in the system and displays hidden objects, hence making things easier for the user.
NOTE: User is provided with a feature to fix the hidden object (if any).
Process Scan: This module scans processes currently running on the machine. A process entry will be highlighted in red if it is a hidden rootkit. The user can click on an individual process to display any hidden modules loaded by the process.
NOTE: The user is provided with the option to terminate processes and delete modules.
Registry Scan: This module scan is for hidden registry objects.
a.) Smart Scan: A smart scan will scan the critical areas of the registry.
b.) Custom View: This module provides a virtual registry editor view, hence enables the user to navigate through the registry and check for hidden keys or values. (Hidden keys/values will be highlighted)
Kernel Module Scan: This module scans for loaded drivers in the memory. A module entry will be highlighted in red if it is hidden.
NOTE: The user is provided with a feature to unload and delete a driver module from memory.
Services Scan: This module scans all installed services on the local machine. A particular service entry will be highlighted if it is hidden.
NOTE: The user is provided with start, stop, pause, and resume features. They may also change the startup type of service.
SPI Scan: This module lists all the LSPs installed in the system. This is read only information.
NOTE: The user can check for any unauthorized LSP installed.
SSDT Scan: This module scans for any altered value in the System Service Descriptor Table (SSDT). The process of alteration is termed as “Hooking.”
NOTE: The user can restore the altered value to its original value.
Ports Scan: This module will scan all open TCP and UDP ports. A particular port entry will be highlighted if it is hidden.
NOTE: The user is provided with the option to terminate the connection.
Thread Scan: This module will enumerate all running processes. The user can click on a particular process to view and scan all threads running in context of that process. Any hidden threads will be highlighted in red.
NOTE: The user is provided with the option to terminate a thread.
File/Object Scan: This module will scan for any hidden files in the system. The user selects a location on the computer to scan.
Much like anti-spyware programs, no one Rootkit detector application catches everything, and to highlight the differences in Rootkit detection applications, the publisher of Tizer Rootkit Razor has provided the following comparison chart.
If you think you might have hidden malware on your system, I recommend that you run Tizer Rootkit Razor. Scanning for Rootkits occasionally is good practice in any event, and if you have the necessary skills, Tizer Rootkit Razor appears to be a good choice to help you do that.
System requirements: Windows XP, Vista, Win 7 – (there is no indication on the developer’s site that this app is x64 compatible).
Download at: Tizer Secure
If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.