Detecting rootkits

Subversive Technologies & Countermeasures

Development Jason Todd Informative article Perpetual development, in need of user contributions No disputes Legend

Contents 1 Detection 2 Guarding points of entry 2.1 External sources 2.2 Internal sources 3 Protecting memory 4 Protecting storge 5 Software tools integration 6 Appendix

[edit] Detection

[edit] Guarding points of entry

[edit] External sources

• Network
• Flash drives, Floppies

[edit] Internal sources

• DLL injection
• Win32 registry keys
• Hooking

[edit] Protecting memory

A rootkit is going to have to exist in memory at some point in able to produce the desired result.

• System memory
• Peripheral memory

[edit] Protecting storge

• EEPROM
  • firmware
  • bios
• flash memory
• hard drives, bad sectors

[edit] Software tools integration

Most software packages for the windows platform now offer software suites that contain firewall, ids, virus scanner, malware detection, rookit detection, and a host of other utilties.

[edit] Appendix

Windows:

• Strider GhostBuster
• Rootkit revealer
• System Virginity Verifier
• flister
• BlackLight
• ProcessGuard
• Vice

*nix:

• Rootkit hunter
• chkrootkit
• rkdet