Trend Micro has quietly released a rootkit scanning/cleaning utility, belatedly joining the list of anti-vendors pushing out free standalone tools to nab the stealthy computer threats.
Trend Micro's new RootkitBuster offers the ability to scan for hidden files, registry entries, processes, drivers and hooked system service. It also includes a cleaning capability for hidden files and registry entries.
The anti-virus company never announced the release of the tool, but a quick scan of the usual rootkit discussion forums provides hints that it has been available for a few months.
I haven't had a chance to pit RootkitBuster against the many rootkits available for download at rootkit.com but, affording to this reviewer, it holds up fairly well to scrutiny:
Simple as it is, RootkitBuster actually doesn't do a bad job. The program runs as-is (no installation needed) and scans five areas: file system, Registry, running processes, drivers, and any operating system-level service hooks. The results are automatically exported to a log file, and if anything's detected you can opt to have it deleted (with a forced reboot afterward to insure deletion).
The release of standalone rootkit-cleanup tools from anti-virus vendor is a direct result of Mark Russinovich's expose of Sony's use of rootkit functionalities in its controversial DRM scheme.
At the time, anti-virus vendors were largely clueless about the extent of rootkit infections. In the minds of many, the Sony rootkit episode was an indictment of the incompetence of a computer security sector that stood idly by while dangerous rootkits were being hidden on millions of machines.
Since then, with an exception or two, there has been a mad scramble to add rootkit detection to existing products and roll out free standalone tools but, as recent survey (PDF) by Roger Thompson shows, most are not very good.
As the security vendors struggle to keep pace, researchers are plowing ahead with advanced forms of offensive rootkits. The new Unreal.A is a perfect example. The demo rootkit uses a series of tricks to bypass all modern anti-rootkit tools, including the highly rated RootkitRevealer from Microsoft's Sysinternals unit, and illustrates clearly just how much catching up is left to do.