SysInternals releases rootkit detection tool

The team at SysInternals has just released RootkitRevealer, which does essentially what Microsoft's still-internal Ghostbuster tool does; namely, it runs a couple of scans of the hard drive from different levels (user mode and kernel mode, essentially). Any discrepancy could potentially be the result of a rootkit attempting to hide its tracks.

In an earlier post, I talked about the applicability of tools like Ghostbuster vs. things like Tripwire. Seems like the guys at SysInternals are in agreement, noting that RootkitRevealer could still be tricked by really sophisticated kernel-mode rootkits, and that off-line (CD bootable, etc.) scanners would be more sound, but still potentially susceptible to false negatives.

Regardless, big kudos to them for getting the tool out there and not making us all wait for Ghostbuster. Plus, now we don't have to put up with a bunch of "he slimed me" jokes.

Get In Touch