
Rootkit Detection

Security software vendors are adding new capabilities to prevent the installation of rootkits. Existing standalone rootkit detection products that rely on cross-view differential detection also are being incorporated into security suites, promising to bolster signature and heuristic analysis and provide in-depth diagnosis of potentially compromised computers.

Conventional antivirus players, including McAfee and Symantec, are enhancing rootkit detection. F-Secure offers a standalone rootkit detection product, BlackLight, and will bundle it into its enterprise security suite late this year. Host intrusion prevention system (HIPS) vendors, such as CA, Cisco Systems, eEye, ISS and Sana Security, as well as antispyware vendors, such as Aluria, Tenebril and WebRoot, also offer detection and prevention mechanisms.

Full-blown rootkits make up a tiny percentage of malware, but spyware and Trojans use rootkit techniques to thwart detection and removal, which means enterprises need a comprehensive solution that emphasizes prevention. Suites from major vendors may be good enough for general user populations, but IT should consider an antivirus-HIPS combination for high-value computers. IT also should add standalone rootkit detection software to its diagnostic toolbox.

New products are emerging to make it easier for security professionals to unearth rootkits on compromised machines, but identifying those machines and removing the malicious software remains frustratingly difficult. Attackers still have the upper hand once a machine is compromised. Malicious software incorporates full rootkits or rootkit-like capabilities to entrench itself on compromised PCs and evade detection. The use of stealth techniques by malware has increased 600 percent since 2004, according to McAfee, and the use of custom rootkits, which are difficult if not impossible to detect with signatures, is also on the rise.

The security community has responded to these developments with standalone rootkit-detection tools that attempt to find rootkits by examining low-level data, such as the raw file system. Some vendors also are adding enhanced rootkit-detection capabilities to their security software suites. Anti-rootkit tools generally do one of two things: detect and block rootkits before they compromise a PC, or attempt to find and remove them after they've burrowed into the OS.
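The cross-view differential detection these standalone tools rely on, as an added illustration that is not code from the article or from any product it names: the same object class (here, running processes) is enumerated through a high-level view and a lower-level view, and anything only the lower view reports is flagged. The process samples are constructed; the `linux_process_views` helper is a live Linux example assumed for illustration, and a rootkit that hooks below both views defeats it, which is why real tools read raw disk and memory.

```python
import os
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

def cross_view_diff(high_view: Iterable, low_view: Iterable) -> Dict[str, set]:
    """Compare one object class seen through a high-level (API) view and a
    low-level (raw) view. Objects only the raw view shows are the rootkit
    signal; objects only the API view shows are usually transient noise."""
    high, low = set(high_view), set(low_view)
    return {"hidden": low - high, "phantom": high - low}

def stable_hidden(rounds: Iterable[Dict[str, set]], min_rounds: int) -> set:
    """A process that starts or exits between the two enumerations shows up
    as a one-off difference; require an object to be hidden in at least
    min_rounds samples before reporting it, which suppresses that noise."""
    counts: Counter = Counter()
    for diff in rounds:
        counts.update(diff["hidden"])
    return {obj for obj, n in counts.items() if n >= min_rounds}

def linux_process_views(max_pid: int = 32768) -> Tuple[Set[int], Set[int]]:
    """Live Linux-only example of two views: /proc directory entries (what ps
    reads) versus probing every PID with signal 0 (kernel-side existence).
    A rootkit filtering only the /proc listing is exposed by this pairing."""
    proc_view = {int(d) for d in os.listdir("/proc") if d.isdigit()}
    probe_view: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue          # no such process
        except PermissionError:
            pass              # exists, but owned by another user
        probe_view.add(pid)
    return proc_view, probe_view

# Constructed sample data: PID 2231 is absent from the API view in every
# sample (hidden); PID 914 is a short-lived process seen in one sample only.
API_PROCS = {1, 412, 913}
RAW_PROC_SAMPLES = [{1, 412, 913, 2231, 914},
                    {1, 412, 913, 2231},
                    {1, 412, 913, 2231}]

def demo_hidden_processes() -> set:
    """Run the cross-view diff over every sample and keep only stable hits."""
    rounds = [cross_view_diff(API_PROCS, raw) for raw in RAW_PROC_SAMPLES]
    return stable_hidden(rounds, min_rounds=len(RAW_PROC_SAMPLES))

if __name__ == "__main__":
    print("stable hidden PIDs:", demo_hidden_processes())  # {2231}
```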

Toward the goal of prevention, security vendors recommend a cocktail of techniques that includes signatures, heuristics, behavioral analysis and generic exploit blocking. If a machine has been compromised, the most common approach is to use a standalone rootkit-detection tool to probe the infected host.