There are many different types of computer malware, and the ones that use rootkit technologies are among the worst because they are the hardest to detect and remove. Rootkit technology can hide its presence from everything from the most basic tools built into Windows, such as Task Manager, to your most trusted firewall or antivirus software, so you won’t even know that it’s there. This is achieved by installing and loading kernel-mode drivers, which allow the malware to run with higher privileges.
Although 64-bit Windows operating systems are generally safe from rootkit infection because by default the operating system only accepts signed driver files, there have been cases where legitimate digital certificates were stolen by hackers and used to sign rootkit drivers to bypass security software and Windows defenses. Antivirus software was not much help either: the Stuxnet worm remained undetected on infected computers for years before it was discovered by VirusBlokAda, the developer of the VBA32 antivirus software.
Since antivirus software is far from perfect at catching rootkits, we’ve put 15 dedicated anti-rootkit tools to the test to see if they are able to detect the 3 different keyloggers (All In One Keylogger, Invisible KeyLogger Stealth, Elite Keylogger) that use rootkit technology, which we installed on our test system.
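A defender-side check for the driver-signing point above, added here as an example and not taken from the article or any of the tools it reviews: it lists the running kernel drivers and reports each file’s Authenticode signature status and signer, assuming an elevated PowerShell session on 64-bit Windows. Because a driver signed with a stolen certificate still validates, the signer column is there for manual review, not just the status.

```powershell
# Added example: enumerate running kernel-mode drivers and verify their Authenticode signatures.
# Assumes an elevated PowerShell session on 64-bit Windows (Driver Signature Enforcement on).
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # PathName comes in several forms: \??\C:\..., \SystemRoot\..., or a path
    # relative to the Windows directory. Normalise to a plain file-system path.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }

    if (-not (Test-Path -LiteralPath $path)) {
        # A running driver whose backing file cannot be found is itself worth a look.
        [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'FileMissing'; Signer = $null }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        Path   = $path
        Status = $sig.Status                     # Valid, NotSigned, HashMismatch, UnknownError, ...
        Signer = $sig.SignerCertificate.Subject  # review this even when Status is Valid
    }
}

# Show everything, with the non-valid entries grouped at the top for triage.
$report | Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, Name | Format-Table -AutoSize

# Keep a copy of the suspicious entries so they can be compared against a known-good baseline.
$report | Where-Object { $_.Status -ne 'Valid' } |
    Export-Csv -NoTypeInformation -LiteralPath (Join-Path $env:TEMP 'driver-signature-report.csv')
```

Legitimate vendor drivers such as the COMODO Time Machine files the article mentions will show as Valid with the vendor’s subject name, which is exactly the case where a false positive from a scanner can be ruled out quickly.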
1. avast! ANTIROOTKIT
This free and portable anti-rootkit tool by avast! is outdated and has not been maintained since 2008 because it was integrated into their antivirus program, but it can still be downloaded directly from their server. Using rootkit detection technology based on GMER, avast! ANTIROOTKIT only managed to detect All In One Keylogger while missing the other two driver-based rootkit keyloggers. Clicking the “Fix Now!” button successfully deleted the files after a restart.
2. AVG Anti-Rootkit
This free anti-rootkit tool by AVG suffers the same fate as avast!, having been abandoned since 2006 when it was integrated into their antivirus software. The program requires installation and a reboot, and must either be run manually as administrator or have UAC disabled to run. The result for AVG Anti-Rootkit is also the same as avast!: only All In One Keylogger is detected, while Elite Keylogger and Invisible KeyLogger Stealth are missed. The “Remove selected items” button does not delete the infected files but renames them by replacing the last character of the file’s extension with an underscore, for example .exe becomes .ex_.
3. Bitdefender Removal Tool / Rootkit Remover
We weren’t able to determine whether Bitdefender’s anti-rootkit tool is called “Removal Tool” or “Rootkit Remover” because the program’s name and the website say different things, even though they are the exact same application. Bitdefender Removal Tool is free, portable and up to date (last updated in February 2013) but can only detect known rootkits through signatures, not unknown ones. The scan takes merely a second to tell you whether any rootkit threats were detected. Both 32-bit and 64-bit versions are available. Bitdefender Rootkit Remover failed to detect all 3 rootkit keyloggers.
4. HitmanPro
HitmanPro is a popular second-opinion malware scanner that first uses behavioral analysis to determine whether a file is a possible threat and then automatically uploads the file to be scanned in the cloud by 5 different antiviruses for confirmation. Although HitmanPro is shareware, you can use it to scan your computer for free, while removal is only available during the 30-day trial. All In One Keylogger was detected because Ikarus and G Data indicated that the file is malicious. HitmanPro found the Elite Keylogger files suspicious but did not flag them as a threat because none of the antiviruses detected them as malicious after the cloud scan. Invisible KeyLogger Stealth wasn’t detected at all.
5. Kaspersky TDSSKiller
Kaspersky TDSSKiller started off as a removal tool to detect and clean up the Alureon/TDSS/TDL rootkit and has grown to recognize a few other rootkits, including bootkits. In our test, Kaspersky TDSSKiller missed all 3 rootkit keyloggers and even wrongly detected 3 legitimate system (.SYS) files belonging to COMODO Time Machine as suspicious objects with medium risk.
6. Malwarebytes Anti-Rootkit
Malwarebytes Anti-Rootkit is the new kid on the block for detecting and removing rootkits and is still in BETA status. It received a lot of reviews and publicity when it was released to the public because everyone had very high hopes for products by Malwarebytes.
It is unclear which variants of rootkits can be detected by Malwarebytes Anti-Rootkit because this is not mentioned on their official website, but it failed to detect any of the 3 rootkit keyloggers during testing. A very useful tool called “FixDamage” that comes in the same ZIP archive can be used to repair damage done by rootkits by restoring important Windows services.
7. McAfee Rootkit Remover
McAfee Rootkit Remover is a very simple and small (532KB) utility to detect and remove the ZeroAccess and TDSS families of rootkits. The program runs in a command line window, automatically checks for updates and takes only a few seconds to scan for rootkit infections. As expected, McAfee Rootkit Remover didn’t detect any of the 3 rootkit keyloggers as a threat because it only recognizes the 2 rootkit families mentioned earlier.
8. Norton Power Eraser
We don’t normally see Symantec offering any of their tools for free. Even their rescue disk known as Norton Bootable Recovery Tool requires a valid product key to run. Thankfully there is one tool called Norton Power Eraser which is free to use for detecting and removing malware that is hidden deep inside the system.
It is a single portable executable file of only around 3MB in size. The Rootkit scan option is enabled by default in Settings and requires a restart before the rootkit scan is performed. Norton Power Eraser detected All In One Keylogger and Invisible KeyLogger Stealth. As for Elite Keylogger, one of its DLL files was flagged as unknown. It also had 3 false positives, detecting the COMODO Time Machine driver files as unsafe.
9. Trend Micro RootkitBuster
RootkitBuster is a free tool by Trend Micro that is able to check multiple locations in Windows such as the Master Boot Record (MBR), files, registry entries, kernel code patches, operating system service hooks, file streams, drivers, ports, processes and services to identify rootkit presence. It was last updated a month ago and has dedicated builds for both 32-bit and 64-bit.
RootkitBuster only managed to detect All In One Keylogger while missing the other 2. It also produced the same false detections as Kaspersky TDSSKiller and Norton Power Eraser by wrongly identifying the 3 COMODO Time Machine driver files as threats.
10. UnHackMe
UnHackMe is the only shareware rootkit killer with monitoring capabilities to automatically check your computer for any possible rootkit infection. The trial version of UnHackMe can be used for 30 days without limitation. The program’s user interface looks simple enough for beginners to use, and you can even send the generated regrunlog.txt report file to their support center for advice if you’re not fully sure a detected unknown/suspicious file is indeed malicious.
There are a few buttons, such as stopping a service, deleting a registry key and disabling autorun, to help disable the suspicious file, but we found that the most effective one is “Delete File at Next Reboot” when the malware is very persistent. UnHackMe found All In One Keylogger and Invisible KeyLogger Stealth but missed Elite Keylogger.
As you can see from the results above, very few automated rootkit detection tools manage to detect all 3 rootkits. Norton Power Eraser did the best by confirming 2 infections, with 1 unknown status. There is another category of anti-rootkit utilities designed for more advanced users to manually analyze, decide and remove rootkits, which can be found on the next page.