There are many different types of computer malware, and the ones that use rootkit technologies are the worst because they are the hardest to detect and remove. Rootkit technology hides the malware’s presence from everything from the most basic tools built into Windows, such as Task Manager, to your most trusted firewall or antivirus software, so you won’t even know that it’s there. This is achieved by installing and loading kernel-mode drivers, which let the malware run with higher privileges.
Although 64-bit Windows operating systems are generally safe from rootkit infection because by default the operating system only accepts signed driver files, there have been cases where legitimate digital certificates were stolen by hackers and used to sign rootkit drivers to bypass security software and Windows defenses. Antivirus software was not much of a help either: the Stuxnet worm remained on infected computers for years before it was discovered by VirusBlokAda, the developer of the VBA32 antivirus software.
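Because a rootkit needs a kernel-mode driver, a quick defender-side check is to list every loaded driver with its signature status and signer. The following PowerShell script is an added example, not code from the article or from any of the tools reviewed; the path normalisation rules and the catalog-signing caveat are assumptions about how Windows reports driver paths.

```powershell
# Added example (not from the article): list loaded kernel drivers with their
# Authenticode signature status and signer so that unsigned or oddly signed
# drivers can be reviewed by hand. Run from an elevated PowerShell on Windows.

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    # Win32_SystemDriver reports paths in several NT-style forms; normalise them
    # (assumed forms: \??\C:\..., \SystemRoot\..., system32\drivers\...).
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
    return $p
}

function Get-DriverSignatureReport {
    param([switch]$RunningOnly)
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if ($RunningOnly) { $drivers = $drivers | Where-Object { $_.State -eq 'Running' } }
    foreach ($d in $drivers) {
        $path = Resolve-DriverPath $d.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # A loaded driver whose file cannot be found on disk deserves a closer look.
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $d.PathName;
                               Status = 'FileMissing'; Signer = $null }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Path   = $path
            Status = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Signer = $signer
        }
    }
}

# Show the drivers that need a human decision first: missing files, then
# invalid or absent signatures. Caveat: drivers signed only through a catalog
# (.cat) file may report NotSigned on some Windows versions, so treat this as a
# review list, not a verdict. A Valid status also proves nothing if the signing
# certificate was stolen, which is why the Signer column is shown for review.
Get-DriverSignatureReport -RunningOnly |
    Sort-Object { $_.Status -eq 'Valid' }, Name |
    Format-Table Name, State, Status, Signer -AutoSize
```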
Since antivirus software is far from perfect at catching rootkits, we’ve put 15 dedicated anti-rootkit tools to the test to see whether they are able to detect 3 different keyloggers that use rootkit technology (All In One Keylogger, Invisible KeyLogger Stealth and Elite Keylogger), which we installed on our test system.
1. avast! ANTIROOTKIT
This free and portable anti-rootkit tool by avast! is outdated and has not been maintained since 2008 because it has been integrated into their antivirus program, but it can still be downloaded directly from their server. Using rootkit detection technology based on GMER, avast! ANTIROOTKIT only managed to detect All In One Keylogger while missing the other two driver-based rootkit keyloggers. Clicking the “Fix Now!” button successfully deleted the files after a restart.
2. AVG Anti-Rootkit
This free anti-rootkit tool by AVG suffers the same fate as avast!: it has been abandoned since 2006 because the anti-rootkit functionality was integrated into their antivirus software. The program requires installation and a reboot, and must either be run manually as administrator or have UAC disabled in order to run. The result of AVG Anti-Rootkit is also the same as avast!: only All In One Keylogger is detected, while Elite Keylogger and Invisible KeyLogger Stealth are missed. The “Remove selected items” button does not delete the infected files but replaces the last character of the file’s extension with an underscore, for example from .exe to .ex_.
3. Bitdefender Removal Tool / Rootkit Remover
We weren’t able to determine whether Bitdefender’s anti-rootkit tool is called “Removal Tool” or “Rootkit Remover” because the program’s name and the website say different things even though they are the exact same application. Bitdefender Removal Tool is free, portable and up to date (last updated in February 2013), but it can only detect known rootkits through signatures, not unknown ones. The scan takes merely a second to tell you if any rootkit threats are detected. Both 32-bit and 64-bit versions are available. Bitdefender Rootkit Remover failed to detect all 3 rootkit keyloggers.
4. HitmanPro
HitmanPro is a popular second-opinion malware scanner that first uses behavioral analysis to determine if a file is a possible threat and then automatically uploads the file to be scanned in the cloud with 5 different antiviruses for confirmation. Although HitmanPro is shareware, you can use it to scan your computer for free, while removal is only available during the 30-day trial. All In One Keylogger was detected because Ikarus and G Data indicated that the file is malicious. HitmanPro found the Elite Keylogger files to be suspicious, but they weren’t flagged as a threat because none of the antiviruses detected them as malicious after the cloud scan. Invisible KeyLogger Stealth wasn’t detected at all.
5. Kaspersky TDSSKiller
Kaspersky TDSSKiller started off as a removal tool to detect and clean up the Alureon/TDSS/TDL rootkit and has grown to recognize a few other rootkits including bootkits. Upon testing, Kaspersky TDSSKiller missed all 3 rootkit keyloggers and even wrongly detected 3 legitimate system (.SYS) files belonging to COMODO Time Machine as suspicious objects with medium risk.
6. Malwarebytes Anti-Rootkit
Malwarebytes Anti-Rootkit is the new kid on the block for detecting and removing rootkits and is still in BETA status. It received a lot of reviews and publicity when it was released to the public because everyone had very high hopes for products by Malwarebytes.
It is unclear which variants of rootkits can be detected by Malwarebytes Anti-Rootkit because it is not mentioned on their official website, but it failed to detect any of the 3 rootkit keyloggers during testing. A very useful tool called “FixDamage”, which comes in the same ZIP archive, can be used to repair damage done by rootkits by restoring important Windows services.
7. McAfee Rootkit Remover
McAfee Rootkit Remover is a very simple and small (532KB) utility to detect and remove the ZeroAccess and TDSS families of rootkits. The program runs in a command-line window, automatically checks for updates and takes only a few seconds to scan for rootkit infections. As expected, McAfee Rootkit Remover didn’t detect any of the 3 rootkit keyloggers as threats because it can only recognize the 2 rootkit families mentioned earlier.
8. Norton Power Eraser
We don’t normally see Symantec offering any of their tools for free. Even their rescue disk known as Norton Bootable Recovery Tool requires a valid product key to run. Thankfully there is one tool called Norton Power Eraser which is free to use for detecting and removing malware that is hidden deep inside the system.
It is a single portable executable file of only around 3MB in size. The Rootkit scan option is enabled by default in Settings and requires a restart before the rootkit scan is performed. Norton Power Eraser detected All In One Keylogger and Invisible KeyLogger Stealth. As for Elite Keylogger, one of its DLL files is flagged as unknown. Other than that, it also had 3 false positives, detecting COMODO Time Machine driver files as unsafe.
9. Trend Micro RootkitBuster
RootkitBuster is a free tool by Trend Micro that is able to check multiple locations in Windows such as the Master Boot Record (MBR), files, registry entries, kernel code patches, operating system service hooks, file streams, drivers, ports, processes and services to identify rootkit presence. It was last updated a month ago and has dedicated builds for both 32-bit and 64-bit.
RootkitBuster only managed to detect All In One Keylogger while missing the other 2. It also has the same false detection as Kaspersky TDSSKiller and Norton Power Eraser, wrongly identifying 3 system driver files as threats.
10. UnHackMe
UnHackMe is the only shareware rootkit killer with monitoring capabilities that automatically checks your computer for any possible rootkit infection. The trial version of UnHackMe allows you to use it for 30 days without limitation. The program’s user interface looks simple enough for beginners to use, and you can even send the generated regrunlog.txt report file to their support center for advice if you’re not fully sure that a detected unknown/suspicious file is indeed malicious.
There are a few buttons, such as stopping a service, deleting a registry key and disabling autorun, to help disable the suspicious file, but we found that the most effective one is “Delete File at Next Reboot” if the malware is very persistent. UnHackMe found All In One Keylogger and Invisible KeyLogger Stealth but missed Elite Keylogger.
As you can see from the results above, very few automated rootkit detection tools managed to detect all 3 rootkits. Norton Power Eraser did the best by confirming 2 infections with 1 unknown status. There is another category of anti-rootkit utilities designed for more advanced users to manually analyze, decide on and remove rootkits, which can be found on the next page.
Unlike the previous list of anti-rootkit detection tools, which is meant for average computer users and automatically recognizes rootkit infections and offers to remove them, the 5 free utilities below are meant for advanced users to manually analyze hidden processes, drivers, registry keys, files, startup entries, services, scheduled tasks, ring0 and ring3 hooks, etc. and determine for themselves whether the items are safe or malicious. Other than using them to detect rootkits, they can also be used to find other malware such as trojans, rogueware, worms and viruses.
11. AntiSpy
AntiSpy is a new portable tool whose first version was released in early 2013, with a new version released every month since. The official website is in Chinese but the program is fully in English. Running the executable file opens a window with a couple of tabs allowing you to view both visible and hidden items.
As you can see from the AntiSpy screenshot above, a process colored in red is found to be suspicious, and right-clicking on the item provides many options to investigate or take action, such as killing it and deleting the file. The registry, service and autostart tabs are worth looking at because you are able to delete protected registry keys, which cannot be done from regedit.exe, view hidden services that don’t show up in services.msc and reveal hidden items that autostart with Windows. As good as it is, AntiSpy lacks a low-level file browser to view hidden files and folders.
12. GMER
GMER has been around since 2006 and is still being actively developed today, with full 64-bit support. An advantage of GMER is that it automatically starts a quick scan upon running to find system modifications that might have been caused by rootkit activity.
We found that GMER is more of an analyzer than a tool to remove rootkits because you can only kill a process, with no option to delete running processes, modules, registry keys or autostart items. The “Files” tab, where you can access your files in an Explorer-like interface, also doesn’t seem to show files and folders that are hidden by rootkits.
13. NoVirusThanks Anti-Rootkit
This anti-rootkit tool by NoVirusThanks is free for non-commercial use and is recommended for experienced users because the program shows a lot of technical information, especially code hooks, although less experienced users can still run a quick scan on the Quick Report tab to find any process that runs hidden and is labeled as suspicious. There is a “Hosts File” tab, something most anti-rootkit tools ignore, to check whether the hosts file has been modified by malware to block security websites.
The program requires installation and works from Windows 2000 to 7 on 32-bit only.
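The hosts-file check mentioned above is easy to reproduce by hand. The PowerShell script below is an added example, not code from the article or from NoVirusThanks; the list of security vendor domains is an illustrative assumption, and the sample hosts lines are constructed.

```powershell
# Added example (not from the article): flag hosts-file entries that pin
# security vendor or update sites to the local machine or to some other
# address, the kind of tampering a "Hosts File" tab is meant to expose.
# The vendor list is an assumption; extend it for your own environment.

$SecurityDomains = @(
    'microsoft.com', 'windowsupdate.com', 'kaspersky.com', 'avast.com',
    'malwarebytes.org', 'symantec.com', 'norton.com', 'trendmicro.com',
    'mcafee.com', 'bitdefender.com', 'virustotal.com', 'avg.com'
)

function Get-SuspiciousHostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()        # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }           # malformed line
        $ip    = $fields[0]
        $names = $fields[1..($fields.Count - 1)]
        foreach ($name in $names) {
            $isLocalName = $name -in @('localhost', 'localhost.localdomain', 'broadcasthost')
            $isSinkhole  = $ip -in @('127.0.0.1', '0.0.0.0', '::1')
            $isVendor    = $SecurityDomains | Where-Object { $name -eq $_ -or $name.EndsWith(".$_") }
            # Any non-local name pinned to a sinkhole address, or any security
            # vendor name pinned to any address, deserves a look.
            if (($isSinkhole -and -not $isLocalName) -or $isVendor) {
                [pscustomobject]@{ Address = $ip; Host = $name; Line = $line.Trim() }
            }
        }
    }
}

# Constructed sample: one clean default line, one comment, two tampered lines
# (203.0.113.5 is a documentation-range address standing in for a hijack).
$sampleText = @'
127.0.0.1       localhost
# 0.0.0.0 comment only
127.0.0.1       www.kaspersky.com
203.0.113.5     downloads.malwarebytes.org   # redirected to another host
'@
$sample = $sampleText -split "`r?`n"
Get-SuspiciousHostsEntries -Lines $sample | Format-Table -AutoSize

# Then check the live hosts file (needs read access to System32).
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
if (Test-Path -LiteralPath $hostsPath) {
    Get-SuspiciousHostsEntries -Lines (Get-Content -LiteralPath $hostsPath) | Format-Table -AutoSize
}
```

On the constructed sample the function reports the two tampered lines and nothing for the localhost line or the comment.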
14. PC Hunter
PC Hunter is a free anti-rootkit developed from XueTr (also an anti-rootkit tool) and comes in both Free and Pro versions. Compared to the rest, PC Hunter seems to have the most options to view processes, kernel modules, ring0 and ring3 hooks, network connections, startup info, file associations and firewall rules, and even useful tools like a registry editor, file manager, safe boot repair, and re-enabling a disabled registry editor and task manager.
If you’re stuck interpreting the results, it is possible to generate a report from the “Computer Examination” tab, export it to an external text file and send it to an expert to get help identifying rootkits. PC Hunter works from Windows 2000 to 8 and even has a special 64-bit build that can be used from Windows 7 x64 onwards.
15. PowerTool
PowerTool is not just another rootkit analyzer tool because it has its own unique features. Other than viewing hidden processes, kernel modules, hooks, files, registry entries, startup items, services and network connections, one of the useful features found in PowerTool is the System > Repair tab, which shows the status of items that are normally disabled by malware.
The loophole tab shows the critical patches that aren’t installed on your Windows operating system, and the hardware tab analyzes the basic hardware on your computer together with the CPU, hard drive and video card temperatures. PowerTool for 32-bit is currently at version 4.3, while you should download version 1.2 if you’re looking for the 64-bit build. During testing we occasionally experienced the program crashing with a runtime error.
Additional Tests: There are some standalone offline on-demand malware scanners offered free of charge by antivirus companies that claim to detect rootkits. We’ve tested COMODO Cleaning Essentials, Dr.Web CureIt!, F-Secure Safe Easy Clean, Sophos Virus Removal Tool, VIPRE Rescue and VirIT eXplorer Lite, but unfortunately none of them detected any of the 3 rootkit keyloggers installed on our test system.
Final Note: No matter how user-friendly or easy to use the anti-rootkit tools are, you must use them with care to avoid wrongly disabling an important process/driver, which may cause Windows not to boot up properly. Always get advice from tech support forums, or perhaps send the suspicious file to antivirus companies using X-Ray to get confirmation of whether the file is a rootkit.