Rootkits are becoming more prevalent and harder to find, because they hide from the very operating system calls that ordinary malware scanners rely on. Technicians need to know the tools that can detect and remove this elusive software. Here is a list of rootkit detection and removal tools covering the major operating systems.
RootkitRevealer
RootkitRevealer is part of the Sysinternals suite and is a free, portable rootkit scanner. This tool was featured as a Repair Tool of the Week.
Sophos Rootkit Scanner
Sophos offers a suite of security software, but most notably they have a free rootkit detector and removal tool available as a standalone download.
GMER
GMER is a powerful rootkit scanner and usually my first "go-to" rootkit scanner when I suspect suspicious activity above and beyond typical malware. It's quite small and portable.
TDSSKiller
A great free tool from Kaspersky. It's portable and easy to use, with a simple GUI. This tool recently helped me find a rootkit that was causing multiple browser hijacks. I could not find the rootkit with any malware scanner, HijackThis, Process Explorer, or a couple of other rootkit scanners. I ran this tool and it found it almost instantly (this particular rootkit was part of the Rootkit.Win32.TDSS family). TDSSKiller searches for the Win32.TDSS family of rootkits as well as bootkits (MBR rootkits/malware) and other suspicious services.
Microsoft Standalone System Sweeper Beta
This is a fairly new application (still in beta!) that you boot from a CD or flash drive. It is meant for situations where you can't boot into a PC because of malicious software, or where you don't trust the installed operating system to report honestly: scanning from separate boot media means the rootkit's hooks are not running while the disk is examined. The program detects and removes rootkits and other malware.
(NOTE: This is an excerpt from the Microsoft website regarding licensing for the System Sweeper tool. Please read the full license agreement on the Microsoft download page or contact Microsoft for more information.
“INSTALLATION AND USE RIGHTS.
a. Home Use. If you are a home user, then you may install and use any number of copies of the software on your personal devices for use by people who reside in your household to test how it runs with your programs. As a home user, you may not use the software in any commercial, non-profit, or revenue generating business activities.
b. Small Business. If you operate a small business, then you may install and use the software on up to ten (10) devices in your business to test how it runs with your programs.
d. Separation of Components. The components of the software are licensed as a single unit. You may not separate the components and install them on different devices.
e. Included Microsoft Programs. The software may contain other Microsoft programs. The license terms with those programs apply to your use of them.”)
AVG Rootkit Scanner
This is the rootkit scanner that comes bundled with AVG Anti-Virus. It was only available in the paid version until AVG 2010 was released; now it comes bundled with the free anti-virus download as well. In my experience it works pretty well and has detected some rootkits that went otherwise unnoticed. Most well-known anti-virus suites now include a rootkit scanner.
Prevx
Prevx offers a suite of paid security tools; however, they do offer a free trial version that includes a rootkit scanner.
RootRepeal
RootRepeal is a rootkit detector that seems to be in perpetual beta, so use it at your own risk and take precautions (back up first, and expect the occasional false positive on low-level scans). It has an advanced rootkit detector for Windows XP and Vista. This was also featured in a Repair Tool of the Week article.
Linux and Apple Mac OS X Based
Let's not forget our Unix-based systems! It's fairly slim pickings for rootkit scanners on these operating systems, but there are two that I know of that work well. As the popularity of these systems continues to grow, I believe we will see more security concerns, and hence more tools.
A rootkit detector that checks system binaries for modifications and looks for the traces known rootkits leave behind.
This is a free tool that searches for backdoors and exploits by comparing file hashes (MD5) of system files against known-good values and flagging strange file activity, such as hidden files and unexpected changes to critical binaries.
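The hash-comparison technique the Unix tools above rely on is simple enough to demonstrate directly. The following is an added example, not code from either tool or from the original post: it records a baseline of hashes for every file under a directory, then re-hashes later and reports files that were modified, removed, or added. The directory layout, file names, and "trojaned" contents in the demo are constructed purely for illustration. It uses SHA-256 instead of MD5, since MD5 collisions are practical and an attacker could craft a replacement binary with the same MD5.

```python
"""Baseline-and-compare integrity check for system binaries (added example).

Same idea as a hash-based rootkit scanner: record a known-good hash of every
regular file under a directory, then later re-hash and report anything that
was modified, went missing, or appeared. SHA-256 is used rather than MD5.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root.

    Symlinks are skipped: the hash of the link target is what matters, and
    the target is hashed when it is visited as a regular file.
    """
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            baseline[str(path.relative_to(root))] = hash_file(path)
    return baseline


def compare(baseline: dict, root: Path) -> dict:
    """Re-hash root and classify every difference from the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario (hypothetical /sbin with placeholder 'binaries').

    Take a baseline, then simulate a rootkit install: replace ps with a
    trojaned copy, delete netstat, and drop a hidden payload file.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "sbin"
        root.mkdir()
        for name in ("ls", "ps", "netstat"):
            (root / name).write_bytes(b"placeholder binary: " + name.encode())

        # In a real deployment the baseline is stored off-host or on
        # read-only media; here it round-trips through JSON to show the shape.
        saved = json.dumps(build_baseline(root))

        (root / "ps").write_bytes(b"trojaned ps that hides attacker processes")
        (root / "netstat").unlink()
        (root / ".hidden").write_bytes(b"new payload")

        return compare(json.loads(saved), root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. First, a kernel-level rootkit can hook the read and open calls this script uses and hand back the original bytes for a file it has replaced, so a clean result from a live system is only as trustworthy as the kernel; this is the same reason the bootable Microsoft tool above exists, and the check is far more meaningful when run from trusted boot media against the mounted disk. Second, the baseline must be taken while the system is known-good and kept somewhere the host cannot rewrite, otherwise an attacker simply updates it after installing the rootkit.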
Lookout Mobile Security
Lookout is a security application for Android, Windows Phone 7, and BlackBerry mobile devices. It isn't necessarily a rootkit tool, but I wanted to include a security tool for the ever-increasing mobile platforms. The more a platform grows in popularity, the more it will be attacked.