Rootkit Detection Coming to Windows AntiSpyware
Strider Ghostbuster, a prototype tool developed by Microsoft Corp.s Cybersecurity and Systems Management Research Group, provides a straightforward way to detect Windows rootkits by comparing scan results between a clean system and one that may potentially be compromised.
Details of Microsofts plans remain scarce, but sources say the company has grown increasingly worried about the threat from stealth rootkits.
The integration is unlikely to happen in time for the next Windows AntiSpyware beta refresh.
Company officials declined to discuss specific plans going forward. "We have not made any public commitments to include functionality from that project in Microsoft products at this time," a Microsoft spokesperson said.
In a recent interview, Mike Nash, corporate vice president at Microsofts Security Business and Technology Unit, was asked if the company plans to include Strider Ghostbuster in Windows AntiSpyware.
"We cant be specific about that," Nash said, adding that Microsoft was adopting "a combination of cleaning and blocking" to combat spyware.
"We need to understand that better," Nash said.
While acknowledging the importance of the threat of rootkits, Nash said Microsoft is currently focusing its anti-spyware beta on "bots."
On the Strider Ghostbuster Web page, the company has said the tool will be released either as a research prototype or as part of Microsoft products.
Word of Microsofts plans comes at a time when security researchers are discovering rootkit-like features in common spyware programs.
By using rootkit techniques, sophisticated spyware coders are able to gain administrative access to compromised machines to run stealthy updates to the software or reinstall spyware programs after a user deletes them.
Using a rootkit, a malicious hacker can also perform system scans and modify data without any user interaction.
Microsoft has already added rootkit-detection to its free malicious software removal tool.
The malware remover is capable of detecting four child variants of Hacker Defender (Win32/Hackdef), one of the more notorious rootkit programs.
According to definitions posted by Computer Associates International Inc., Hacker Defender is a Trojan creation tool that can be used to wrap existing Trojans to make them harder to detect. It can also hide proxy services and back-door functionality, and conceal use of TCP and UDP (User Datagram Protocol) ports for receiving commands from attackers.
Microsoft isnt the only software vendor targeting rootkits. Finnish anti-virus specialist F-Secure Corp. recently released its BlackLight Rootkit Elimination Technology, while Sysinternals Freeware, a site that offers Windows utilities, also offers RootkitRevealer, a tool capable of finding registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
Microsoft Watchs Mary Jo Foley contributed to this report.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.