After spending a good deal of time chasing down and removing an infection of the SpyEye Trojan, I thought it might be fitting to write about detecting rootkits, and some of the free tools that are available to help you do so.

Generally, a rootkit can be defined as a piece of software designed to allow continued access to a compromised system for a malicious purpose. In the case of the SpyEye Trojan I mentioned above, that purpose is to collect passwords, banking information, credit card numbers, social security numbers, and other sensitive information from anyone using an infected machine. What makes rootkits particularly nasty is that, unlike most viruses, which usually have some immediate and obvious damaging effect, they are designed to be completely hidden. A well-crafted rootkit will do no visible damage to the infected machine and will happily collect all of the personal information mentioned above without the user suspecting anything.

Rootkits typically hide themselves by altering the results returned from the Windows API to control what the user sees. You might assume that REGEDIT, for example, is a low-level tool that browses the registry directly; it is really just an application that requests data from the Windows API and displays whatever comes back. This means a rootkit can place its startup information under [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] without you being able to see that entry in REGEDIT, because the API response is being filtered before it reaches the tool. The same trick works for files on disk and running processes, making the rootkit completely invisible from user mode.

To detect the presence of rootkits, you need tools that bypass the Windows API, read the same information at the lowest possible level, and compare the two views. While there are lots of tools that do this, my favorite is GMER. Its rootkit/malware scan compares the raw data inside the registry and file system with the data that the Windows API returns and lists every mismatch. That gives you a concise list of hidden items, which will usually reveal most rootkits, and GMER offers to remove them for you. What also makes this utility great is that it gives you an "untainted" interface for directly viewing the process list, file system, services, and registry.
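To make the cross-view comparison concrete, here is a small added example (my own illustration, not GMER's code) that diffs a "raw" view of registry Run values, file paths, or process IDs against the view a user-mode API call returned, and reports what is hidden in each direction. The sample listings are constructed; note the normalisation step, since registry names and NTFS paths are case-insensitive and a naive string comparison would produce false positives.

```python
"""Cross-view detection: diff a low-level ("raw") listing of a system object
against what the Windows API reported. All sample data below is constructed."""
from dataclasses import dataclass, field


@dataclass
class CrossViewResult:
    hidden: set = field(default_factory=set)   # present in raw data, suppressed from the API view
    phantom: set = field(default_factory=set)  # reported by the API, absent from raw data


def _norm_registry(value_name: str) -> str:
    # Registry value names are case-insensitive; normalise so case alone never flags a mismatch.
    return value_name.strip().lower()


def _norm_path(path: str) -> str:
    # NTFS paths are case-insensitive and tools print either separator.
    return path.strip().lower().replace("/", "\\")


# One normaliser per object kind; processes are compared by integer PID.
NORMALISERS = {"registry": _norm_registry, "file": _norm_path, "process": int}


def cross_view_diff(kind: str, raw_view, api_view) -> CrossViewResult:
    """Return entries seen only in the raw view (hidden) or only via the API (phantom)."""
    norm = NORMALISERS[kind]
    raw = {norm(item) for item in raw_view}
    api = {norm(item) for item in api_view}
    return CrossViewResult(hidden=raw - api, phantom=api - raw)


def scan(views: dict) -> dict:
    """views maps kind -> (raw_listing, api_listing); returns kind -> CrossViewResult."""
    return {kind: cross_view_diff(kind, raw, api) for kind, (raw, api) in views.items()}


# Constructed sample: value names under HKLM\...\CurrentVersion\Run as read from the
# raw hive, versus what a user-mode enumeration (e.g. what REGEDIT shows) returned.
RAW_RUN_VALUES = ["SecurityHealth", "OneDrive", "svchosts_updater"]
API_RUN_VALUES = ["securityhealth", "OneDrive"]

if __name__ == "__main__":
    result = scan({"registry": (RAW_RUN_VALUES, API_RUN_VALUES)})
    for kind, r in result.items():
        print(f"{kind}: hidden={sorted(r.hidden)} phantom={sorted(r.phantom)}")
```

A hidden entry is the classic rootkit signature; a phantom entry is also worth a look, since a filter that injects fake results is just as much a sign of tampering.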

GMER obviously isn't your only choice (virtually all of the antivirus vendors offer free detectors), but I happen to like the more hands-on approach and the additional browsing utilities that GMER includes.

I would recommend downloading and running these tools regularly, especially if you use your computer for online banking, bill pay, or other sensitive identity-related activities.