Primer: How To Root Out Rootkits

There's no easy way to remove a rootkit -- it requires a "wipe and restore" -- but you can get some help with the diagnosis from RootkitRevealer.

InformationWeek Staff, Contributor

November 5, 2005


Interpreting RootkitRevealer Results

In the vast majority of cases, the Description field for discrepancies in RootkitRevealer will report either "Visible in Windows API, but not in MFT or directory index" or "Hidden from Windows API," as shown in another set of results I provoked from my test machine by running the tool. Note that the result looks different from previous screenshots because I stretched the display to list most directories and all descriptions in full:


After carefully inspecting all of these entries, I found they’re mostly temp files, or links to temp files. The jpeg file was opened and closed while the scan was running, which apparently resulted in having it reported as "Hidden from Windows API." Talk about thorough!

The RootkitRevealer home page devotes most of its coverage to explaining how to interpret the output. It lists the following possible descriptions:

  • Hidden from Windows API: While this result is common for rootkit-related items, it’s also common for NTFS metadata files (which the file system routinely hides), and for temp files that may have been in use or deleted while the scan is underway. As I've already discussed, it’s best if no other applications are running on the system while the scan is underway.

  • Access is Denied: Note: Though the software’s authors claim you should never see this string, they list it anyway. It never came up during my testing.

  • Visible in Windows API, directory index, but not in MFT.

  • Visible in Windows API, but not in MFT or directory index.

  • Visible in Windows API, MFT, but not in directory index.

  • Visible in directory index, but not Windows API or MFT: A complete file scan checks all three of these types of components: the Windows API, the master file table (MFT), and the on-disk directory structures associated with NTFS. Discrepancies are reported when a file shows up in one or two scan passes (but not all three), and they occur most commonly when files are created or deleted while a scan is underway. Again, it's best not to run other apps while RootkitRevealer is scanning.

  • Windows API length not consistent with raw hive data: Rootkits sometimes disguise themselves by misreporting the length of a Registry value to make its contents inaccessible to the Windows API. This is worth a closer look, even though it may simply indicate a Registry value that changed during a scan.

  • Type mismatch between Windows API and raw hive data: Rootkits can deliberately misrepresent data types to make Registry entries inaccessible to the Windows API. Should this occur, investigate thoroughly.

  • Key name contains embedded nulls: Where the kernel treats key names as counted (fixed-length) strings, the Windows API treats them as null-terminated strings. This makes it possible to create Registry keys that are fully visible to the kernel, yet only partially visible to the Windows API. Sysinternals offers a "Reghide" code example that demonstrates this technique, which is used by both rootkits and other forms of malware.

  • Data mismatch between Windows API and raw hive data: This occurs when a Registry value gets updated while a scan is underway. It often relates to things like MS SQL Server uptime or virus scanner "last scan" values. But if you see any such entries, investigate them to make sure they’re legitimate.
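The list above describes a cross-view comparison: a file's presence is checked in the Windows API, the MFT and the directory index, and a Registry value's API view is checked against raw hive data. The following is an added example (not Sysinternals code) that implements that classification over constructed sample views; the view contents, path names and value names are made up, and nothing here reads a real disk or hive.

```python
# Added example (not Sysinternals code): the cross-view comparison implied by
# RootkitRevealer's descriptions, run over constructed sample views only.
# Keyed by (seen by Windows API, in MFT, in directory index); any other case
# where the API misses a file is reported as "Hidden from Windows API".
FILE_DESCRIPTIONS = {
    (True, False, True): "Visible in Windows API, directory index, but not in MFT.",
    (True, False, False): "Visible in Windows API, but not in MFT or directory index.",
    (True, True, False): "Visible in Windows API, MFT, but not in directory index.",
    (False, False, True): "Visible in directory index, but not Windows API or MFT.",
}
def file_discrepancies(api_view, mft_view, dir_index_view):
    """{path: description} for each path the three scan passes disagree on."""
    found = {}
    for path in set(api_view) | set(mft_view) | set(dir_index_view):
        key = (path in api_view, path in mft_view, path in dir_index_view)
        if not all(key):  # all three passes agree: nothing to report
            found[path] = FILE_DESCRIPTIONS.get(key, "Hidden from Windows API")
    return found
def api_visible_name(counted_name):
    """What a null-terminated Win32 API sees of a kernel-side counted name."""
    nul = counted_name.find(b"\x00")
    return counted_name if nul < 0 else counted_name[:nul]
def registry_discrepancies(api_values, hive_values):
    """Raw hive {name: {type, data}} vs API view {name: {length, type, data}}."""
    found = {}
    for name, hive in hive_values.items():
        api = api_values.get(name)
        if api_visible_name(name) != name:
            found[name] = "Key name contains embedded nulls"
        elif api is None:
            found[name] = "Hidden from Windows API"
        elif api["length"] != len(hive["data"]):
            found[name] = "Windows API length not consistent with raw hive data"
        elif api["type"] != hive["type"]:
            found[name] = "Type mismatch between Windows API and raw hive data"
        elif api["data"] != hive["data"]:
            found[name] = "Data mismatch between Windows API and raw hive data"
    return found

# Constructed sample views: a temp file created mid-scan, NTFS metadata the API
# hides, an uptime value updated mid-scan, and a key name with an embedded NUL.
SAMPLE_FILES = file_discrepancies(
    {r"C:\Temp\a.tmp", r"C:\Windows\notepad.exe"},
    {r"C:\$MFT", r"C:\Windows\notepad.exe"}, {r"C:\$MFT", r"C:\Windows\notepad.exe"})
SAMPLE_VALUES = registry_discrepancies(
    {b"Uptime": {"length": 4, "type": "REG_DWORD", "data": b"\x11\0\0\0"}},
    {b"Uptime": {"type": "REG_DWORD", "data": b"\x10\0\0\0"},
     b"Run\x00Hidden": {"type": "REG_SZ", "data": b"x"}})
```

The sample reproduces the benign cases the article describes (a temp file and an updated uptime value) alongside the two findings worth a closer look (an NTFS metadata file hidden from the API and a key name truncated by the API).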

To further interpret RootkitRevealer's results, you'll need to determine the origin or cause of what’s been reported. Googling the name of the Registry key or the file for which a discrepancy is discovered is a good place to start. This will often help to illuminate whether the symptom is benign or malign. Happily, most cases will turn out to be benign, as explained earlier. But if not, the Sysinternals RootkitRevealer Forum is a great source of potential help. Also, the forums at Rootkit.com are a valuable information resource on this topic.

If you do find reports from RootkitRevealer that suggest the possible presence of a rootkit, remember that no tools currently exist that can clean up a rootkit infestation. Thus, the only remedy is to format the drive, then reinstall Windows and all necessary applications. Of course, if you don’t have a current backup of that system, you’ll want to obtain one before proceeding with wipe and restore maneuvers. And I strongly urge you to boot from a repair CD to run the backup. Then back up only those data files outside the OS folder hierarchy, to make certain you’re not backing up the rootkit along with everything else.

Bottom line: System builders who build and maintain Windows systems should make RootkitRevealer a standard part of their security toolkit. I liked it so much, I've even created weekly Task Scheduler jobs on all my machines to run RootkitRevealer as part of my ongoing security maintenance routine.


Finally, for even more information on the latest developments on rootkits, visit anti-malware sites like Security Response, and the aforementioned Rootkit.com.

ED TITTEL is a freelance writer who specializes in markup languages, PCs, and networking topics. He's contributed to more than 130 books, including titles on spyware and IT certification. His upcoming book is Build The Ultimate Home Theater PC (John Wiley, November 2005). Ed has no commercial interest in any of the products, companies, or sites mentioned in this TechBuilder Recipe.
