RootAlyzer
RootAlyzer detects various hiding methods usually used by rootkits. Until a more complex help file has been written, this page will try to provide you with explanations on why scan results appeared on your list.
Rootkits are a technology that malware uses more and more often to hide itself at system level, making it invisible to standard tools. These plugins help Spybot-S&D to detect such malware, and our RootAlyzer shows you anything that uses certain rootkit technologies, even if it is not in Spybot-S&D's detection database.
RootAlyzer is a single tool that goes through the file system, the registry and process-related lists. When you start RootAlyzer, it performs a very quick scan of a few important places, taking about a second on modern machines. To check the full system, you can choose a Deep Scan instead.
1. Invisible to Win32
Windows NT, and its successors Windows 2000, XP and Vista, are designed in multiple layers: on top, the Win32 subsystem layer that all standard Windows applications use, and below that a so-called native layer, used by drivers and by the subsystem layer itself.
Now, if rootkits want to hide things, they can do so by hooking themselves into the Win32 layer, grabbing control over the functions that return lists of files or of registry keys and values, and manipulating those returned lists so that whatever they want to hide is no longer shown.
RootAlyzer locates such rootkits by browsing the selected drives and the registry in both the Win32 and the native layer, and notifying you about any differences: files or keys that appear through the core native functions but are no longer visible through the application-level Win32 functions.
2. Invisible processes
A process is the representation of any currently running application in your main memory. This does not only include the applications you can see, but various system tasks as well. If you've ever opened Windows' Task Manager, you might have noticed that it shows a list of processes.
Rootkits like to hide themselves in this list of running processes, making it impossible to see them through the tools shipped with Windows (e.g. Task Manager).
Every running process has a unique ID though, and even if a process does not appear in the list of running processes, there are other system-wide lists, e.g. the lists of threads and handles, that use this unique ID to record which process their entries belong to. RootAlyzer looks through those lists for any ID that is not listed in the main process list.
To avoid confusion with lists getting out of sync, you should not open or close any other applications in the few seconds the Quick Scan takes.
3. Reserved filename
Windows reserves some filenames as representations of hardware devices for historical reasons, among them for example lpt1 for the first printer (the first parallel interface, not USB). Standard applications therefore cannot access files that use such reserved names; native methods, as used by rootkits, can do so, and could use this to hide things.
You can cross-check these results by opening the displayed file using FileAlyzer or even just notepad (don't ever save there though).
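The three checks described in sections 1 to 3 (native-versus-Win32 cross-view, orphaned process IDs in thread and handle tables, and reserved device names) as an added, stand-alone example; this is not RootAlyzer's own code, and all directory listings and PID tables below are constructed sample data standing in for what the real enumeration calls would return.

```python
# Added example (not RootAlyzer's own code): the cross-checks described above,
# run on constructed sample data instead of live Win32 / native enumerations.

# Names Win32 treats as DOS devices.  Only the part before the first dot
# counts, so "lpt1.txt" is reserved while "lpt10.txt" is an ordinary file.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_name(name: str) -> bool:
    """True if Win32 refuses to open this name because it maps to a device."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def cross_view_diff(native_view, win32_view):
    """Entries the low-level (native) enumeration returns but the Win32 view lacks."""
    return sorted(set(native_view) - set(win32_view))


def hidden_pids(snapshots):
    """PIDs owning threads or handles yet absent from the process list.

    A PID is reported only if it is missing in every snapshot, so a process that
    starts or exits between two enumerations (lists out of sync) is not flagged.
    """
    suspects = None
    for processes, thread_owners, handle_owners in snapshots:
        missing = (set(thread_owners) | set(handle_owners)) - set(processes)
        suspects = missing if suspects is None else suspects & missing
    return sorted(suspects or [])


# Constructed sample data: "rk.sys" is visible only to native calls, "lpt1.txt"
# carries a reserved stem, and PID 1337 owns threads and handles but is never
# listed as a process.  PID 1500 starts between the two snapshots (benign).
NATIVE_DIR = ["ntoskrnl.exe", "hal.dll", "rk.sys", "lpt1.txt"]
WIN32_DIR = ["ntoskrnl.exe", "hal.dll", "lpt1.txt"]
SNAPSHOTS = [
    ([4, 320, 1200], [4, 320, 1200, 1337], [4, 1200, 1337]),
    ([4, 320, 1200, 1500], [4, 320, 1200, 1337, 1500], [4, 1200, 1337]),
]

if __name__ == "__main__":
    print("native-only entries:", cross_view_diff(NATIVE_DIR, WIN32_DIR))
    print("reserved names:", [n for n in NATIVE_DIR if is_reserved_name(n)])
    print("hidden PIDs:", hidden_pids(SNAPSHOTS))
```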
4. No admin in ACL
Every file, folder and registry key has an associated Access Control List. These control which users and user groups may access the object, and how they may do so. RootAlyzer examines several parameters of each ACL to determine whether it has been modified and is non-standard.
5. Unknown ADS
Alternate Data Streams are file contents attached to existing files. They are not visible through Windows Explorer; you need tools like FileAlyzer or FoldAlyzer to actually see them and their content. ADS are also used for legitimate purposes (e.g. to record that a file was downloaded from the Internet, or to store document properties), so RootAlyzer tries to filter those out. Still, the ADS listed by RootAlyzer might simply be ones that are not yet known to us (knowing every legitimate ADS is practically impossible).
This software is licensed as freeware: you can download and use this trojan remover free of charge.