Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


Rootkits revealed

Daniele Muscetta (of Microsoft) posted a nice summary of some recent articles on Rootkits. He also included information on SysInternals' latest tool:

Also, Sysinternals has released today a Rootkit detector (looks like RootKits are finally getting a lot of attention these days...)
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

Nice tool. The RootKit Detector looks like it performs similarly to GhostBuster, except without the CD reboot. It enumerates the file system and Registry through the Windows API and then compares those results against a scan of the raw on-disk data, all within the same OS session; entries that show up in one view but not the other are the discrepancies it reports. While this is a good attempt to catch rootkits, it can be argued that it is not as ideal a solution as the CD reboot/offline scan found with GhostBuster, because a rootkit that controls the kernel can tamper with both views. Here is an interesting blurb from the RootKit Detector's documentation:

Is there a sure-fire way to know of a rootkit's presence?

In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior, so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system to an off-line scan from a secure environment, such as a boot into a CD-based operating system installation, is more reliable, rootkits can target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.

Unfortunately, the on-line/off-line method used by GhostBuster is not publicly available from Microsoft Research (see Bruce Schneier's request for this). Hopefully we will have this kind of version available from someone soon.
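To make the cross-view idea concrete, here is a small Python illustration I have added to this post; it is not code from Sysinternals or Microsoft Research. It models the two comparisons discussed above: the on-line API-versus-raw diff that RootkitRevealer performs, and the on-line-versus-off-line diff that GhostBuster performs. All file entries, paths and digests are constructed sample data, and the "views" are plain lists standing in for what a real scanner would collect.

```python
"""Cross-view rootkit detection, as an added illustration (not a real scanner).

A cross-view scanner takes two snapshots of the same data by different means
(e.g. the Windows API versus raw on-disk structures, or an on-line scan versus
an off-line scan from a boot CD) and reports every entry that the two views
disagree about. A rootkit that filters API results hides a file from the API
view but not from the lower-level view, so it shows up as a discrepancy.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One file as seen by a scan. The digest is a constructed placeholder."""
    path: str
    size: int
    sha256: str


@dataclass
class Discrepancy:
    path: str
    kind: str    # "hidden", "phantom" or "mismatch"
    detail: str


def cross_view_diff(api_view, lower_view):
    """Compare a high-level (API) view against a lower-level view of the same
    file system and return the entries the two views disagree about."""
    api = {e.path: e for e in api_view}
    low = {e.path: e for e in lower_view}
    findings = []
    # Present in the lower-level view but filtered out of the API view:
    # the classic signature of an API-hooking rootkit.
    for path in sorted(low.keys() - api.keys()):
        findings.append(Discrepancy(path, "hidden",
                                    "in lower-level view, absent from API view"))
    # Returned by the API but not backed by on-disk data (rarer; also worth a look).
    for path in sorted(api.keys() - low.keys()):
        findings.append(Discrepancy(path, "phantom",
                                    "returned by API, absent from lower-level view"))
    # Same path, different content: a file the API is misreporting.
    for path in sorted(api.keys() & low.keys()):
        a, l = api[path], low[path]
        if (a.size, a.sha256) != (l.size, l.sha256):
            findings.append(Discrepancy(path, "mismatch",
                                        f"api size={a.size} lower size={l.size}"))
    return findings


def scan(online_api, online_raw, offline=None):
    """RootkitRevealer-style on-line diff, plus a GhostBuster-style on-line vs
    off-line diff when an off-line snapshot (e.g. from a boot CD) is supplied."""
    report = {"online": cross_view_diff(online_api, online_raw)}
    if offline is not None:
        report["offline"] = cross_view_diff(online_api, offline)
    return report


# Constructed sample data: a tiny "clean" system plus one hidden driver.
BASELINE = [
    Entry(r"C:\Windows\System32\ntoskrnl.exe", 2_000_000, "aa" * 32),
    Entry(r"C:\Windows\System32\drivers\ntfs.sys", 500_000, "bb" * 32),
]
HIDDEN_DRIVER = Entry(r"C:\Windows\System32\drivers\EXAMPLE_hidden.sys", 40_000, "cc" * 32)


if __name__ == "__main__":
    # Scenario 1: rootkit hooks the API only; the raw scan still sees the driver.
    api_only = scan(BASELINE, BASELINE + [HIDDEN_DRIVER])
    print("API-hooking rootkit, on-line diff:", api_only["online"])

    # Scenario 2: rootkit also intercepts raw reads, so both on-line views agree.
    # Only the off-line snapshot from a clean boot exposes the driver.
    both_hooked = scan(BASELINE, BASELINE, offline=BASELINE + [HIDDEN_DRIVER])
    print("Raw-read-hooking rootkit, on-line diff:", both_hooked["online"])
    print("Raw-read-hooking rootkit, off-line diff:", both_hooked["offline"])
```

The second scenario is the point of the documentation quote above: once a kernel-mode rootkit controls both on-line views, the on-line diff is empty and only a comparison against a snapshot taken from outside the running system reveals the hidden file.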

Published Wednesday, February 23, 2005 2:36 PM by RHurlbut
