musc@> $daniele.work.ToString()

"Corporate" Blog of Daniele Muscetta, Premier Field Engineer.

Rootkit Detectors

Microsoft Research has published some papers about rootkit technologies and especially rootkit detection:
http://research.microsoft.com/rootkit/

This stuff is VERY GOOD to read, and has been positively commented on by a lot of people, including Bruce Schneier: http://www.schneier.com/blog/archives/2005/02/ghostbuster.html

The straightforward links to some of these papers are:

Detecting Stealth Software with Strider GhostBuster
http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=875

GhostBuster tech report
http://research.microsoft.com/research/pubs/view.aspx?type=Technical%20Report&id=775
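The GhostBuster papers linked above are built on one idea, the cross-view diff: enumerate the same objects (files, registry keys, processes) once through the high-level API that a rootkit can hook, and once through a low-level path it does not control (raw on-disk structures, or a scan from a clean boot), then report everything that shows up in one view but not the other. What follows is an added example in Python, not code from the papers, from Microsoft Research or from Sysinternals, that runs such a diff over a constructed file listing with a simulated name-filtering hook. The paths, the `_rk_` prefix and the transient temp file are all made up for the demonstration; a real detector would get its low-level view by parsing the volume or the registry hives directly.

```python
"""Cross-view diff over a constructed file-system snapshot (added example,
not the GhostBuster or RootkitRevealer code). The interesting part is the
second function: a single pass also flags files that merely changed between
the two scans, so persistent discrepancies are kept and transient ones dropped."""

from typing import Callable, Optional, Set, Tuple

# Constructed raw view: what a low-level scan that bypasses the OS file API
# would enumerate. Two of the entries are the (made-up) rootkit's own files.
RAW_FILES = {
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\drivers\_rk_hook.sys",   # constructed: hidden by the hook below
    r"C:\Windows\System32\_rk_svc.exe",            # constructed: hidden by the hook below
    r"C:\Documents and Settings\daniele\notes.txt",
}

HIDE_PREFIX = "_rk_"  # constructed: the hook drops any file name starting with this


def hooked_api_view(raw: Set[str]) -> Set[str]:
    """Simulates the 'inside the box' view: the result of the hooked enumeration
    API, which filters the rootkit's own files out of every directory listing."""
    return {p for p in raw if not p.rsplit("\\", 1)[-1].startswith(HIDE_PREFIX)}


def cross_view_diff(high: Set[str], low: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Compare the two views. 'hidden' is what the low-level scan sees but the
    API does not (the rootkit-hiding case); 'ghost' is the reverse, which can
    mean faked entries or simply an object created between the scans."""
    hidden = low - high
    ghost = high - low
    return hidden, ghost


def stable_diff(scan_high: Callable[[], Set[str]],
                scan_low: Callable[[], Set[str]],
                passes: int = 2) -> Tuple[Set[str], Set[str]]:
    """Repeat both scans and keep only discrepancies present in every pass.
    A file written or deleted between the high and low scans shows up in one
    pass and not the next; a file a rootkit hides shows up in all of them."""
    hidden_all: Optional[Set[str]] = None
    ghost_all: Optional[Set[str]] = None
    for _ in range(passes):
        hidden, ghost = cross_view_diff(scan_high(), scan_low())
        hidden_all = hidden if hidden_all is None else hidden_all & hidden
        ghost_all = ghost if ghost_all is None else ghost_all & ghost
    return hidden_all or set(), ghost_all or set()


def make_noisy_scanners() -> Tuple[Callable[[], Set[str]], Callable[[], Set[str]]]:
    """Constructed scanners for the demonstration: the low-level scan sees a
    temp file only on its first call, as if it had been created after the API
    scan and deleted before the next pass."""
    calls = {"low": 0}

    def scan_low() -> Set[str]:
        calls["low"] += 1
        view = set(RAW_FILES)
        if calls["low"] == 1:
            view.add(r"C:\Windows\Temp\tmp1234.tmp")  # constructed transient file
        return view

    def scan_high() -> Set[str]:
        return hooked_api_view(RAW_FILES)

    return scan_high, scan_low


if __name__ == "__main__":
    scan_high, scan_low = make_noisy_scanners()
    hidden, ghost = cross_view_diff(scan_high(), scan_low())
    print("single pass, hidden:", sorted(hidden))   # includes the temp file: a false positive
    scan_high, scan_low = make_noisy_scanners()
    hidden, ghost = stable_diff(scan_high, scan_low, passes=2)
    print("two passes, hidden:", sorted(hidden))    # only the two _rk_ files remain
    print("two passes, ghost:", sorted(ghost))
```

The direction of the discrepancy matters: an object the raw scan finds but the API does not is the classic hiding signature, while the opposite direction is usually noise from the time gap between the two scans, which is why the example intersects several passes rather than trusting one.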

Of course I am not the first person to blog about this; there are loads of other people who spotted it earlier than I did, and this news has been commented on by many people.
But it is very interesting, and I encourage everybody who hasn’t done it yet to read it.

Some other comments I spotted about these papers can be found at:
http://windowsir.blogspot.com/2005/02/rootkit-detection-ms-way.html


Also, Sysinternals has today released a rootkit detector (it looks like rootkits are finally getting a lot of attention these days…)
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml


–edited again at 1:10 am [GMT+1]
now I see that Robert Hensing has been quicker than me, posting twice about this subject today:
http://blogs.msdn.com/robert_hensing/archive/2005/02/22/378363.aspx
http://blogs.msdn.com/robert_hensing/archive/2005/02/22/378371.aspx