Interesting (and remarkably simple) solution for hidden root kit files

Microsoft Research has a short but sweet paper on using hackers' tricks against them, including using differential file system scans (using WinDiff) from infected vs. clean OS boots to detect hidden files. A good read if you're determined to attempt cleanup of an infected system (generally not recommended) instead of flattening the machine and rebuilding it (generally the safer course):
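The differential scan described above, as an added example that is not code from the MSR paper or the Strider GhostBuster tool: two constructed listings of the same volume, one taken from inside the running (possibly infected) OS and one from a clean boot, are compared, and any entry the inside view omits, or reports with a different size, is flagged for inspection. The listing format, the paths and the sizes are assumptions made for the example.

```python
# Cross-view diff of two file listings (the technique the post describes).
# Added example; not the MSR paper's or Strider GhostBuster's own code.
# A rootkit that filters directory enumeration from inside the OS cannot
# filter a listing taken from a clean boot, so entries present offline but
# missing (or different) in the inside view are candidates for hidden files.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse 'path<TAB>size' lines (assumed listing format) keyed by lowercased path."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, size = line.rsplit("\t", 1)
        entries[path.lower()] = Entry(path, int(size))
    return entries


def cross_view_diff(inside: dict[str, Entry], offline: dict[str, Entry]) -> dict[str, list[str]]:
    """Return paths hidden from the inside view and paths whose size differs between views."""
    hidden = sorted(p for p in offline if p not in inside)
    mismatched = sorted(p for p in offline if p in inside and offline[p].size != inside[p].size)
    return {"hidden": hidden, "mismatched": mismatched}


# Constructed sample listings; the paths and sizes are invented for this example.
INSIDE_VIEW = """\
C:\\Windows\\System32\\ntoskrnl.exe\t2304000
C:\\Windows\\System32\\drivers\\tcpip.sys\t1180000
C:\\Users\\alice\\report.docx\t48213
"""
OFFLINE_VIEW = """\
C:\\Windows\\System32\\ntoskrnl.exe\t2304000
C:\\Windows\\System32\\drivers\\tcpip.sys\t1183000
C:\\Windows\\System32\\drivers\\hidden_driver.sys\t61440
C:\\Users\\alice\\report.docx\t48213
C:\\Windows\\Temp\\svc_cache.dat\t9216
"""


def run() -> dict[str, list[str]]:
    """Compare the constructed inside-view and clean-boot listings."""
    return cross_view_diff(parse_listing(INSIDE_VIEW), parse_listing(OFFLINE_VIEW))


if __name__ == "__main__":
    for kind, paths in run().items():
        print(kind, paths)
```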
Comments (5)

  1. Steve Hall says:

    The hyperlink doesn’t seem to work. Has this Tech. Report been removed from MSR’s website? If not, could you please tell us the title and author (so that we may use the search page to locate it…since I don’t see how one can search by Tech. Report number…)


  2. Don’t know why the link above isn’t working…perhaps a temporary glitch. If you do a search on the main page for WinDiff, you can find the following link:

  3. Steve Hall says:

    Thanks A LOT! The Strider Ghostbuster tool looks like a fantastic tool to have in my toolbox (automates the exact technique I’ve used on way too many infected PCs at work…). The Strider Gatekeeper that’s mentioned in the paper sounds similar to a tool I use on all my PCs: StartUpMonitor (available from Mike Lin at ). If I have time, I may try building my own copy of a GhostBuster CD…as I routinely maintain many different "lifeboats".

    It’s good to see that basic security research is producing viable tools. I’m hoping that these will be incorporated into any future MS anti-virus product!
