Detecting rootkits in this situation is really tough, but there are several different techniques that can potentially be employed and new ones are being developed. None, however, are perfect.
To make matters worse, rootkit programmers are aware of these techniques and are constantly developing their rootkits to evade new detection methods. In effect, just as with other malware, it's become a cat-and-mouse game between the bad guys and those developing protection.
What that means is there is currently no such thing as a perfect rootkit detector. The good news is that it also means there is probably no such thing as a perfect rootkit, either.
This situation means that users should not lock into the idea that one particular rootkit detector is "the best".
Indeed, for how to defeat a rootkit, I suggest you adopt the practice of using more than one detector... for a selection of software, see Commercial And Free Rootkit Scanner Downloads.
You should also ensure that you regularly update your rootkit detectors, as the current cat-and-mouse game means that products are constantly evolving.
2. How To Defeat A Rootkit...
If the operating system of your computer is already contaminated with this type of rootkit, its reliability and trustworthiness is low. For example, if you request a report or a list of all the running programs, such as within Task Manager, you could just as well get a report generated by the rootkit -- not the actual program list.
Similarly, there will be no visible rootkit entries in the Windows Startup folder or other startup locations.
So, manual rootkit detection that relies on the live system can be difficult. However, it's not impossible -- mostly because currently there are no rootkits that can hide themselves completely.
So, what are the reliable ways of manually detecting rootkits?
If an uninfected copy of the test system is available as a reference, rootkits can be detected by doing a file-by-file comparison between the current system and the uninfected copy.
Here the infected system is treated just as data, so the cloaking effect of the rootkit is not in play. In this situation, the rootkit and its payload can be easily discovered.
However, this is a situation that would be rarely encountered in practice, as almost no one has a reference copy of their system. Systems are not static anyway... legitimate changes are constantly taking place within a system and such changes make simple file comparisons difficult.
The best rootkit detection method requires you to shut down the system and check its storage by choosing an alternative boot device, such as a CD Rom or a USB drive.
Because the system boots from an alternative media source, you will be able to bypass the rootkit. So, now you know how to prevent the rootkit from becoming active, but not how to detect and remove it.
The next step is to use a good antivirus program, such as
, that will track down rootkits by using the standard operating system (OS) calls... but remember that complex rootkits will protect themselves by suspending their activity when they detect a scan has been initiated.
For how to conduct a secure data wipe, see the section Permanently Delete Files To Securely Remove Data
After a fresh installation of the operating system you should monitor the files and save the logs. Also, do this after installing other software titles and compare the reports. Now you'll be able to compare these logs with your current live system to determine whether there has been a further rootkit infection.
Although this system is a bit complicated and not advisable for the majority of home users, it is also the most effective rootkit prevention technique.
Specialists refer to this as "fingerprinting" -- during the process a hash function is used to track down changes in the data. Compression of the hash files will reveal changes that were not made intentionally by the system administrator, thus revealing any hidden rootkits.