Security UPDATE--Rootkit Removal Tools--August 30, 2006


How to Improve Network Security Without Extra Staff or Busting Your Budget

Symantec Webcast : Symantec Packager - Tap into the Power

Manage Vulnerabilities. Defend Against Threats.



IN FOCUS: Rootkit Removal Tools


- Time to Upgrade SUS to WSUS

- Big Blue to Pay $1.3 Billion for ISS

- Citrix and Microsoft Team Up to Develop New Appliance

- Recent Security Vulnerabilities


- Security Matters Blog: IE Bug Worse Than Expected

- FAQ: Block IE 7.0 Installation

- Share Your Security Tips


- Managing and Reporting Security Events

- Wanted: Your Reviews of Products




=== SPONSOR: AlertLogic


How to Improve Network Security Without Extra Staff or Busting Your Budget

Who couldn't use some extra protection? Worms and malicious intruders can attack your network anytime, so make sure that your defenses are at their strongest, especially for your small- and medium-sized businesses. If IDS/IPS appliances are too costly and difficult to maintain, learn how a turn-key solution can provide the protection you need at a price you can afford.

=== IN FOCUS: Rootkit Removal Tools


by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Rootkits are a growing problem, and as you might expect, the list of tools that can help you prevent rootkit infiltration is also growing. The list of standalone tools that can help with rootkit detection and removal is also expanding. This week, I give you a list of the standalone detection and removal tools that I know about.

The alphabetical list below can be a resource to help you add some useful tools to your security toolkit. As with antivirus and antispyware tools, using multiple rootkit detection and removal tools is a good idea because not every tool can detect and remove every rootkit.

Of the tools listed, I've used RootkitRevealer, F-Secure BlackLight, Sophos Anti-Rootkit, and IceSword, all of which are from entities that I'm familiar with and trust to some extent or other.

A few of the tools on the list (GMER, DarkSpy, and Rootkit Unhooker) look interesting, but I have no idea who the authors are, nor do their Web sites offer much information to lend insight. So although I included them in the list, definitely use your own discretion.

There are undoubtedly other related tools available that I'm not aware of; if you know of one, please send me an email with details. If you've tried one of the tools below, let me know about your experiences with it.

BitDefender RootkitUncover beta, from SoftWin

This tool is currently available as a free beta and looks promising, particularly because it's from SoftWin, makers of BitDefender.

DarkSpy, from DarkSpy Security Group

This tool is from a group of Chinese security researchers that I'm unfamiliar with. The download page for the tool says, "Use at your own risk," and you'd be wise to take that advice; however, it might give you a little comfort to know that this tool was recently mentioned in the SANS Internet Storm Center's Handler's Diary. Click the second URL under the Helios entry below to link to that mention.

F-Secure BlackLight

This is a standalone "trialware" tool, meaning that each build stops working on a fixed expiration date (currently October 1), after which you download a fresh build. It's also a standard component of F-Secure's Internet Security 2006 package.

GMER, from an unknown independent Polish developer

Although no information is readily available about who developed this tool, its Web site has several screenshots and some movies (in .wmv and .avi format) that show the tool in action. So you can get a good idea of what it's like before using it.

Helios, from MIEL e-Security

This is a new tool, currently in "alpha" development, that looks promising. For some good insight into Helios, go to the second URL below to read the SANS Handler's Diary entry for July 26, in which you can also see some screen shots of the tool in action.

IceSword, by Xfocus Team

IceSword has proven useful to many security administrators. Xfocus is a group of Chinese security researchers, and while the site is written in Chinese, you can use AltaVista's Babel Fish Translation engine (at the second URL below) to view it in English. You can also use Babel Fish to translate the Chinese documentation.

RKDetector, by Miguel Tarasco Acuna

This toolkit comes in two parts: a file system analyzer and an Import Address Table (IAT) analyzer. The file system analyzer scans the file system and registry for hidden objects, and the IAT analyzer scans process memory for modified IAT entries, the user-mode hooks a rootkit uses to intercept API calls and filter their results. Screen shots are available to give you a good idea of what the tool looks like.

RootKit Hook Analyzer, from Resplendence Software Projects

Although most rootkit detection tools look at kernel hooks, the file system, the registry, user accounts, and so on, this particular tool focuses exclusively on kernel hooks.

RootkitRevealer, from Sysinternals

A tool written by Mark Russinovich and Bryce Cogswell, two very well known Windows experts.

Rootkit Unhooker, from UG North

Although I have no idea who UG North is, the tool looks promising. It checks for unwanted processes and system hooks and can help terminate such processes.

Sophos Anti-Rootkit

This standalone tool offers both a GUI and a command line version and is similar to the antirootkit technology built into the Sophos Anti-Virus for Windows solution.

System Virginity Verifier, FLISTER, and KLISTER, by Joanna Rutkowska

These tools specifically look for hidden files and at various system components that might be modified by various rootkit techniques. Source code is included. Rutkowska is a well-known researcher.

UnHackMe, from Greatis Software

While all the other listed tools are free, this tool is priced starting at $19.95 for a single license. You can view screen shots of the tool to see what it looks like and download a working demo if you're interested.
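Most of the tools above rely on two checks: a cross-view comparison (list files or registry keys through the Win32 API, list them again by reading the volume or hive directly, and treat anything the API omitted as hidden) and a kernel-hook check (flag service-table entries that point outside ntoskrnl). The Python below is an added example written for this article, not code from any listed tool or its author. All of its inputs are constructed and labeled as such: the file paths, driver names, module addresses and service indices are illustrative, and a real tool would obtain the two views from FindNextFile/RegEnumValue versus a raw NTFS or hive parser, and the table from kernel memory.

```python
"""Two heuristics the standalone anti-rootkit tools above rely on, in Python.

Added example; not code from any listed tool. Every input here is constructed,
so it runs offline. A real tool gets the "API view" from Win32 calls such as
FindNextFile/RegEnumValue, the "raw view" by parsing the NTFS volume or registry
hive files itself, and the service table by reading kernel memory.
"""
from dataclasses import dataclass

# ---- Check 1: cross-view comparison (RootkitRevealer / FLISTER style) -------

def cross_view_diff(api_view, raw_view):
    """Objects seen by one enumeration path but not the other.

    'hidden'  : in the raw view but filtered out of the API results, the classic
                symptom of a rootkit hooking the enumeration API.
    'phantom' : returned by the API but absent from the raw view; usually a
                transient object (temp file, in-flight hive write), not a rootkit.
    """
    api, raw = set(api_view), set(raw_view)
    return {"hidden": sorted(raw - api), "phantom": sorted(api - raw)}


def persistent_hidden(snapshots):
    """Only report objects hidden in every snapshot round.

    The two views are never taken at the same instant, so a file created or
    deleted between them shows up as a one-off discrepancy. Repeating the scan
    and intersecting the results removes that source of false positives.
    """
    rounds = [set(cross_view_diff(api, raw)["hidden"]) for api, raw in snapshots]
    return sorted(set.intersection(*rounds)) if rounds else []


# ---- Check 2: service-table hook check (RootKit Hook Analyzer / GMER style) --

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


def find_ssdt_hooks(ssdt, modules):
    """Flag System Service Descriptor Table entries pointing outside ntoskrnl.

    Every native system call in the SSDT is implemented inside the kernel image,
    so an entry whose target lies in another driver, or in no loaded module at
    all, has been redirected. Inline hooks that patch the function body inside
    ntoskrnl are NOT caught by this check, which is one reason the tools above
    combine several techniques.
    """
    kernel = next(m for m in modules if m.name.lower() == "ntoskrnl.exe")
    hooked = []
    for index, target in sorted(ssdt.items()):
        if kernel.contains(target):
            continue
        owner = next((m.name for m in modules if m.contains(target)), "<unmapped>")
        hooked.append((index, target, owner))
    return hooked


# ---- Constructed sample data (not captured from a real system) ---------------

DRIVERS = r"C:\Windows\System32\drivers"
HIDDEN = DRIVERS + r"\hidden.sys"          # present on disk, filtered from the API
TEMP = r"C:\Users\alice\~tmp1.txt"         # existed only during round 1

SNAPSHOTS = [
    # (api_view, raw_view) for two scan rounds
    ([DRIVERS + r"\null.sys", TEMP], [DRIVERS + r"\null.sys", HIDDEN]),
    ([DRIVERS + r"\null.sys"],       [DRIVERS + r"\null.sys", HIDDEN]),
]

# Bases, sizes and service indices are illustrative; they differ per OS build.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("unsigned.sys", 0xF8A00000, 0x4000),
]
SSDT = {
    0x7A: 0x805C1E12,   # inside ntoskrnl: unhooked
    0x91: 0xF8A01200,   # redirected into unsigned.sys
    0xAD: 0xF9123456,   # points at memory no loaded module owns
}

if __name__ == "__main__":
    print("round 1 diff:", cross_view_diff(*SNAPSHOTS[0]))
    print("persistently hidden:", persistent_hidden(SNAPSHOTS))
    for index, target, owner in find_ssdt_hooks(SSDT, MODULES):
        print(f"SSDT[0x{index:02X}] -> 0x{target:08X} in {owner}")
```

Run as a script, it reports the temp file as a one-round "phantom" (ignored by the persistence check), hidden.sys as persistently hidden, and two redirected service-table entries. The point of the two-round intersection is the same reason the tools above advise rescanning: a single cross-view pass on a busy system will always show a few transient mismatches, and a tool that reports them all trains the administrator to ignore its output.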


Regional Events Cover 4 Key Interoperability Topics

Are you a Windows fan, a UNIX diehard, a Linux lover, or all of the above? Check out TechX World, an OS-agnostic event designed to give you insider tips on coping in a Windows-plus world.

Designed specifically for IT professionals who work in a multi-OS environment, TechX World is a four-track, one-day event featuring technical experts Michael Otey, Gil Kirkpatrick, Dustin Puryear, and Randy Dyess providing information about OS interoperability, data interoperability, directory and security integration, and virtualization.

The regional event series will visit four cities from October 24 through November 2: Washington D.C., Chicago, Dallas, and San Francisco. Attendees who register before August 31 will receive early bird pricing and a one-year subscription to Windows IT Pro. At $129 per person for four tracks and a full day of learning, it's worth sending the entire team to make sure you cover all the sessions. For complete agenda and speaker details, go to

=== SPONSOR: Symantec


Symantec Webcast : Symantec Packager - Tap into the Power

Need to extend your IT administration reach and connect to the devices? This webcast is designed for IT professionals interested in the functionality of Symantec Packager. Topics to be covered include product functionality, the product basics, as well as configuring and deployment with specific examples for pcAnywhere Host and Remote installations.

Date: September 7, 2006, 9:00am PDT, 12:00pm EDT

Speaker: Sandra Stamler, Product Marketing Manager

Register now at



Time to Upgrade SUS to WSUS

Microsoft ceased distributing Software Update Services (SUS) August 24 and will stop delivering updates via SUS December 6. The company will no longer support SUS after the December date. For administrators who rely on SUS, it's a great time to upgrade to Windows Server Update Services (WSUS).

Big Blue to Pay $1.3 Billion for ISS

IBM announced that it has entered into a deal to buy Internet Security Systems (ISS) for $1.3 billion in cash. Upon closing of the acquisition, ISS will become a security business unit at IBM within the company's Global Services organization.

Citrix and Microsoft Team Up to Develop New Appliance

The new Citrix WANScaler appliance is aimed squarely at improving delivery of applications to branch offices. It will be based on Microsoft Windows Server 2003, with Internet Security and Acceleration (ISA) Server providing added security and WANScaler technology improving network and application performance.

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

=== SPONSOR: Core Security


Manage Vulnerabilities. Defend Against Threats.

Your IT and Security budgets are tight. This White Paper shows real-world case studies demonstrating the ROI potential of automated penetration testing.




Security Matters Blog: IE Bug Worse Than Expected

by Mark Joseph Edwards,

Microsoft Security Bulletin MS06-042--Cumulative Security Update for Internet Explorer has now been re-released to fix an exploitable vulnerability introduced by the original patch. The vulnerability involves long URLs in conjunction with HTTP 1.1 and compression. Be sure to read the updated bulletin and apply the latest version of the patch.

FAQ: Block IE 7.0 Installation

by John Savill,

Q: How can I block Microsoft Internet Explorer (IE) 7.0 installation via the registry?

Find the answer at


Share Your Security Tips

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



by Renee Munshi, [email protected]

Managing and Reporting Security Events

CrossTec has released version 3.5 of its Activeworx Security Center event management software. The upgrade contains a new internal reporting center instead of the Crystal Reports software in previous versions (Crystal Reports will still be optional). Activeworx 3.5 lets users control parameters and schedule automated reporting tasks and comes with more than 200 new PCI, SOX, GLBA, and HIPAA reports. Integration with the Snort intrusion detection system (IDS) provides event information. Activeworx 3.5's correlation engine has been benchmarked at more than 15,000 events per second. Activeworx 3.5's console is customizable and can be modified to display the entire network or just portions of it. An Activeworx deployment starts at $2500. For more information, visit

WANTED: your reviews of products you've tested and used in production. Send your experiences and ratings of products to [email protected] and get a Best Buy gift certificate.



Gear up for TechX World Roadshow

Hear first-hand from leading interoperability experts, vendors, and peers at this exclusive one-day event. You'll learn about managing OS interoperability, directory migration, data interoperability, and much more. This event provides in-depth information on how Windows and other systems cooperate with each other.

Does your company have $500,000 to spend on one email discovery request? Join us for this free Web seminar to learn how you can implement an email archiving solution to optimize email management and proactively take control of e-discovery--and save the IT search party for when you really need it! Live Event: Tuesday, September 12

You know you need to manage your email data; how do you do it? What steps are you taking? What additional measures should you enact? What shouldn't you do? Learn the answers to these questions and get control of your vital messaging data. Download the free eBook today!

Dramatically simplify Exchange troubleshooting with an in-depth look at built-in troubleshooting tools and third-party applications. Join us as we analyze a typical troubleshooting process, address the problems with using standard tools, and learn how automated troubleshooting can solve these challenges. Live Event: Thursday, September 14

Are you protected company-wide against spyware, keyloggers, adware, and backdoor Trojan horses? Test the state-of-the-art scanning engine that uses threat signatures from multiple sources to track down the culprits that antivirus solutions alone can't protect you against. Download your free 30-day trial of CounterSpy Enterprise today!



Help your small or midsized business protect one of its most valuable assets--business information. Easily store, manage, protect, and share information by using hardware designed with the needs of your business in mind. Manage IT without the large staff and extensive training--learn how today!



Invitation for VIP Access

For only $29.95 per month, you'll get instant VIP online access to ALL articles published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. Sign up now:

Save $40 off Windows IT Pro

Subscribe to Windows IT Pro today and SAVE up to $40! Along with your 12 issues, you'll get FREE access to the entire Windows IT Pro online article archive, which houses more than 9,000 helpful IT articles. This is a limited-time offer, so order now:


Security UPDATE is brought to you by the Windows IT Pro Web site's Security page (first URL below) and the Windows IT Security newsletter (subscribe at the second URL below).

Subscribe to Security UPDATE at

Unsubscribe by clicking

Be sure to add [email protected] to your antispam software's list of allowed senders.

To contact us:

About Security UPDATE content -- [email protected]

About technical questions --

About your product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
