Rootkit Detection and Removal
The use of Rootkit techniques in malicious code has risen in recent years because the normal operating system tools (Task Manager, Service Control Manager, and the like) and conventional anti-virus applications cannot consistently detect this malware. Rootkit malware is currently considered the biggest threat in the security industry.
There are specialized Rootkit detectors, such as IceSword (by the Xfocus Team, http://www.xfocus.net) and BlackLight (by F-Secure, http://www.f-secure.com/blacklight/blacklight.html), which generally succeed in finding Rootkit malware. Almost all anti-Rootkit detectors use kernel-mode drivers and are therefore invasive.
These anti-Rootkit detectors are either GUI applications that need user attention or tools that require custom scripts to run as scheduled tasks, which complicates deployment and administration in a corporate environment. Their sole purpose is to detect Rootkit malware; they provide no other anti-virus or intrusion-prevention functions.
The biggest weakness of all anti-Rootkit applications, Orthrus included, is that attackers can simply write Rootkit-powered malware so that anti-Rootkit detectors see it in the normal view too. When the normal view and the raw view (obtained by examining deep kernel functions) show no difference, the detector has nothing from which to deduce the presence of a Rootkit. The only exception to this rule is the application (SVV.exe) written by Joanna Rutkowska (http://invisiblethings.org/).
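The normal-versus-raw comparison described above, written out as an added example for Linux (it is not Orthrus code and the Windows tools named here work differently): the normal view is the /proc directory listing that ps and top rely on, the raw view is a kill(pid, 0) probe of every possible PID, and anything alive that the listing omits is reported, after discarding ordinary threads and scan races.

```python
import os

def listdir_view():
    """Normal view: PIDs that readdir() on /proc reports (what ps and top use)."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def is_alive(pid):
    """Raw probe via kill(pid, 0): ESRCH means absent, EPERM means present."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def probe_view(pid_max):
    """Raw view: ask the kernel about every possible PID one by one."""
    return {pid for pid in range(1, pid_max + 1) if is_alive(pid)}

def thread_group_of(tid):
    """Tgid from /proc/<tid>/status, or None when the entry does not exist."""
    try:
        with open(f"/proc/{tid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return None

def cross_view_diff(normal, raw, tgid_lookup=thread_group_of):
    """IDs in the raw view but not the normal one, minus ordinary threads (kill()
    accepts TIDs and /proc lists none, so a TID whose Tgid is visible is benign)."""
    hidden = set()
    for tid in raw - normal:
        tgid = tgid_lookup(tid)
        if tgid is not None and tgid != tid and tgid in normal:
            continue
        hidden.add(tid)
    return hidden

if __name__ == "__main__":
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    normal, raw = listdir_view(), probe_view(pid_max)
    later = listdir_view()  # processes created during the scan are a race, not a rootkit
    for pid in sorted(cross_view_diff(normal, raw)):
        if pid not in later and is_alive(pid):  # and not exited in the meantime
            print(f"PID {pid} is live but absent from the /proc listing")
```

As the text notes, a Rootkit that shows itself in the normal view defeats this check: both views then agree and the diff is empty.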
Orthrus handles Rootkit malware in the following manner:
- Running as a Windows service that monitors for Rootkit installations in real time, all the time. Because the .net watcher technique lets Orthrus identify all INSTALLER activities (see the Detect and Prevent Malware Intrusion section for more information on INSTALLER), Rootkit malware becomes the easiest intrusion to prevent: no ordinary application installer exhibits Rootkit behavior.
- For Rootkit malware that reveals its identity to Orthrus, Orthrus sends the executable's information to WNSC's secure web server so their security analysts can validate it. Once identified as malicious, this Rootkit malware is quarantined just like any other malware.
- Orthrus cannot remove pre-existing Rootkit malware on Windows 2000 or Windows Vista in this version; it recommends other techniques (see FAQ.html) to perform that task.