
#1 2010-05-18 01:40:21

Gullible Jones
Member
Registered: 2004-12-29
Posts: 4,863

Windows antirootkit tools that run in Linux

Today I just finished repairing someone's Windows Vista installation. The person in question had come across a hacked website while browsing with UAC and Protected Mode turned off, relying solely on McAfee AV and Windows Defender for their protection.

I was (apparently) able to clean up the aftermath using the Kaspersky live CD, Malwarebytes Antimalware, and HijackThis. However, several Windows based antirootkit tools I tried to run - Gmer, Avira Antirootkit, and Rootkit Revealer - all failed, leading me to suspect a rootkit infection. The (generally poor quality) antirootkits I could get running didn't turn up anything, but I was still suspicious.

I wound up abandoning the rootkit search after scanning with SuperAntiSpyware and ClamAV and Avira live CDs, as well as Sophos Antirootkit and Trend Micro RootkitBuster, all of which turned up nothing. But I'm still annoyed that I wasn't able to get in a dedicated antirootkit scan from a live CD.

Now normally my solution would be to create a BartPE live CD with Gmer or something on it. Unfortunately though, I don't feel like forking out a day's worth of work for Windows 7 or Vista SP2, and the security situation on XP SP3 has gotten so vile that I feel it's simply no longer viable as a personal OS. So my netbook has only Linux partitions now, and all the other computers in the house are either Ubuntu LTS, Windows 2000, or G3s running MacOS 9.x. (No I'm not kidding.) In other words, BartPE would be a real pain to set up.

So...

Does anyone know of dedicated software for detecting Windows rootkits, that can run in a live Linux environment? It looks like I got lucky this time, but next time I'd rather not rely so much on luck.


#2 2010-05-18 01:59:08

skottish
Forum Fellow
From: Here
Registered: 2006-06-16
Posts: 7,942

Re: Windows antirootkit tools that run in Linux

chkrootkit and rkhunter are both good, but neither is dedicated to Windows.

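The original poster wanted a dedicated rootkit check that runs from a Linux live CD, and the reply's suggestions (chkrootkit, rkhunter) target Unix rootkits rather than a mounted Windows volume. The script below is an added example, written for this edit and not part of the thread, of the one check that an offline mount makes easy: a cross-view comparison of the kind RootkitRevealer does from inside Windows, done instead between a file listing captured on the running Windows install and the files visible on the volume when it is mounted read-only from Linux. A kernel-mode rootkit can filter what the running OS reports, but it cannot filter an offline mount, so anything present offline and absent from the live listing is worth inspecting. It assumes the Windows partition is already mounted (for example with ntfs-3g) and that a `dir /s /b /a` listing was saved from inside Windows before rebooting; the mount point, listing file name and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: offline "cross-view" check for files
# hidden from a running Windows install, run from a Linux live CD.
#
# Assumptions (mine, not stated in the posts):
#   - the Windows volume is already mounted read-only somewhere, e.g.
#       mount -t ntfs-3g -o ro /dev/sda2 /mnt/win
#   - a plain-text listing was captured from inside the running Windows
#     install before booting the live CD, e.g.
#       dir C:\ /s /b /a > list.txt
#     giving one absolute Windows path per line (CRLF line endings are fine).
set -eu

# normalise_paths: read Windows paths on stdin, strip the drive letter, turn
# backslashes into slashes and lowercase everything so both views compare equal.
normalise_paths() {
    sed -e 's/^[A-Za-z]:[\\/]//' -e 's#\\#/#g' | tr 'A-Z' 'a-z'
}

# cross_view_diff LIVE_LISTING MOUNT_POINT
# Prints, one per line, files that exist under MOUNT_POINT (the offline view)
# but do not appear in LIVE_LISTING (the view the running OS gave).
cross_view_diff() {
    live_listing="$1"
    mount_point="$2"
    workdir=$(mktemp -d)
    # Listing produced on Windows: drop CR, normalise, sort for comm(1).
    tr -d '\r' < "$live_listing" | normalise_paths | sort -u > "$workdir/live"
    # Offline view: every regular file reachable under the mount point.
    (cd "$mount_point" && find . -type f | sed 's#^\./##') \
        | normalise_paths | sort -u > "$workdir/offline"
    # comm -13 keeps only lines unique to the second file: offline but not live.
    comm -13 "$workdir/live" "$workdir/offline"
    rm -rf "$workdir"
}

# --- constructed demonstration data (a stand-in for a real mount) ---
demo_root=$(mktemp -d)      # plays the role of the read-only NTFS mount
demo_listing=$(mktemp)      # plays the role of list.txt saved from Windows
mkdir -p "$demo_root/Windows/System32/drivers" "$demo_root/Users/alice"
: > "$demo_root/Windows/System32/drivers/ntfs.sys"
: > "$demo_root/Windows/System32/drivers/hidden.sys"   # never shown to the live OS
: > "$demo_root/Users/alice/notes.txt"
# What the (possibly rootkitted) running Windows reported, CRLF-terminated:
printf 'C:\\Windows\\System32\\drivers\\ntfs.sys\r\nC:\\Users\\alice\\notes.txt\r\n' \
    > "$demo_listing"

# demo_cross_view: run the comparison over the constructed data.
demo_cross_view() {
    cross_view_diff "$demo_listing" "$demo_root"
}

echo "Files present offline but missing from the live listing:"
demo_cross_view
```

Two caveats when using this on a real volume: the live listing must be captured immediately before shutting Windows down, or every file written afterwards (logs, hibernation and page files, prefetch data) shows up as a false positive; and an empty result only means nothing was hidden from directory enumeration, so it says nothing about hooked kernel code or a boot-sector rootkit, for which a signature scan of the mounted volume (ClamAV, or the vendor live CDs mentioned above) is still needed.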


Powered by FluxBB