AVG Does Freebie RootKit Detector

They’re evil; they’re nasty; we hate them; and we’re still pissed at Sony for bringing them into the limelight. Rootkits. Ugly bits of malware code that dig deep into your OS kernel, there to hide and do their nefarious business beneath the radar of your average AV program.

Sony’s ill-thought-out rootkit served to ‘protect’ their music CDs from being ripped by customers. That’s actually tame compared to what rootkits do nowadays. They’re usually in place to hide some really destructive code like a keylogger.

I talked to David Moll, CEO of Webroot, about a year ago about the changing trends in malware. He mentioned keyloggers being installed as rootkits specifically. Worse, he explained that keyloggers are now getting smart. Used to be they’d just snapshot everything you entered for X number of hours, then zap the info off to the bad guy as an ASCII file. No longer.

Today’s keyloggers are smart enough to know when you’re entering stuff they want to steal. Moll said these things are often coded to activate only when you’re hitting either a certain kind of Web site or even just a specific list of Web sites–like your bank’s Web site, for example. Only then do they start logging key info.

It’s a nastier world out there every day. Fortunately, Grisoft, the guys behind AVG, is trying to help. These guys put out a free anti-virus program, which has long been one of my favorites when I’m reviewing a loaner PC. Now they’ve got a freebie rootkit detector, too.

It’s for Windows, and it detects rootkits and removes them, too. You can download it here with a 30-day free commercial license included. After that, it’s free for home/non-business users only. AVG put the thing through a 6-month open beta test, so it should be fairly solid, but I’d still go easy before trying that removal tool in the wild. Whether or not the remover is free isn’t the issue–it’s that rootkits aren’t necessarily coded to any single set of rules, and we’ve already experienced trouble when trying to simply yank some of them. Best to watch the Web for word on the effects of removing a specific rootkit before taking that risk.

I’d tell you to check Grisoft’s ongoing security blog to find out how it works on specific rootkits…but they don’t do one. An oversight if you ask me. Fortunately, there are independent security info sources you can hit to find out about the effects of a removal tool before actually trying one. Garza over at InfoWorld’s Zero-Day usually knows what he’s talking about, so do the guys at ZoneLabs (though they probably won’t help with AVG), but somebody over at Dark Reading definitely will.

17 Responses to AVG Does Freebie RootKit Detector

  1. Anyone ever feel nagging paranoia that these rootkit detectors are rootkits themselves? After all, the authors of the program sure would have the expertise…

    • Yeah, it's definitely gotten scarier now that rootkit technology is becoming popular and drifting into the spotlight. I can almost guarantee you that some of these rootkit detectors (any that sit in memory to provide active protection) also employ rootkit technology. Same probably goes for any decent antivirus app these days too, as well as some anti-spyware tools like Webroot Spysweeper Enterprise's client. It's necessary for them to dig into the kernel to protect themselves.

      Other legitimate software, such as Alcohol 120%, employs rootkit technology as well. It's not the technology itself that is scary, bad, or deserves paranoia (though it is incredibly powerful). It's the usage for creating malware-rootkit-virus things that is scary and evil and stuff.

  3. That's a good thing to know. AVG does some great stuff. I gave up Norton for good after using the AVG antivirus. I'm trying the Anti-Spyware right now and it's working fine. I'll try the rootkit detector and see how it works.

  5. There are several comments about Anti-Rootkit software using rootkit like technology and that Sony introduced rootkits. I have a couple of comments about that.

    #1 The idea of rootkits goes way back into the *nix world. That is where the word came from: 'root' as in uber-user

    #2 Rootkits have been used for a while on Windows boxes, I read that Norton's undelete worked like a rootkit by hooking certain API calls so a file wasn't seen but still existed.

    #3 Read ROOTKITS.COM or Greg Hoglund's "Exploiting Software"

    • Well to #1 I think a lot of people know they're older because of the root thing (at least the Unix/Linux/BSD sysadmins…), but Sony was the first uh "scandal" made of it.