Rootkits are normally not visible to traditional AVs since they hide by installing themselves as kernel modules, low level hooks and by patching undocumented OS functions. Rootkits may not be malicious on their own but they're used by hackers to hide utilities and malware. We're seeing more and more malware samples every day that use rootkit technologies to hide their presence.
Panda AntiRootkit (Codename Tucan) shows hidden system resources, identifying known and unknown rootkits. Tucan analizes the following system components:
– Hidden drivers
– Hidden processes
– Hidden modules
– Hidden files
– Hidden registry entries
– SDT modifications
– EAT hooks
– Modification to the IDT
– Non standard INT2E
– Non standard SYSENTER
– IRP hooks
– And more…
Unlike other rootkit utilities which merely "reveal" hidden objects, Tucan positively identifies known and unknown rootkits and gives the option of removing them, including their associated registry entries, processes and files.
Of course this is still apha code so all typical disclaimers apply. We're not responsible if this breaks your machine so make sure to run it only on test systems. There's also a command-line version in case you're interested. Contact me privately for that.
UPDATE 12/29/2006
We have just released Panda AntiRootkit (Codename Tucan) to public beta. Click here to download version 1.05.
UPDATE 4/2/2007
Panda AntiRootkit 1.06 has been released. Visit the updated Panda AntiRootkit page to find out more and download it.
UPDATE 9/11/2007
You can find the updated page for Panda Anti-Rootkit here.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
10 comments
Bad news: This application doesn’t support Windows 2003 Server ๐ I hope it will be correcte.
Regarding support of Server OS, we decided to cut this off during the beta phase. We want to make sure it’s stable enough before letting people run it on a server.
Is it new ?
I received a rootkit from the music cd U-2 under the joshua tree by island records.Is there a name for this rootkit or a way to remove it?
Could you please run Panda Anti-Rootkit and once the rootkit is found submit it to Panda for analysis. We’ll take a look at it in our lab to see if it is in fact a rootkit.
It does not work on Windows XP Professional x64 Edition ๐ any help
best regards
Sorry zetaphone, no support for x64 on the free Anti-Rootkit util. However we have integrated the rootkit detection techniques in our commercial products which do support x64. You might want to give that a try:
http://pandasecurity.lin3sdev.com/usa/homeusers/downloads/evaluation/
Any support to this recent date of Aug. 2008?
I have this hidden system file, that if removed will just re appear with a different name. It came from a trojan or worm seen by AVG as a rootkit. They ID it as “Trojan horse PSW.OnlineGames_r.G” and also with this other extension AYRW in place of the r.G.
WeldTech, I recommend you scan your PC in-depth with various online scanners such as ActiveScan 2.0 (pandasecurity.lin3sdev.com/activescan). It’s possible that the rootkit is being re-infected by a separate piece of malware.
As a second opinion try scanning your PC with bootable solutions (BartPE, Microsoft’s anti-rootkit bootable image, etc.).
"Rootkit scanning, detection and removal" Sophos Anti-Rootkit is another free rootkit removal tool which i find to be very effective and user friendly at removing rootkits. It's scanning speed is pretty quick too.
James