Rootkit technologies are becoming more and more popular among malware authors. The reason is obvious: they make it possible to hide the malware and its components from users and from antivirus programs. It is not difficult to find open-source code of , which inevitably leads to wide use of this technology in various Trojans and spy programs, such as spyware/adware, keyloggers and so on.
Introduction

A rootkit is a program that hides any trace of the intruder or of the malware in the system. Rootkit technologies allow the malware to conceal all traces of its activity on the computer by masking its files and processes, and thus its presence in the system. To detect and remove such malware there are many specialized products, the so-called anti-rootkits, and many antivirus vendors also state that their mainstream products detect active rootkits.

The goal of this test is to check the ability of the most popular antivirus and anti-rootkit products to detect and remove widespread malware (ITW samples) that is present in the system and uses rootkit technologies. The test also checks proactive detection of programs that hide their presence in the system; this part is carried out on conceptual demo rootkits, each of which demonstrates a different way of hiding in the system. Testing the widespread ITW malware samples shows how well the products under discussion cope with rootkits that are already known, whereas testing on the concepts shows their ability to detect new, unknown rootkits.
Brief Test Results

The only antivirus product that obtained the Gold Award for its rootkit detection abilities is Kaspersky Anti-Virus 7.0. The other top-ranked products belong to the group of specialized rootkit fighters and do not offer their users the full range of protection that antivirus programs do. Rootkit Unhooker 3.7.300 was the best of the best among its competitors and collected the maximum number of points, 7.5.

Participants

Eight antivirus products and eight specialized "rootkit fighters" were chosen for the test in accordance with the pre-defined methodology.

Antivirus programs:
- BitDefender Antivirus 2008
- Dr.Web 4.44
- F-Secure Anti-Virus 2008
- Kaspersky Anti-Virus 7.0
- McAfee VirusScan Plus 200
- Eset Nod32 Anti-Virus 3.0
- Symantec Anti-Virus 2008
- Trend Micro Antivirus plus Antispyware 2008

Anti-rootkits:
- AVG Anti-Rootkit 1.1
- Avira Rootkit Detection 1.00.01.1
- GMER 1.0.13
- McAfee Rootkit Detective 1.1
- Panda AntiRootkit 1.0
- RkU 3.7
- Sophos Anti-Rootkit 1.3
- Trend Micro RootkitBuster 1.6

Four conceptual and six "wild" rootkits were selected for the test, each using its own masking technology. The sample set was formed in strict accordance with certain requirements, one of which was coverage of all the masking methods used to hide code in the system.

"Wild" malware selected for the test:
- Trojan-Spy.Win32.Goldun.hn
- Trojan-Proxy.Win32.Wopla.ag
- SpamTool.Win32.Mailbot.bd
- Monitor.Win32.EliteKeylogger.21
- Rootkit.Win32.Agent.ea
- Rootkit.Win32.Podnuha.a

Conceptual samples:
- Unreal A (v1.0.1.0)
- RkDemo v1.2
- FuTo
- HideToolz

The test was performed on a computer running Windows XP SP2 between 15 October and 10 December 2007, in strict correspondence with the methodology.

Test of the ability to detect malware code based on rootkit technology

Charts 1 and 2 display the results of proactive detection of the conceptual rootkits by the antivirus and anti-rootkit products. Since the concepts are not a threat to users, only their detection was tested (0.5 points for each one found). The results on the conceptual rootkit samples show that, among the antivirus products, proactive detection of active rootkits was achieved only by Kaspersky Anti-Virus and F-Secure Anti-Virus. Among the specialized programs, all have proactive detection of active rootkits to some extent. The best in this part of the test were Kaspersky Anti-Virus and Rootkit Unhooker, which detected all the submitted rootkit concepts. In sum, the results show that the specialized anti-rootkit tools turned out to be more effective than the antivirus products.

Chart 1

Chart 2

The best overall results among antivirus products with integrated anti-rootkit modules were achieved by Dr.Web 4.44, Kaspersky Anti-Virus 7.0 and Symantec Anti-Virus 2008 (5, 4.5 and 4 points respectively). Almost all the specialized anti-rootkit products achieved good results, except McAfee Rootkit Detective.
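As an added illustration of the hiding-and-detection problem described in the Introduction and in the proactive-detection results above, the script below implements the cross-view comparison that active-rootkit detectors rely on: enumerate processes through the path a rootkit is likely to filter, enumerate them again through an independent path, and report whatever the independent path sees that the first one does not. This is example code written for this page, not code from the report or from any of the products tested, and it says nothing about how those products implement their checks. The two Linux data sources (the /proc directory listing versus a brute-force kill(pid, 0) probe) are an assumption chosen so the script runs outside Windows; the `snapshot_view` helper and the constructed PID sets in the demonstration are likewise made up for this example.

```python
"""Cross-view detection of processes hidden by an active rootkit.

Example code added to this page; it is not taken from the test report or
from any product it names.  A rootkit that hides a process usually does so
by filtering the results of one enumeration path (for example the
directory listing of /proc, or a process-list API).  Cross-view detection
takes a second, independent enumeration and reports every PID that the
independent path sees but the filtered path does not.  The two Linux data
sources below are an assumption made so the script runs outside Windows.
"""
import os
from typing import Callable, Iterable, Optional, Set

View = Callable[[], Set[int]]


def proc_listing_view() -> Set[int]:
    """High-level view: PIDs obtained by listing /proc.

    A rootkit that hooks readdir()/getdents() can drop entries here."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _is_non_leader_thread(pid: int) -> bool:
    """kill(tid, 0) also succeeds for thread IDs, which never appear in a
    /proc listing and would otherwise be false positives.  Read Tgid from
    /proc/<tid>/status by path (path access is not affected by a filtered
    readdir) and treat the entry as a thread when its group leader differs.
    If the status file cannot be opened the entry is kept as a candidate."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False


def signal_probe_view(max_pid: Optional[int] = None) -> Set[int]:
    """Low-level view: brute-force kill(pid, 0) over the whole PID range.

    Signal 0 performs the permission check but sends nothing.  ESRCH
    (ProcessLookupError) means no such process; EPERM (PermissionError)
    means the process exists but belongs to another user, so it counts as
    live.  Nothing here depends on directory enumeration, which is what
    makes this view independent of the one above."""
    if max_pid is None:
        try:
            with open("/proc/sys/kernel/pid_max") as fh:
                max_pid = int(fh.read().strip())
        except OSError:
            max_pid = 32768  # assumed fallback when pid_max is unreadable
    live: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not _is_non_leader_thread(pid):
            live.add(pid)
    return live


def cross_view_hidden(high_view: View, low_view: View, passes: int = 2) -> Set[int]:
    """Return PIDs present in the low-level view but absent from the
    high-level one, keeping only PIDs that stay hidden across `passes`
    consecutive comparisons.

    A process that starts or exits between the two enumerations of a
    single pass shows up as a one-off discrepancy; requiring the same PID
    to be hidden in every pass filters that race out, so the remaining
    PIDs are genuine candidates for a hidden process."""
    if passes < 1:
        raise ValueError("passes must be >= 1")
    candidates: Optional[Set[int]] = None
    for _ in range(passes):
        hidden_now = low_view() - high_view()
        candidates = hidden_now if candidates is None else candidates & hidden_now
        if not candidates:
            break
    return set(candidates or ())


def snapshot_view(snapshots: Iterable[Iterable[int]]) -> View:
    """Turn a sequence of constructed PID sets into a view callable that
    returns them one per call (used for the offline demonstration)."""
    it = iter(snapshots)
    return lambda: set(next(it))


if __name__ == "__main__":
    # Constructed scenario: PID 4 is filtered from the high-level view in
    # both passes (hidden); PID 9 exits between the two enumerations of
    # the first pass and is a transient, not a hidden process.
    high = snapshot_view([{1, 2, 3}, {1, 2, 3}])
    low = snapshot_view([{1, 2, 3, 4, 9}, {1, 2, 3, 4}])
    print("hidden in constructed scenario:", sorted(cross_view_hidden(high, low)))

    # Live check on a Linux host (skipped elsewhere); an empty set is the
    # expected result on a clean system.
    if os.path.isdir("/proc"):
        print("hidden on this host:",
              sorted(cross_view_hidden(proc_listing_view, signal_probe_view)))
```

The brute-force probe walks the full `pid_max` range, which on a modern kernel can be several million values and takes a few seconds in Python; pass a smaller ceiling to `signal_probe_view` when the range is known. The persistence check across passes is what separates a real hiding candidate from the ordinary churn of processes starting and exiting while the two views are collected, and a kernel-mode rootkit that hooks the low-level path as well defeats this particular pair of views, which is why the specialized tools in the test draw on several independent enumeration paths rather than one.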