F-Secure has finally taken the wraps off a new anti-rootkit tool they call Blacklight (I dig the name):
It seems to do a file system scan and may employ a similar technique to that of Rootkit Revealer and the Ghostbuster tools created by Microsoft Research.
Regarding your excellent post at (comments closed)
I'd just like to question that now that this information is public, don't you worry that running the WOLF tool on a live machine that is still connected to the internet gives the possibility for this tool to get stolen? It seems that by keeping this tool private you have the possibility to hide some techniques it uses for detection; however, if you allow customers to run it like that, I would imagine that now that everyone knows about it, it will be an interesting challenge for malware guys to try to steal it for investigation.
Of course if it uses no special "MS known only" tricks for detecting the rootkits, perhaps it's not such a big issue.
I read the interesting articles about RK's etc. So I thought you might like to know that I've got a thread going over at Wilders called RootKit Detection Treasure Trove, which you may like to take a look at and follow, and/or even better hopefully contribute to if you wish.
It seems that we have two options w/ traditional rootkits; either the kit is detectable by a virus scanner, or the discrepancy would be noted by doing a file comparison when booting from trusted media.
One way this battle might be escalated would be to take a page from the trusted computing people. Consider the following: small updates are made to both the system BIOS and hard disk firmware. On boot, the BIOS detects whether it is booting from the r00ted drive. If so, it notifies the drive that it may proceed to load the malware. This would take the form of detecting bootloader or kernel code and inserting a startup hook for the malware. The malware could be retrieved from any EEPROM in the system with sufficient space, or even from "bad" sectors on the hard disk (less stealthy, but more space to work with).
This should defeat offline file comparisons, but would require customizations that would prevent it from being used in anything more than a custom attack. In theory, small timing differences should be noticeable with the malware running. Which reminds me; you could build a profiler into a host IDS that would generate profiles on access times to various resources, and flag any anomalies. Hmm....
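The "file comparison when booting from trusted media" option mentioned above, as an added example that is not part of any comment in this thread: a manifest of file hashes is built from a known-clean copy of the tree, a second manifest is built from the suspect tree, and the two are diffed. The directory layout, file names and contents are constructed for the demo; the point of booting from trusted media is that both manifests are produced by a kernel the rootkit does not control, so a hidden or patched file cannot lie about its own contents.

```python
"""Offline file-integrity comparison (added example).

Assumption: both manifests are built while booted from trusted media, so the
filesystem view is not filtered by a rootkit on the suspect system. Run under
a possibly compromised kernel, this only tells you what that kernel lets you see.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root.

    Symlinks are skipped so a link pointing outside the tree is not hashed
    as if it were the file it replaced.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(trusted, live):
    """Classify every path as modified, added (only on the live system) or removed."""
    trusted_paths, live_paths = set(trusted), set(live)
    return {
        "modified": sorted(p for p in trusted_paths & live_paths if trusted[p] != live[p]),
        "added": sorted(live_paths - trusted_paths),
        "removed": sorted(trusted_paths - live_paths),
    }


def demo():
    """Constructed scenario: a clean tree and a copy where one binary was
    patched and one extra library was dropped in. Returns the comparison."""
    # Constructed sample contents; file names only stand in for a real system tree.
    files = {
        "bin/ls": b"ls v1",
        "lib/libc.so": b"libc",
        "etc/hosts": b"127.0.0.1 localhost\n",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            for rel, data in files.items():
                p = Path(root, rel)
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # Differences on the suspect side: a changed binary and an unexpected file.
        Path(suspect, "bin/ls").write_bytes(b"ls v1 + extra code")
        Path(suspect, "lib/hook.so").write_bytes(b"unexpected library")

        trusted = build_manifest(clean)
        live = build_manifest(suspect)
        return compare_manifests(trusted, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the trusted manifest comes from install media or a vendor package database rather than a second copy of the disk, and only the "modified" and "added" lists are interesting; "removed" mostly catches logs and caches unless the baseline was taken from the same machine.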
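The host-IDS profiler idea in the last paragraph, as an added example rather than anything the commenter built: a baseline of access latencies is recorded per resource on a known-clean host, and later observations are scored against it. The resource names, latencies and threshold are constructed; the score uses the median and median absolute deviation (MAD) rather than mean and standard deviation so a handful of slow samples in the baseline do not widen the tolerance, and the case where every baseline sample is identical (MAD of zero) falls back to the observed min/max range instead of flagging every one-microsecond wobble.

```python
"""Timing-profile anomaly detector for a host IDS (added example).

All resource names and latency values below are constructed sample data.
"""
from statistics import median

MAD_SCALE = 0.6745  # scales MAD so the score is comparable to a z-score for normal data

# Constructed baseline: latency samples (microseconds) per resource on a clean host.
BASELINE_US = {
    "open:/etc/passwd": [100, 102, 98, 101, 99, 103, 100, 97, 101, 100],
    "stat:/bin/ls": [40, 41, 40, 39, 40, 40, 41, 40, 40, 40],  # MAD is zero here
}

# Constructed later observations on the same host.
OBSERVATIONS_US = [
    ("open:/etc/passwd", 101),   # normal
    ("open:/etc/passwd", 180),   # far outside the profile
    ("stat:/bin/ls", 41),        # within the baseline range, must not be flagged
    ("stat:/bin/ls", 55),        # outside the baseline range
    ("read:/dev/random", 500),   # never profiled
]


def build_profile(samples):
    """Map each resource to its median, MAD and observed [lo, hi] range."""
    profile = {}
    for resource, values in samples.items():
        values = list(values)
        if not values:
            raise ValueError(f"no baseline samples for {resource}")
        med = median(values)
        mad = median(abs(v - med) for v in values)
        profile[resource] = {"median": med, "mad": mad, "lo": min(values), "hi": max(values)}
    return profile


def robust_z(value, med, mad):
    """Robust z-score; callers handle mad == 0 separately."""
    return MAD_SCALE * (value - med) / mad


def flag_anomalies(profile, observations, threshold=3.5):
    """Return (resource, latency, reason) for every observation outside its profile.

    reason is 'unprofiled', 'slow' or 'fast'.
    """
    flagged = []
    for resource, latency in observations:
        stats = profile.get(resource)
        if stats is None:
            flagged.append((resource, latency, "unprofiled"))
            continue
        if stats["mad"] == 0:
            # Degenerate baseline: any deviation would score as infinite, so use the
            # observed range instead and tolerate values seen during profiling.
            if latency > stats["hi"]:
                flagged.append((resource, latency, "slow"))
            elif latency < stats["lo"]:
                flagged.append((resource, latency, "fast"))
            continue
        z = robust_z(latency, stats["median"], stats["mad"])
        if z > threshold:
            flagged.append((resource, latency, "slow"))
        elif z < -threshold:
            flagged.append((resource, latency, "fast"))
    return flagged


if __name__ == "__main__":
    for item in flag_anomalies(build_profile(BASELINE_US), OBSERVATIONS_US):
        print(item)
```

The baseline has to be re-learned after legitimate changes (a kernel update, a new filesystem driver, different load), which is the usual cost of any timing-based detector; a single "slow" hit is a prompt to look closer with the file-comparison approach, not a verdict on its own.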