Methodology for Anti-Rootkits Test of Malware Detection and Removal (March 2007)

For the purposes of testing, the expert group selected nine malicious programs based on the following criteria:

  1. The malicious program must conceal its presence in the system using rootkit technology.
  2. The selected samples must each use a different method of concealing their presence in the system.
  3. Taken together, the samples should cover, as far as possible, the range of techniques used by virus writers to conceal malicious programs in the system.
  4. All selected malicious programs must be in-the-wild samples, i.e., collected while they were spreading over the Internet.

All samples used in the test are sufficiently common in the wild, were encountered repeatedly while disinfecting users' computers, and users invariably had problems detecting and removing them.

The following malicious programs were selected for testing purposes (the Kaspersky Lab classification is used here; alternative names used by other vendors can be found in the complete testing report):

  1. Backdoor.Win32.Haxdoor.fd
  3. Monitor.Win32.EliteKeylogger.21
  4. Monitor.Win32.SpyLantern.530
  8. Trojan.Win32.DNSChanger.ih

Until the publication of the test results, the list of malicious programs was kept secret and was not disclosed to any of the vendors whose anti-rootkit products were tested.

The analysis was conducted on a specially prepared workstation running VMware Workstation 5.5.3. A "clean" virtual machine running Microsoft Windows XP Service Pack 2 was cloned for each malicious program sample.

The following anti-rootkit programs participated in the testing:

  1. Antivir Rootkit Beta 3
  2. AVG Antirootkit Beta
  3. AVZ 4.23 *
  4. BitDefender Antirootkit Beta 2
  5. F-Secure BlackLight 2.2.1055 Beta
  6. Gmer
  7. McAfee Rootkit Detective Beta
  8. Rootkit Unhooker
  9. Sophos Anti-Rootkit 1.2.2
  10. Trend Micro RootkitBuster Beta
  11. UnHackMe 4.0

* AVZ is not a fully functional anti-rootkit program; it is a utility that performs a comprehensive analysis of the system.

A requirement for every anti-rootkit solution tested was that it should not only detect rootkits but also remove them (delete or rename files, delete or rename registry keys and values).

Testing steps:

  1. The virtual machine was infected (the malicious program was activated).
  2. It was verified that the malicious program had installed successfully and was active.
  3. The infected system was rebooted several times.
  4. The anti-rootkit program under test was installed (launched) and used to attempt to disinfect the system.
  5. The remaining files and autostart registry keys were analysed.

A separate clean virtual machine was used for each selected malicious program sample (step 1). After the anti-rootkit program had been launched (installed) and the disinfection performed, the virtual machine was restored to the state it was in after step 3, i.e., the infected, rebooted state before any anti-rootkit program had run.
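Step 5 of the procedure is a differential comparison: the artifacts the malware introduced (files and autostart registry entries that differ from the clean clone) are checked against the state of the machine after the anti-rootkit program has run, and each one is reported as removed, renamed or still present. The script below is an added example of that comparison and is not part of the original report or of any product tested. It assumes three inventories of the same virtual machine, taken from the host side (for example by mounting the VM disk), so that files the rootkit hides from the guest are still listed; the paths, hashes and registry values embedded in it are constructed for illustration and are not those of the samples in the test.

```python
"""Differential analysis of a disinfection attempt (step 5 of the procedure).

Three inventories of the same VM are compared:
  baseline  - the clean clone, before infection (step 1)
  infected  - after activation and the reboots (step 3)
  after     - after the anti-rootkit program has run (step 4)
Files are inventoried as {path: sha256}; autostart entries as
{(registry key, value name): value data}.
"""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Inventory:
    files: dict       # path -> sha256 hex digest
    autostart: dict   # (registry key, value name) -> value data


@dataclass
class Verdict:
    files_removed: list = field(default_factory=list)
    files_renamed: dict = field(default_factory=dict)   # old path -> new path
    files_remaining: list = field(default_factory=list)
    autostart_removed: list = field(default_factory=list)
    autostart_remaining: list = field(default_factory=list)

    @property
    def clean(self):
        """True only if nothing the malware introduced survived disinfection."""
        return not self.files_remaining and not self.autostart_remaining


def snapshot_files(root):
    """Inventory a directory tree as {relative path: sha256}.

    Intended to run against the VM's disk from the host, so that a rootkit
    hiding files from the guest cannot hide them from the inventory."""
    inv = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            inv[os.path.relpath(full, root)] = digest.hexdigest()
    return inv


def analyse(baseline, infected, after):
    """Classify every artifact introduced by the infection."""
    v = Verdict()
    # What the infection added or changed relative to the clean clone.
    new_files = {p: h for p, h in infected.files.items() if baseline.files.get(p) != h}
    new_auto = {k: d for k, d in infected.autostart.items() if baseline.autostart.get(k) != d}
    # Files present after disinfection that were not in the baseline:
    # candidates for a malware file that was renamed rather than deleted.
    after_extra = {p: h for p, h in after.files.items() if baseline.files.get(p) != h}
    for path, digest in new_files.items():
        if after.files.get(path) == digest:
            v.files_remaining.append(path)
            continue
        renamed = [p for p, h in after_extra.items() if h == digest and p != path]
        if renamed:
            v.files_renamed[path] = renamed[0]
        else:
            v.files_removed.append(path)
    for key, data in new_auto.items():
        if after.autostart.get(key) == data:
            v.autostart_remaining.append(key)
        else:
            v.autostart_removed.append(key)
    return v


def _h(content):
    return hashlib.sha256(content).hexdigest()


# Constructed inventories (illustrative names, not those of the test samples).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SVC_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\example"
BASELINE = Inventory(
    files={r"WINDOWS\system32\ntoskrnl.exe": _h(b"kernel"),
           r"WINDOWS\system32\drivers\ntfs.sys": _h(b"ntfs")},
    autostart={(RUN_KEY, "ctfmon"): r"C:\WINDOWS\system32\ctfmon.exe"},
)
INFECTED = Inventory(
    files={**BASELINE.files,
           r"WINDOWS\system32\drivers\example.sys": _h(b"rootkit driver"),
           r"WINDOWS\system32\example.dll": _h(b"user-mode component")},
    autostart={**BASELINE.autostart,
               (RUN_KEY, "example"): r"rundll32 example.dll,Start",
               (SVC_KEY, "ImagePath"): r"system32\drivers\example.sys"},
)
# The tool renamed the driver, deleted the DLL and the Run value,
# but left the service entry that still points at the (renamed) driver.
AFTER = Inventory(
    files={**BASELINE.files,
           r"WINDOWS\system32\drivers\example.sys.bak": _h(b"rootkit driver")},
    autostart={**BASELINE.autostart,
               (SVC_KEY, "ImagePath"): r"system32\drivers\example.sys"},
)

if __name__ == "__main__":
    verdict = analyse(BASELINE, INFECTED, AFTER)
    print("clean:", verdict.clean)
    print(verdict)
```

Matching renamed files by hash rather than by name is what makes the "renaming" form of removal visible; a dangling service or Run entry that survives is reported separately because it is exactly the kind of remnant that re-activates the driver if the file is restored.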