Anti-Rootkit Test for Malware Detection and Removal (March 2007)


Table of Contents:

- Introduction
- Test Results and Awards


Introduction

Rootkit technologies have become increasingly popular with virus writers. The reason for this is obvious: they conceal malicious programs and their components from PC users and antivirus programs. The source code for some rootkits can be found on the Internet, inevitably resulting in the use of rootkit technology in various Trojans and spy programs (spyware / adware, keyloggers, etc.).

A large number of dedicated software products (anti-rootkit solutions) are designed to detect and remove such malicious programs.

The purpose of this test is to analyze the ability of the most popular anti-rootkit products to detect and remove malicious programs that are actively distributed over the Internet ("in the wild" samples) and that take advantage of rootkit technology.

Anti-rootkit software is usually tested against test or proof-of-concept rootkits; testing against widespread in-the-wild samples is what provides the most useful information about how a product performs on real infections.

Methodology for Anti-Rootkit Test for Detection and Removal »
Awards Guide for Rootkits Detection and Removal Test »

The following 11 dedicated products for the detection and removal of programs that conceal their presence in the system (rootkits) were tested:

  1. Antivir Rootkit 1.0.1.12 Beta 3
  2. AVG Antirootkit 1.1.0.29 Beta
  3. Trend Micro RootkitBuster 1.6.0.1055 Beta
  4. McAfee Rootkit Detective 1.0.0.41 Beta
  5. Rootkit Unhooker 3.20.130.388
  6. F-Secure BlackLight 2.2.1055 Beta
  7. Sophos Anti-Rootkit 1.2.2
  8. AVZ 4.23
  9. Gmer 1.0.12.12027
  10. Bitdefender Antirootkit 1.2.0.0 Beta2
  11. UnHackMe 4.0


The anti-rootkit products were tested on the following malicious programs selected according to the criteria described above:

  1. Backdoor.Win32.Haxdoor.fd
  2. Backdoor.Win32.Padodor.ax
  3. Monitor.Win32.EliteKeylogger.21
  4. Monitor.Win32.SpyLantern.530
  5. Trojan-Clicker.Win32.Costrat.af
  6. Trojan-Proxy.Win32.Agent.lb
  7. Trojan-Spy.Win32.Goldun.np
  8. Trojan.Win32.DNSChanger.ih
  9. Worm.Win32.Feebs.gt

The names of the malicious programs used in this report are based on the Kaspersky Lab classification; alternative names used by other vendors can be found in the detailed testing report.

Testing of the ability of anti-rootkit programs to detect and remove malicious programs was conducted strictly in accordance with the methodology described above.


Test Results and Awards


Table 1: Results of testing for malicious program detection and removal by anti-rootkit solutions (9 samples per product; each row sums to 9)

                                           Successfully detected and removed
Anti-rootkit solution                      Completely   Traces of infection   Rootkit not detected
                                           removed      remaining*            or removal failed
Antivir Rootkit 1.0.1.12 Beta3             7            2                     0
AVG Antirootkit 1.1.0.29 Beta              6            3                     0
AVZ 4.23 **                                4            4                     1
Bitdefender Antirootkit 1.2.0.0 Beta2      1            5                     3
F-Secure BlackLight 2.2.1055 Beta          6            2                     1
Gmer 1.0.12.12027                          1            5                     3
McAfee Rootkit Detective 1.0.0.41 Beta     7            1                     1
Rootkit Unhooker 3.20.130.388              7            1                     1
Sophos Anti-Rootkit 1.2.2                  6            2                     1
Trend Micro RootkitBuster 1.6.0.1055 Beta  5            4                     0
UnHackMe 4.0                               0            2                     7


Table 2: Summary of anti-rootkit testing results (score = samples successfully detected and removed, with or without remaining traces, out of 9)

Award         Score        Products
Excellent     9 out of 9   Antivir Rootkit 1.0 Beta 3
                           AVG Antirootkit 1.1 Beta
                           Trend Micro RootkitBuster 1.6 Beta
Good          8 out of 9   McAfee Rootkit Detective 1.0 Beta
                           Rootkit Unhooker 3.2
                           F-Secure BlackLight 2.2 Beta
                           Sophos Anti-Rootkit 1.2
                           AVZ 4.23
Poor results  6 out of 9   Gmer 1.0
              6 out of 9   Bitdefender Antirootkit 1.2 Beta2
              2 out of 9   UnHackMe 4.0


Table 3: Summary of anti-rootkit testing results (released products only)

Award         Score        Products
Good          8 out of 9   Rootkit Unhooker 3.2
                           Sophos Anti-Rootkit 1.2
                           AVZ 4.23
Poor results  6 out of 9   Gmer 1.0
              2 out of 9   UnHackMe 4.0


Almost all of the anti-rootkit solutions tested, with the exception of Gmer, Bitdefender Antirootkit and UnHackMe, demonstrated excellent or good results and can be successfully used to detect and remove malicious programs that use rootkit technologies to conceal their presence in the system.

It should be noted that some anti-rootkit solutions had problems removing (or renaming) the files they detected and protecting their own processes. The principal reason is that, in addition to rootkit technologies, virus writers use other methods to protect their malicious programs. For example, Worm.Win32.Feebs.gt creates a hidden process that serves as bait: when an anti-rootkit solution attempts to open that process, the worm terminates the anti-rootkit program's process. Another widely used method is to keep the malicious program's files open in a mode that denies other processes access to them, so that the files cannot be deleted or renamed while the malware is running.
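The locked-file trick is the simplest of these self-protection methods to reproduce, and it accounts for the case where a scanner can see a file but reports that removal failed. The PowerShell script below is an added example, not part of this test and not code from any product tested: it first shows that an ordinary delete fails while another handle holds the file open with sharing denied, then falls back to what removal tools do in that situation, registering the file for deletion at the next reboot through the documented Win32 MoveFileEx call with the MOVEFILE_DELAY_UNTIL_REBOOT flag (this writes the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and therefore needs an elevated session). The temporary file, the simulated lock holder and the function name Remove-FileOrScheduleAtReboot are all constructed for the illustration.

```powershell
# Added example (not from the test or any tested product): a file held open
# with FileShare.None cannot be deleted or renamed; queue it for deletion at
# the next boot instead. Requires Windows and an elevated PowerShell session.

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # documented flag value for MoveFileEx

function Remove-FileOrScheduleAtReboot {
    param([Parameter(Mandatory)][string]$Path)

    # Try an immediate delete first; this is what a scanner's "remove"
    # action does, and it is exactly what fails against a held-open file.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return 'removed'
    } catch {
        Write-Warning ("Immediate delete failed: " + $_.Exception.Message)
    }

    # Fallback: a null destination together with MOVEFILE_DELAY_UNTIL_REBOOT
    # tells the session manager to delete the file early in the next boot,
    # before the process that holds the lock has a chance to start again.
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed (Win32 error $err); is the session elevated?"
    }
    return 'scheduled-at-reboot'
}

# --- Demonstration with a constructed placeholder file and lock holder ---
$target = Join-Path $env:TEMP 'constructed_sample.dll'
Set-Content -LiteralPath $target -Value 'placeholder file, not malware'

# Simulate the self-protection: hold the file open with all sharing denied,
# the same mode a running malicious program would use on its own files.
$lock = [System.IO.File]::Open($target, 'Open', 'Read', 'None')
try {
    'Result while locked: ' + (Remove-FileOrScheduleAtReboot -Path $target)
} finally {
    $lock.Dispose()
}

# The queued delete shows up here as a "\??\" path followed by an empty entry.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations

# Once the lock is gone the same function deletes the file immediately.
'Result after unlock: ' + (Remove-FileOrScheduleAtReboot -Path $target)
```

Two caveats apply to the fallback. The pending operation is only honoured if nothing rewrites the registry value before the reboot, so a malicious program that runs with administrative rights can simply strip its own entry; and the queued delete runs before most services start but after the boot-start drivers, which is why a kernel-mode rootkit that loads as a boot driver can still protect its files at that point. In the demonstration above, the entry left behind after the file has already been deleted fails harmlessly at the next boot.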

The three best products based on the test results were Antivir Rootkit, AVG Antirootkit and Trend Micro RootkitBuster. All three products are currently in beta testing. Among those products which have already been commercially released, the best results were achieved by Rootkit Unhooker, Sophos Anti-Rootkit and AVZ.

For detailed test results, including information on the removal of specific viruses, and to verify the calculations used to determine the test results, please download the complete results in Microsoft Excel format.

Attachment: test_antirootkits_en.xls (48 KB)