Testing methodology used in the analysis of anti-rootkit software for the detection and removal of malicious programs.

This analysis was conducted on a specially prepared workstation running under VMware Workstation version 5.5.3. A “clean” virtual machine running under Microsoft Windows XP Service Pack 2 was cloned for each malicious program sample.

The following anti-rootkit programs participated in the testing:

1. Antivir Rootkit 1.0.1.12 Beta 3
2.  AVG Antirootkit 1.1.0.29 Beta
3. AVZ 4.23 *
4. BitDefender Antirootkit Beta 2
5. F-Secure BlackLight 2.2.1055 Beta
6. Gmer 1.0.12.12027
7. McAfee Rootkit Detective 1.0.0.41 Beta
8. Rootkit Unhooker 3.20.130.388
9. Sophos Anti-Rootkit 1.2.2
10. Trend Micro RootkitBuster 1.6.0.1055 Beta
11. UnHackMe 4.0

* AVZ is not a fully functional anti-rootkit program; it is a utility that performs a comprehensive analysis of the system.

A requirement for all anti-rootkit solutions tested was that their functionality should include not only the detection of rootkits, but also their removal (deletion / renaming of files, deletion / renaming of registry keys / sections).

Testing steps:

1. The virtual machine was infected (activation of the malicious program).
2. Verification that the virus has been successfully installed and is active.
3. The infected system was rebooted multiple times.
4. Installation (launching) of the anti-rootkit program to be tested and to attempt to disinfect the system.
5. Analysis of the remaining files and autostart registry keys.

A dedicated clean virtual machine was used for each selected malicious program sample (step 1). After launching (installing) the anti-rootkit program and performing the disinfection, the virtual machine was restored to its initial state after step 3.