Anti-Rootkit Test for Malware Detection and Removal (December 2007)

Table of Contents:

- Introduction
- Test Results and Awards

Introduction

It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is obvious – they make it possible to hide malicious programs and their components from PC users and antivirus programs. Numerous source codes for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various Trojans or spy programs (spyware/adware, keyloggers, etc.)

There are numerous specialized anti-rootkit products available for the detection and removal of these types of malicious programs. Furthermore, many antivirus developers state that their products include a function to detect active rootkits. 

The aim of this test is to evaluate the ability of the most popular antivirus and anti-rootkit products to detect and remove malicious programs (‘in-the-wild’ samples) that use rootkit technologies and actively circulate over the Internet, as well as checking proactive detection capabilities to detect proof-of-concept rootkits hidden on a system.

It should be noted that although testing of in-the-wild malware samples is of real practical use, there is also a great deal of research value in ascertaining the capabilities of proactive detection when combating the hidden threat of rootkits.

• Methodology of Anti-Rootkits Test for Malware Detection and Removal Â»
• Awards Guide for Rootkits Detection and Removal Test» 

It has become increasingly popular for virus writers to make use of rootkit technologies. The reason for this is obvious – they make it possible to hide malicious programs and their components from PC users and antivirus programs. Numerous source codes for ready-made rootkits can be found on the Internet, which inevitably leads to their widespread use in various Trojans or spy programs (spyware/adware, keyloggers, etc.)

A rootkit is a program for concealing any trace of malware on a system. The use of rootkit technologies allows a malicious program to hide its activities on the victim’s computer by masking files and processes, as well as its presence on a system.

There are numerous specialized anti-rootkit software products available for the detection and removal of these types of malicious programs. Furthermore, many antivirus developers state that their products include a function to detect active rootkits. 

The aim of this test is to evaluate the ability of the most popular antivirus and anti-rootkit products to detect and delete malicious programs using rootkit technologies that are widespread throughout the Internet (in the wild). In addition, the test evaluated the ability of proactive detection to detect programs concealing their presence on a system. This was achieved using proof-of-concept rootkits that make use of different methods to conceal themselves.  

The use of common in-the-wild malware samples during testing gives an idea of how well the software solutions deal with known rootkits; proof-of-concept testing shows how capable they are at detecting unknown rootkits.  

Eight antivirus programs and 8 specialized anti-rootkit products, selected in line with the methodology, participated in the test.

Antivirus programs tested:

1. BitDefender Antivirus 2008
2. Dr.Web 4.44
3. F-Secure Anti-Virus 2008
4. Kaspersky Anti-Virus 7.0
5. McAfee VirusScan Plus 200
6. ESET NOD32 Anti-Virus 3.0
7. Symantec Anti-Virus 2008
8. Trend Micro Antivirus plus Antispyware 2008

Anti-rootkit programs tested:

1. AVG Anti-Rootkit 1.1
2. Avira Rootkit Detection 1.00.01.1
3. GMER 1.0.13
4. McAfee Rootkit Detective 1.1
5. Panda AntiRootkit 1.0
6. RkU 3.7
7. Sophos Anti-Rootkit 1.3
8. Trend Micro RootkitBuster 1.6

The test was conducted using six malicious programs, each of which used its own concealment method on a system, and four proof-of-concept rootkits. The sample collection was created in accordance with the specified requirements, the most important of which was that all the methods of concealment on a system had to be included.

Malicious programs used in the test:

1. Trojan-Spy.Win32.Goldun.hn
2. Trojan-Proxy.Win32.Wopla.ag
3. SpamTool.Win32.Mailbot.bd
4. Monitor.Win32.EliteKeylogger.21
5. Rootkit.Win32.Agent.ea
6. Rootkit.Win32.Podnuha.a

Proof-of-concept rootkits used in the test:

1. Unreal A (v1.0.1.0)
2. RkDemo v1.2
3. FuTo
4. HideToolz

Testing was performed on a Windows XP SP2 operating system from 15 October to 10 December 2007 strictly in line with the specified methodology to evaluate the ability of the antivirus and anti-rootkit programs to detect malware with hidden rootkits and proof-of-concept rootkits. 

Test Results and Awards

The results in tables 1-2 show how the antivirus and anti-rootkit programs fared when detecting malicious programs that contained rootkit technologies.

According to the award scheme, 1 point (+/+) was scored if a rootkit was successfully detected on the system (file, process or function hook) and deleted.

0.5 points (+/-) were scored if a rootkit was successfully detected on the system, but couldn’t be deleted.

And finally, if a rootkit was not detected on the system (-/-), no points were scored.

Table 1: Test results for the detection and removal of malware with rootkit technologies by antivirus/anti-rootkit software (part 1)

Table 2: Test results for the detection and removal of malware with rootkit technologies by antivirus/anti-rootkit software (part 2)

Among the antivirus programs the best performers were Dr.Web, Kaspersky Anti-Virus and Symantec Anti-Virus, who scored between 4 and 5 points out of a possible total of 6.

As for the specialized anti-rootkit products, almost all of them were highly effective apart from McAfee Rootkit Detective. Rootkit Unhooker and GMER in particular deserve a mention; with their scores of 5.5 they came out on top of our test for detecting malicious programs with rootkit technologies.

The results in table 3 show how the antivirus and anti-rootkit programs fared when using proactive detection to detect proof-of-concept rootkits. Due to the fact that concept rootkits do not represent a threat to users, only the ability to detect them was scored (0.5 points for each successful detection). 

Table 3: Test results for the detection of proof-of-concept rootkits by antivirus/anti-rootkit software

The results for the proof-of-concept rootkit samples demonstrate that Kaspersky Anti-Virus and F-Secure Anti-Virus were the only antivirus products to pass the proactive detection test.

The specialized anti-rootkit products were all capable, to a greater or lesser extent, of proactive detection of rootkits. Kaspersky Anti-Virus and Rootkit Unhooker proved to be best in this area of the test, with both products detecting all the proof-of-concept rootkits.

The final results of all the products that took part in the test and the awards they received are shown in table 4.

Table 4: Test results for antivirus/anti-rootkit products

Antivirus/anti-rootkit	Award	Total points
		Malicious programs (6 max)	Proof-of-concept rootkits (2 max)	Total (max 8)
Rootkit Unhooker 3.7.300	Gold Anti-Rootkit Protection Award	5.5	2	7.5
GMER 1.0.13		5.5	1.5	7
Kaspersky Anti-Virus 7.0		4.5	2	6.5
Avira Rootkit Detection 1.0		5	1.5	6.5
AVG Anti-Rootkit 1.1	Silver Anti-Rootkit Protection Award	4	1.5	5.5
Panda AntiRootkit 1.08		4	1.5	5.5
Sophos Anti-Rootkit 1.3.1		4.5	1	5.5
Dr.Web 4.44		5	0	5
TrendMicro RootkitBuster 1.6		4	1	5
Symantec Anti-Virus 2008	Bronze Anti-Rootkit Protection Award	4	0.5	4.5
F-Secure Anti-Virus 2008		2.5	1.5	4
McAfee Rootkit Detective 1.1		3	0.5	3.5
BitDefender Antivirus 2008	Failed	3	0	3
McAfee VirusScan Plus 2008		1.5	0	1.5
ESET NOD32 Anti-Virus 3.0		1	0	1
Trend Micro Antivirus plus Antispyware 2008		1	0	1

The results show that the products that specialize specifically in combating rootkits were on the whole more effective than antivirus products. Of the antivirus products only Kaspersky Anti-Virus, Dr.Web, Symantec Anti-Virus and F-Secure Anti-Virus achieved good results (see table 5).

The only antivirus product to win the highest Gold Anti-Rootkit Protection Award was Kaspersky Anti-Virus, which scored 6.5 out of a possible 8. The antivirus product Dr.Web received the Silver Anti-Rootkit Protection Award.

Symantec Anti-Virus and F-Secure Anti-Virus both earned the Bronze Anti-Rootkit Protection Award, but the other antivirus products (BitDefender Antivirus, McAfee VirusScan Plus, ESET NOD32 Anti-Virus and Trend Micro Antivirus plus Antispyware) failed to pass the test. 

Table 5: Test results for antivirus products

As far as the specialized anti-rootkit products were concerned, the best performer was Rootkit Unhooker, which also achieved the best test result overall, scoring 7.5 out of a possible 8 and receiving the Gold Anti-Rootkit Protection Award (see table 6). GMER (just 0.5 points behind the winner) and Avira Rootkit Detection (6.5 points out of 8) also received the top award.

AVG Anti-Rootkit, Panda AntiRootkit, Sophos Anti-Rootkit and Trend Micro RootkitBuster all received the Silver Anti-Rootkit Protection Award. The first three from that group – AVG, Panda and Sophos – all scored 5.5 out of 8, while TrendMicro scored 5.

The last award winner was McAfee Rootkit Detective with a score of 3.5, earning the Bronze Anti-Rootkit Protection Award.

All the specialized anti-rootkit products fared well in the test, fulfilling their specified functions. None of the anti-rootkit products failed the test.   

Table 6: Test results for Anti-rootkit products

To view the test results for each product in more detail, you can download the results in Microsoft Excel format.