Search Quality & Cyber-Intelligence Lab (SQ-CIL)

Strider GhostBuster Rootkit Detection

Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff" between "the truth" and "the lie". It is not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits and turns the hiding behavior into its own detection mechanism. There are three versions of Strider GhostBuster:

  1. WinPE GhostBuster:
  2. Inside-the-box GhostBuster
    • It detects hidden files by comparing a Win32 API scan with Master File Table parsing, detects hidden Registry entries by comparing a Win32 API scan with direct Registry hive file parsing, and detects hidden processes by comparing a Win32 API scan with direct traversals of the active process list and other kernel data structures.
    • See our December 2004 submission to DSN'05 "Detecting Stealth Software with Strider GhostBuster" for more details.

  3. User-Mode GhostBuster


  • SysInternals RootkitRevealer, released on February 22, 2005, implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
  • Simple steps you can take to detect some of today's ghostware:
    1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
    2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
    3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
    4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.
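The cross-view diff in the steps above, done in code rather than in WinDiff: the listing from the clean CD is "the truth" and the listing from inside the suspect OS is "the lie", so a path present outside but absent inside is a file-hiding candidate. This is an added example, not GhostBuster's or Microsoft's code; the two listings, the `hidden_example` names and the `VOLATILE` allow-list are constructed assumptions, and it also reports the inside-only side so that files written between the two scans (a false-positive source the note above mentions) can be reviewed rather than silently dropped.

```python
"""Cross-view diff of 'dir /s /b' listings taken inside the suspect OS and
from a clean boot CD (constructed example, not GhostBuster's own code)."""
from typing import List, Set, Tuple

# Assumed allow-list of paths that legitimately differ between a live and an
# offline view; extend it to suppress known false positives.
VOLATILE = {r"c:\pagefile.sys", r"c:\hiberfil.sys"}


def parse_listing(text: str) -> Set[str]:
    """Normalise concatenated 'dir /s /b /ah' + 'dir /s /b /a-h' output.
    Windows paths are case-insensitive, so lower-case them; otherwise the
    two views would differ on case alone and flood the diff."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if line:
            paths.add(line.lower().rstrip("\\"))
    return paths


def cross_view_diff(inside: str, outside: str) -> Tuple[List[str], List[str]]:
    """Compare 'the lie' (inside view) with 'the truth' (outside view).
    hidden      = visible outside but not inside: file-hiding candidates
    inside_only = visible inside but not outside: usually files written
                  between the two scans; reported rather than discarded"""
    truth, lie = parse_listing(outside), parse_listing(inside)
    hidden = sorted(p for p in truth - lie if p not in VOLATILE)
    inside_only = sorted(p for p in lie - truth if p not in VOLATILE)
    return hidden, inside_only


# Constructed sample listings; 'hidden_example' is a placeholder name.
INSIDE_LISTING = """\
C:\\Windows\\System32\\ntoskrnl.exe
C:\\Windows\\System32\\drivers\\ACPI.sys
C:\\pagefile.sys
C:\\Windows\\Temp\\scan_inside.log
"""
OUTSIDE_LISTING = """\
C:\\WINDOWS\\system32\\NTOSKRNL.EXE
C:\\WINDOWS\\system32\\drivers\\acpi.sys
C:\\WINDOWS\\system32\\drivers\\hidden_example.sys
C:\\WINDOWS\\system32\\hidden_example.dll
"""

if __name__ == "__main__":
    h, i = cross_view_diff(INSIDE_LISTING, OUTSIDE_LISTING)
    print("Hidden inside (ghostware candidates):", h)
    print("Inside only (check for false positives):", i)
```

Feed it the real saved listings by reading the four output files and concatenating the two inside files and the two outside files before calling `cross_view_diff`.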


©2008 Microsoft Corporation. All rights reserved. Terms of Use |Trademarks |Privacy Statement