Strider GhostBuster detects API-hiding rootkits by doing a "Cross-View Diff" between "the truth" and "the lie". It's not based on a known-bad signature, and it does not rely on a known-good state. It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism. Bruce Schneier called it "Simple. Clever. Elegant."

In practice, there are three versions of Strider GhostBusters:

1. WinPE GhostBuster:
   
   • It detects hidden files and Registry entries by comparing an inside-the-box infected scan with an outside-the-box clean scan (of the same infected drive) from a WinPE CD boot.
   • See our July 2004 tech report "Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files" for a quick introduction.
   • See our December 2004 submission to DSN'05 "Detecting Stealth Software with Strider GhostBuster" for more details.
   • Read Bruce Schneier's comments on Strider GhostBuster.
   • Read Slashdot posting on Feb. 18, 2005: http://it.slashdot.org/it/05/02/18/1920244.shtml?tid=201
   • Read Slashdot posting on Feb. 23, 2005: http://it.slashdot.org/it/05/02/23/1353258.shtml?tid=172&tid=218
   • Read ComputerWorld news article
   
   
2. Inside-the-box GhostBuster
   
   • It detects hidden files by comparing a Win32 API scan with Master File Table parsing, detects hidden Registry entries by comparing a Win32 API scan with direct Registry hive file parsing, and detects hidden processes by comparing a Win32 API scan with direct traversals of the active process list and other kernel data structures.
   • See our December 2004 submission to DSN'05 "Detecting Stealth Software with Strider GhostBuster" for more details.
   
   
3. User-Mode GhostBuster
   
   • It detects hidden Registry entries and processes by comparing a Win32 API scan with an INT 2E scan.
   • See the one-page tech report "How to “Root” a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner" for a brief description of the technique. It describes how to detect user-mode hiding rootkits within a fraction of a second and, in particular, how to detect and take over Hacker Defender in 3 seconds. (See Figures 1-5 screenshots here.)
   • Fast User-Mode Rootkit Scanner for the Enterprise, in Proc. LISA, 2005.

• SysInternals RootkitRevealer, released on February 22, 2005, implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
  
  
• Simple steps you can take to detect some of today's rootkit:
  1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
  2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
  3. Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding rootkit (i.e., invisible inside, but visible from outside). See Hacker Defender hidden files revealed (highlighted) for an example.
  4. Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, Video card EEPROM, disk bad sectors, Alternate Data Streams, etc.

• Rootkit-protected Spyware
  • "Nasty new parasite discovered", search for "f0r0r"
  • "Follow up: Nasty new parasite", search for "Hacker Defender"
  
  
• Spyware turning into Ghostware
  • "CoolWebSearch (CWS) with Shield-DLL" (link now stale)

• Strider Search Ranger Spam Detection
  
• Strider URL Tracer with Typo-Patrol
  
• Strider HoneyMonkey Exploit Detection
  
• Strider Gatekeeper Spyware Management
  

Contact Us Terms of Use Trademarks Privacy Statement ©2010 Microsoft Corporation. All rights reserved.