Strider GhostBuster Rootkit Detection
Last Updated: January 28, 2010
The Strider Family:
[Flight Data Recorder]
[Patch Impact Analyzer]
See Strider at Assembling an All-Star Team of Research Talent
and Imagining What Comes Next
Strider GhostBuster detects API-hiding rootkits by doing a "Cross-View Diff"
between "the truth" and "the lie". It's not based on a known-bad signature, and
it does not rely on a known-good state.
It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism. Bruce Schneier called it "Simple. Clever. Elegant."
In practice, there are three versions of Strider GhostBusters:
- WinPE GhostBuster:
- Inside-the-box GhostBuster
- It detects hidden files by comparing a Win32 API scan with Master File Table parsing,
detects hidden Registry entries by comparing a Win32 API scan with direct Registry hive file parsing,
and detects hidden processes by comparing a Win32 API scan with direct traversals of the active process list and other kernel data structures.
- See our December 2004 submission to DSN'05
"Detecting Stealth Software with Strider GhostBuster" for more details.
- User-Mode GhostBuster
released on February 22, 2005,
implements the same hidden-file and hidden-Registry detection techniques
used in the Inside-the-box GhostBuster (which includes additional hidden-process and
hidden-module detection techniques).
- Simple steps you can take to detect some of today's rootkit:
- Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS
and save the results.
- Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive,
and save the results.
- Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding
rootkit (i.e., invisible inside, but visible from outside). See
Hacker Defender hidden files revealed (highlighted) for an example.
- Note: there will be some false positives. Also, this does not detect stealth
software that hides in BIOS, Video card EEPROM, disk bad sectors,
Alternate Data Streams, etc.
- Rootkit-protected Spyware
- Spyware turning into Ghostware
- Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, Ming-Wei Wu,
Yennun Huang, and Sy-Yen Kuo,
"Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management",
in Proc. Usenix LISA, 2004
- Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, and David Ladd,
"AskStrider: What Has Changed on My Machine Lately?",
Microsoft Research Technical Report MSR-TR-2004-03, Jan. 2004.
- Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, and Aaron Johnson,
"Strider GhostBuster: Why It\’s A Bad Idea For Stealth Software To Hide Files",
Microsoft Research Technical Report MSR-TR-2004-71, July 2004.
- Yi-Min Wang, Doug Beck, Binh Vo, Roussi Roussev, and Chad Verbowski,
"Detecting Stealth Software with Strider GhostBuster,"
Microsoft Research Technical Report MSR-TR-2005-25, February 21, 2005
(submitted to DSN-2005 on December 13, 2004).
Int. Conf. on Dependable Systems and Networks (DSN-DCCS),
- Yi-Min Wang and Doug Beck,
"How to \"Root\" a Rootkit That Supports Root Processes
Using Strider GhostBuster Enterprise Scanner,"
Microsoft Research Technical Report MSR-TR-2005-21, February 11, 2005.