McAfee sets Rootkit Detective free

On July 26, McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end-users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations.

Following in the footsteps of SiteAdvisor -- the free Web site security program acquired by McAfee in April 2006 that warns users about potentially dangerous sites and search results -- company officials said that the new tool will be offered at no charge from its Web site via download, with benefits for both end-users and its researchers.

The freeware program promises the ability to find and remove so-called rootkits -- self-cloaking malware attacks that install themselves as kernel modules or drivers and are most often used to hide other types of threats such as keyword-logging programs -- and send data about the attacks that are discovered back to McAfee.

As greater numbers of PC users have employed more sophisticated antimalware tools in recent years, hackers have rushed to adopt the rootkit model as a means for circumventing anti-virus systems and keeping their attacks hidden on people's computers.

According to the most recent estimates released by Santa Clara, Calif.-based McAfee, more than 7,325 new rootkit variants have been discovered since the beginning of 2007, a dramatic 100 percent increase over the 3,284 rootkits the company's researchers uncovered during all of 2006.

Rootkit Detective specifically promises to find hidden kernel processes and registry entries, as well as remove them when a user reboots their system. The tool also claims the ability to test the integrity of a PC's kernel memory and track any modifications that might also highlight rootkit activity.

As part of a beta program, Rootkit Detective -- which was developed within McAfee's Avert Labs -- has already been downloaded by more than 110,000 users, including businesses and consumers, company officials said.

"Dealing with rootkits will always be an arms race; the whole process is a game of challenge-and-response between the hackers and security community, and as the authors have advanced the complexity of their attacks, we need to continually update our own technologies to keep up," said Joe Telafici, vice president of operations at McAfee Avert Labs. "We started putting rootkit detectors into our products in 2006, and this is the next stage in advancing our detection technologies."

While most rootkit-fighting programs use what Telafici labeled a "tainted view" approach to finding the attacks -- that is, comparing results of system calls to the kernel to look for potential issues -- Rootkit Detector uses a variety of means to find hidden processes and registry keys that might evade such tactics, he said.

The approach is also particularly effective at helping McAfee find new rootkit variants, based on the detailed manner in which it monitors a machine's kernel and memory, according to the researcher.

Telafici goes as far as to claim that Rootkit Detector can find and remove every known rootkit reported to its researchers thus far.