Top 4 Rootkit Detectors
After the tremendously successful 2000 and 2003
security tools surveys, Insecure.Org is delighted to
release this 2006 survey. I (Fyodor) asked users
from the nmap-hackers
mailing list to share their favorite tools, and 3,243 people
responded. This allowed me to expand the list to 100 tools, and even
subdivide them into categories. This is the category page for rootkit detectors -- the full network security list is available here. Anyone in the security field
would be well advised to go over the list and investigate tools they
are unfamiliar with. I discovered several powerful new tools this
way. I also point newbies to this site whenever they write
me saying “I don't know where to start”.
Respondents were allowed to list open source or commercial tools on
any platform. Commercial tools are noted as such in the list below.
No votes for the Nmap Security
Scanner were counted because the survey was taken on a Nmap
mailing list. This audience also biases the list slightly
toward “attack” hacking tools rather than defensive ones.
Each tool is described by one ore more attributes:
 | Did not appear on the 2003 list |
 | Generally costs money. A free limited/demo/trial version may be available. |
 | Works natively on Linux |
 | Works natively on OpenBSD, FreeBSD, Solaris, and/or other UNIX variants |
 | Works natively on Apple Mac OS X |
 | Works natively on Microsoft Windows |
 | Features a command-line interface |
 | Offers a GUI (point and click) interface |
 | Source code available for inspection. |
Please send updates and suggestions (or better tool logos) to Fyodor. If your tool is featured or you think your site visitors might enjoy this list, you are welcome to use our link banners.
Here is the list, starting with the most popular:
#1
|
Sysinternals : An extensive collection of powerful windows utilities
Sysinternals provides many small windows utilities that are quite useful for low-level windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were most enamored with: - ProcessExplorer for keeping an eye on the files and directories open by any process (like LSoF on UNIX).
- PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
- Autoruns for discovering what executables are set to run during system boot up or login.
- RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
- TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).
Update: Microsoft acquired Sysinternals in July 2006, promising that “Customers will be able to continue building on Sysinternals' advanced utilities, technical information and source code”. Less than four months later, Microsoft removed most of that source code. Future product direction is uncertain.
|
#2
|
Tripwire : The grand-daddy of file integrity checkers
A file and directory integrity checker. Tripwire is a tool that aids system administrators and users in monitoring a designated set of files for any changes. Used with system files on a regular (e.g., daily) basis, Tripwire can notify system administrators of corrupted or tampered files, so damage control measures can be taken in a timely manner. An open source Linux version is freely available at Tripwire.Org. UNIX users may also want to consider AIDE, which has been designed to be a free Tripwire replacement. Or you may wish to investigate Radmind, RKHunter, or chkrootkit. Windows users may like RootkitRevealer from Sysinternals.
|
#3
|
RKHunter : An Unix Rootkit Detector
RKHunter is scanning tool that checks for signs of various pieces of nasty software on your system like rootkits, backdoors and local exploits. It runs many tests, including MD5 hash comparisons, default filenames used by rootkits, wrong file permissions for binaries, and suspicious strings in LKM and KLD modules.
|
#4
|
chkrootkit : Locally checks for signs of a rootkit
chkrootkit is a flexible, portable tool that can check for many signs of rootkit intrusion on Unix-based systems. Its features include detecting binary modification, utmp/wtmp/lastlog modifications, promiscuous interfaces, and malicious kernel modules.
|
Show All Top 100 Network Security Tools
Or view by category:
Application-Specific Scanners | Password Crackers | Encryption Tools | Disassemblers | Firewalls | Intrusion Detection Systems | Netcats | OS Detection Tools | Packet Crafting Tools | Port Scanners | Rootkit Detectors | Security-Oriented Operating Systems | Packet Sniffers | Vulnerability Exploitation Tools | Traceroute Tools | Traffic Monitoring Tools | Vulnerability Scanners | Web Vulnerability Scanners | Wireless Tools
|
Intro
