Rootkit Revealer Absorbed by Microsoft

The little software utility that uncovered the presence of Sony's stealth DRM hiding like a rootkit inside a security engineer's computer, and that triggered the chain of events that eventually led to the annulment ruling of a multi-billion-dollar merger between Sony and BMG Music, is now a Microsoft product.

Mark Russinovich's Rootkit Revealer, along with a multitude of his other Sysinternals tools, are now available for download as Microsoft products. The transfer of Russinovich's many assets from his original, independent Sysinternals blog to his new home on Microsoft TechNet is now complete, having begun last July. New documentation for Rootkit Revealer 1.7 was posted earlier this week.

Typically, a rootkit is used for malicious purposes, hiding itself within a specific location in memory, and deflecting API calls that would otherwise detect it to point to different locations. This way, programs can be executing without being reported by Windows Task Manager, and thus without an easy way for the user to terminate them.

Such programs, by the original definition of a rootkit, can make contact to a remote server through the Internet, and accept commands from that server.

Some years ago, music publisher Sony BMG installed a DRM protection mechanism on its music CDs, that was capable of installing itself on Windows users' systems when those CDs were played through CD-ROM drives. The mechanism, developed by a company called First 4 Internet, used a stealth technique inspired by rootkits to cloak itself from Task Manager and from other Windows API calls.

When Russinovich was testing his own Rootkit Revealer product on one of his systems last year, he found the First 4 Internet routine and suspected that it was malicious. Through a systematic investigation of his system that could perhaps be achieved by no other security engineer known to humankind, he turned up the culprit and reported it to his Web site.

The result was nothing less than a public unraveling of a corporation, not because it had malevolent interests but because it was simply two or three steps behind the very technology it set loose upon the world.

As Russinovich writes for Microsoft this week, version 1.7 of Rootkit Revealer no longer includes a command-line-driven form of the product, as Microsoft had discovered malware writers were targeting it by name for deletion (and, perhaps, for replacement) using malicious scripts.

Meanwhile, today marks the release of what could become Russinovich's piece de resistence: a unified observation tool with the Microsoft-sounding name Process Monitor. While it incorporates much of the functionality found in his familiar Regmon and Filemon tools, such as real-time monitoring of calls placed to the System Registry and to the file system, he describes it today as rewritten "from the ground up" as a comprehensive monitor of system activity, with a fine-granularity logging tool built in.

Like everything else Russinovich has ever distributed, there's no complex setup with Process Monitor - just unzip it and run it. On a dual-core system, easily more system events can be generated than Process Monitor can actually find the time to display, so it's constantly tens of thousands of events behind the number of events generated. Which is why you use a comprehensive filter to cut through the blinding speed at which events take place, to narrow down the list to those you may find suspicious.

If you're wondering what techniques to use for such a tool, take a look through Russinovich's newly transported blog, which contains more than six years of personal stories of tracking down the more obscure and clever malicious threads, and simply outwitting them through perseverance and vigilance.