Educause Security Discussion mailing list archives

Re: Rootkit discovery tools


From: David Taylor <ltr () ISC UPENN EDU>
Date: Tue, 27 Jun 2006 09:22:47 -0400

I don't know which tool would be the best at detecting most of the rootkits,
but there are also some manual ways to check for them if you are interested.
I use these techniques for Windows systems.

Since rootkits often hide files, registry settings and network ports from
the system, you can often check these externally to see if something shows up
from the outside that doesn't show up on the inside.

These methods may or may not be helpful to your current situation but
thought I would forward to the list in the event someone does find it
useful.

Do a netstat -nao on the local machine and then do a remote port scan with a
tool such as nmap. If something shows up in the nmap scan that doesn't show
as listening on the netstat, there is likely a rootkit.

Also, connecting to the remote system with computer manager will let you
see hidden services. Open the services on the local machine and compare to
the remote listing. This goes for the registry as well.
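The inside-versus-outside port comparison described in the message, as an added example that is not part of the original post: it parses constructed samples of `netstat -nao` output and nmap grepable (`-oG`) output for the same host and reports ports that are open from the outside but absent from the local listening view. Both samples and the host address are constructed for illustration.

```python
import re

# Constructed sample of `netstat -nao` output from the local (possibly rootkitted) host
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      10.0.0.5:51022         ESTABLISHED     1204
  UDP    0.0.0.0:123            *:*                                    1032
"""

# Constructed sample of `nmap -sS -sU -oG -` output for the same host, taken from another machine
NMAP_SAMPLE = """
# Nmap scan initiated
Host: 192.168.1.10 ()  Ports: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 4444/open/tcp//krb524///, 123/open/udp//ntp///
# Nmap done
"""


def parse_netstat(text):
    """Return {(proto, port)} for sockets the local machine admits are listening."""
    listening = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])  # handles IPv4 and [::]:port forms
        # UDP rows have no State column; TCP rows count only when LISTENING
        if proto == "udp" or parts[3] == "LISTENING":
            listening.add((proto, port))
    return listening


def parse_nmap_grepable(text):
    """Return {(proto, port)} for ports nmap reports as definitely open (not open|filtered)."""
    return {(m.group(2), int(m.group(1)))
            for m in re.finditer(r"(\d+)/open/(tcp|udp)/", text)}


def hidden_ports(netstat_text, nmap_text):
    """Ports visible from outside but missing from the inside view: rootkit suspects."""
    return sorted(parse_nmap_grepable(nmap_text) - parse_netstat(netstat_text))


if __name__ == "__main__":
    for proto, port in hidden_ports(NETSTAT_SAMPLE, NMAP_SAMPLE):
        print(f"{proto}/{port} open from outside but absent from netstat -> investigate")
```

A hit is a lead, not proof: host firewalls, port redirection and scan timing can also produce mismatches, so confirm with the service and registry comparisons the message goes on to describe.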
