What is Hypersight Rootkit Detector?
Hypersight Rootkit Detector is the world’s first Fourth-Generation rootkit detector. The product detects malicious activity in the operating system kernel. Low-level, highly privileged malicious code cannot be detected by general-purpose antivirus programs, which themselves run at a much lower privilege level. Hypersight Rootkit Detector supports Windows 2000, Windows XP, and Windows Server 2003. The current version supports Intel Core 2 and AMD-V CPUs.
Why do I need Hypersight Rootkit Detector?
You need Hypersight Rootkit Detector to protect your private information and your computer against a relatively new type of malware called rootkits. The techniques used to develop these rootkits have become sophisticated enough to make them hard or even impossible for regular antivirus programs to detect. Rootkits give malicious users the ability to intercept sensitive information such as passwords, financial and corporate information, credit card details and private data, while remaining unnoticed by the computer user.
Rootkits are a complex technology. They are often custom-built before each attack, which makes them impossible to detect with the regular signature search employed by general-purpose antivirus programs. While you may feel well protected by your regularly updated antivirus, the illusion of safety disappears the moment your credit card or bank account details appear on the Internet, your private or corporate documentation is stolen, or you receive a bill for a credit card you never applied for. That is why we highly recommend installing Hypersight Rootkit Detector right away to defend yourself against the worst-case scenario.
Presently, Hypersight Rootkit Detector is available as a pre-release preview.
Rootkits are a new generation of malware that cannot be detected by a regular system scan. Rootkits hide their presence in the operating system by hiding or locking their files, modifying process information, or even installing low-level drivers into the system kernel. Generally speaking, rootkits are extremely dangerous stealth viruses.
More information about rootkits is available at Wikipedia.
How are rootkits detected?
Hypersight Rootkit Detector employs the hardware virtualization technology implemented by Intel in its latest CPUs. Using Intel VT-x, the product runs as a hypervisor on supported Intel CPUs and encapsulates the entire operating system in a virtual machine. All sensitive events are trapped and handled by Hypersight Rootkit Detector, which allows the product to detect, intercept and notify the user about actions that are inherent to rootkit operation.
More information on rootkit detection is available in the whitepaper.
What’s the difference between an antivirus and Hypersight Rootkit Detector?
An antivirus scans the files on your computer for signatures characteristic of known or heuristically detected viruses. Unfortunately, rootkits mask their presence either by hiding their files from the scanner or by actively refusing file access when the scanner requests it.
Rootkit detectors are a specific class of antivirus programs. Hypersight Rootkit Detector is a new addition to the class.
Unfortunately, not all rootkit detectors are created equal. In order to test Hypersight Rootkit Detector on a sample of real rootkits, we performed a test. In our test, we infected a PC with Rustock.A and Unreal.A rootkits, and rebooted the PC. After rebooting we ran several rootkit detectors, rebooting the PC as necessary. The results are provided in a table.
| Rootkit detector | Detecting Rustock.A | Detecting Unreal.A |
|---|---|---|
| Rootkit Unhooker 3.31.150.420 | Detected hooks installed by the rootkit. Rootkit file name not detected. | Detected hooks installed by the rootkit. Rootkit file name not detected. |
| Panda Anti-Rootkit v1.08.00 | Detected a hidden file and a hidden registry key. Detected rootkit file name. | Rootkit not detected |
| Norton Antibot 2.02 | Rootkit not detected | Rootkit not detected |
| McAfee Rootkit Detective 1.0 | Rootkit not detected | Rootkit not detected |
| IceSword 1.22en version for 2000/xp/2003/vista | Detected hooks installed by the rootkit. Rootkit file name not detected. | Detected hooks installed by the rootkit. Rootkit file name not detected. |
| GMER 1.0.12 | Detected one of the hooks installed by the rootkit. Rootkit file name not detected. | Rootkit not detected |
| AVZ 4.25 | Rootkit not detected | Rootkit not detected |
| Hypersight RD 0.1.478 | Detected hooks installed by the rootkit. Detected attempts to modify bit CR0.WP on code modification. Detected rootkit file name. | Detected attempts to modify bit CR0.WP on code modification. Detected rootkit file name. |
As a result, only Hypersight Rootkit Detector was able to identify the files of both rootkits. This is exactly the information required to remove a rootkit from the PC; therefore, Hypersight Rootkit Detector demonstrated the best result.
Hypersight Rootkit Detector intercepts and blocks attempts by software to enter the exclusively privileged hypervisor mode. This type of activity is characteristic of rootkits that use hardware virtualization, e.g. Blue Pill or Vitriol. Hypersight Rootkit Detector also intercepts operations on the memory page tables as well as on the GDT and IDT, which in turn allows it to detect rootkits that use stealth techniques to hide themselves in the PC’s memory (e.g. Shadow Walker).
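As an added illustration of the CR0.WP interception described above (not Hypersight code, and a simplified model rather than a real VMX exit handler), the C below shows how a hypervisor-side monitor can classify a trapped MOV-to-CR0 and recognise a supervisor write into kernel code while write protection is off, which is the "code modification" reported in the comparison table. The monitor struct, the function names and the 0x80400000 kernel-code range are constructed for this example; only the CR0 bit positions are real.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* CR0 bit positions as defined in the Intel SDM. */
#define CR0_PE (1ULL << 0)
#define CR0_WP (1ULL << 16)
#define CR0_PG (1ULL << 31)

/* Verdicts this hypothetical exit handler returns for a trapped MOV-to-CR0. */
enum cr0_verdict {
    CR0_BENIGN = 0,     /* PE, PG and WP unchanged */
    CR0_WP_CLEARED,     /* write-protect off: read-only kernel pages become writable */
    CR0_WP_RESTORED,    /* write-protect turned back on */
    CR0_PAGING_TOGGLED  /* PE or PG changed after boot: not expected from a running kernel */
};
/* Monitor state: shadow copy of guest CR0 plus a constructed kernel-code range. */
struct monitor { uint64_t guest_cr0, code_base, code_size; };

/* Classify a MOV-to-CR0 exit, then commit the new value to the shadow copy. */
enum cr0_verdict handle_cr0_write(struct monitor *m, uint64_t new_cr0)
{
    uint64_t changed = m->guest_cr0 ^ new_cr0;
    enum cr0_verdict v = CR0_BENIGN;
    if (changed & (CR0_PE | CR0_PG))
        v = CR0_PAGING_TOGGLED;
    else if ((changed & CR0_WP) && !(new_cr0 & CR0_WP))
        v = CR0_WP_CLEARED;
    else if (changed & CR0_WP)
        v = CR0_WP_RESTORED;
    m->guest_cr0 = new_cr0;
    return v;
}
/* A supervisor write into kernel code while WP is clear is the "code
 * modification" the comparison table above reports for both rootkits. */
bool is_code_patch_with_wp_clear(const struct monitor *m, uint64_t addr, size_t len)
{
    bool in_code = addr >= m->code_base && addr + len <= m->code_base + m->code_size;
    return in_code && !(m->guest_cr0 & CR0_WP);
}

/* Constructed sequence (clear WP, patch code, restore WP); returns alerts raised. */
int count_alerts_in_sample(void)
{
    struct monitor m = { CR0_PE | CR0_PG | CR0_WP, 0x80400000ULL, 0x200000ULL };
    int alerts = 0;
    alerts += handle_cr0_write(&m, CR0_PE | CR0_PG) == CR0_WP_CLEARED;
    alerts += is_code_patch_with_wp_clear(&m, 0x80401000ULL, 5);
    handle_cr0_write(&m, CR0_PE | CR0_PG | CR0_WP);  /* restore: logged, not an alert */
    return alerts;  /* 2 */
}
```

A real monitor would also record which driver issued the write so the file name can be reported, as the table shows the product doing.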
ATTENTION!
Some antivirus products implement all sorts of dirty tricks, such as intercepting system calls and modifying system structures. Hypersight Rootkit Detector treats such attempts as rootkit activity. The files attempting such operations will be logged by Hypersight Rootkit Detector. Make sure to scan these files with an antivirus scanner. If these files are invisible to your antivirus scanner and don’t appear in Windows Explorer, they are most certainly rootkits.