
Rootkit Revealer

Old Version of Rootkit Revealer

Date Released: November 1, 2006
File Size: 408 KB
Publisher: Mark Russinovich
License: Freeware
Operating Systems: Microsoft Windows
Category: Internet
Versions: 1.0 – 1.7
Last Updated: January 20, 2020
RootkitRevealer is a rootkit detection tool. A rootkit is software designed to hide, or obscure, the fact that a computer system has been compromised. RootkitRevealer runs on Windows NT 4 and later. Its output lists discrepancies between two views of the registry and the file system; such discrepancies can indicate the presence of a rootkit.
RootkitRevealer was the first tool to detect Sony’s XCP rootkit. XCP (Extended Copy Protection) was a digital rights management scheme that Sony bought to protect its audio compact discs. It used the same concealment techniques that attackers use to hide unauthorized activity on a computer system, and so it became a major problem for the Sony Corporation. The public outcry over software being installed without the computer owner’s knowledge forced Sony to discontinue the system.
For a time RootkitRevealer could be run from the command line, but malware authors began targeting its scan by looking for the executable’s name, so a new approach was needed. Sysinternals, a division of Microsoft, changed the product so that the scan is performed by a randomly named copy of itself that runs as a Windows service.
The first version of RootkitRevealer came out around February 2005. It was essentially a scanner that compared the view of the file system and registry obtained at the highest level of the operating system with the view obtained at the lowest level; differences between the two views indicate that something is altering or hiding what the system reports.
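The cross-view comparison described above, as an added example that is not RootkitRevealer’s own code: it diffs a constructed high-level (API) view against a constructed low-level (raw data) view of the registry and file system and classifies each discrepancy. All paths, values and classification labels are this example’s own placeholders, not the tool’s output.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Discrepancy:
    path: str
    kind: str    # classification labels are this example's own, not the tool's
    detail: str

def cross_view_scan(api_view: dict, raw_view: dict) -> list:
    """Diff a high-level (Windows API) view against a low-level (raw data) view.
    Each view maps a registry or file path to a dict of attributes."""
    findings = []
    for path in sorted(api_view.keys() | raw_view.keys(), key=str.lower):
        in_api, in_raw = path in api_view, path in raw_view
        if in_raw and not in_api:
            # The classic sign of a rootkit filtering what the API reports.
            findings.append(Discrepancy(path, "hidden_from_api",
                "present in raw data but not reported by the Windows API"))
        elif in_api and not in_raw:
            # Usually something created or deleted between the two passes.
            findings.append(Discrepancy(path, "visible_only_to_api",
                "reported by the API but absent from raw data (likely transient)"))
        elif "\x00" in path:
            # Names containing a NUL cannot be opened through the Win32 API.
            findings.append(Discrepancy(path, "embedded_null",
                "name contains an embedded NUL character"))
        elif api_view[path] != raw_view[path]:
            a, r = api_view[path], raw_view[path]
            diffs = ", ".join(f"{k}: api={a.get(k)!r} raw={r.get(k)!r}"
                              for k in sorted(a.keys() | r.keys()) if a.get(k) != r.get(k))
            findings.append(Discrepancy(path, "data_mismatch", diffs))
    return findings

# Constructed sample views; every path and value is a placeholder, not real scan output.
API_VIEW = {
    r"HKLM\SYSTEM\CurrentControlSet\Services\Disk": {"type": "key"},
    r"HKLM\SOFTWARE\Example\Setting": {"type": "REG_SZ", "data": "enabled"},
    "HKLM\\SOFTWARE\\Example\\Odd\x00Key": {"type": "key"},
    r"C:\Windows\Temp\scan-in-progress.tmp": {"size": 12},
}
RAW_VIEW = {
    **API_VIEW,
    r"HKLM\SOFTWARE\Example\Setting": {"type": "REG_SZ", "data": "disabled"},
    r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden_svc": {"type": "key"},
    r"C:\Windows\System32\drivers\example_hidden.sys": {"size": 40960},
}
del RAW_VIEW[r"C:\Windows\Temp\scan-in-progress.tmp"]   # not present in the raw pass
```

Running `cross_view_scan(API_VIEW, RAW_VIEW)` on the constructed views yields five findings: two entries hidden from the API, one transient file seen only by the API, one embedded-NUL key name, and one value whose API data disagrees with the raw hive data.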
In June 2005 RootkitRevealer version 1.5 was released with a more sophisticated rootkit detection mechanism. In December, version 1.60 added detection of rootkits such as AFX, Vanquish, and HackerDefender.
In late 2006, version 1.70 was released. It closed the gaps that malware authors had found to evade the scans of version 1.6, and it is the version that replaced the command-line executable, whose fixed name could be targeted, with the randomly named service copy.
If you suspect that your computer has been compromised, or if it is running slowly or behaving strangely, try running RootkitRevealer on your system.