The Inquirer-Home

Virtualisation-based Windows rootkit detector available

Rootkits of all evil exposed
Wed Feb 27 2008, 01:51

WINDOWS SECURITY software vendor North Security Labs is offering free downloads of its Hypersight Rootkit Detector while it's still in final testing.

The company claims that its hardware virtualisation-based hypervisor is the first fourth-generation rootkit detector.

It supports Windows 2000, Windows XP and Windows Server 2003, but support for Windows Vista and Windows Server 2008 should be forthcoming eventually. It's also constrained to running on Intel Core 2 processors at present, but the company promises that a version designed to run on AMD processors will also be developed as the product matures.

Designed to detect malicious activities attempted at the operating system kernel level, Hypersight Rootkit Detector can detect low-level, highly privileged actions impossible for ordinary antivirus programs to guard against.

Rootkits are especially dangerous because they're often impossible to detect with a general-purpose antivirus product's system scan. They obfuscate their presence in the operating system by hiding and locking their operating files, modifying memory tables and process information, and installing low-level kernel drivers.

Hypersight Rootkit Detector's product description reads, in part, "Hypersight Rootkit Detector employs the innovative hardware virtualization technology implemented by Intel in their latest CPUs. The Intel VT-x technology works as a hypervisor on supported Intel CPUs, encapsulating the entire operating system into a virtual machine. All sensitive events are handled by Hypersight Rootkit Detector, which allows the product to detect, intercept and notify the user about actions that are inherent to rootkit operation."

North Security Labs' explanation of Hypersight Rootkit Detector operation says, "Hypersight Rootkit Detector intercepts and blocks attempts of software programs to run in an exclusively privileged hypervisor mode. This type of activity is inherent to rootkits that use hardware virtualization, e.g. Blue Pill or Vitriol. Hypersight Rootkit Detector also intercepts operations on the memory page table as well as the GDT and IDT, which in turn allows it to detect rootkits implementing stealth technologies to hide themselves in the memory of the PC (e.g. Shadow Walker)."
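To make the IDT part of that description concrete, here is an added example (not code from North Security Labs or the product) of the kind of integrity check a detector performs: it parses x86-64 IDT gate descriptors, reassembles each handler address, and flags vectors whose gate changed against a trusted baseline or now points outside the kernel's code range. The descriptor layout is Intel's; the kernel text range, the handler addresses and the selector value are constructed sample values.

```c
#include <stdint.h>
/* x86-64 interrupt gate descriptor (16 bytes) as stored in the IDT. */
typedef struct {
    uint16_t offset_low, selector;
    uint8_t  ist, type_attr;   /* type_attr: bit 7 present, bits 5-6 DPL, bits 0-3 gate type */
    uint16_t offset_mid;
    uint32_t offset_high, reserved;
} __attribute__((packed)) idt_gate_t;

/* Reassemble the 64-bit handler address split across three descriptor fields. */
static uint64_t gate_handler(const idt_gate_t *g) {
    return (uint64_t)g->offset_low | ((uint64_t)g->offset_mid << 16) |
           ((uint64_t)g->offset_high << 32);
}

/* Build a present 64-bit interrupt gate (type 0xE, DPL 0) for a handler address. */
idt_gate_t make_gate(uint64_t handler) {
    idt_gate_t g = {0};
    g.offset_low = (uint16_t)handler;  g.offset_mid = (uint16_t)(handler >> 16);
    g.offset_high = (uint32_t)(handler >> 32);
    g.selector = 0x10;  g.type_attr = 0x8E;   /* kernel CS (constructed value); present, type 0xE */
    return g;
}

/* Compare a current IDT snapshot against a trusted baseline. A vector is flagged when its
 * gate changed or a present gate points outside the kernel text range [text_start, text_end).
 * Returns the number flagged and writes up to max vector numbers to out. */
int check_idt(const idt_gate_t *baseline, const idt_gate_t *current, int n,
              uint64_t text_start, uint64_t text_end, int *out, int max) {
    int count = 0;
    for (int v = 0; v < n; v++) {
        uint64_t h = gate_handler(&current[v]);
        int changed = h != gate_handler(&baseline[v]) ||
                      current[v].type_attr != baseline[v].type_attr;
        int outside = (current[v].type_attr & 0x80) && (h < text_start || h >= text_end);
        if (changed || outside) { if (count < max) out[count] = v; count++; }
    }
    return count;
}

/* Constructed sample: four vectors, with vector 2 redirected to a non-text address.
 * Returns the number of flagged vectors; *first receives the first one, or -1. */
int sample_check(int *first) {
    const uint64_t ts = 0xffffffff81000000ULL, te = 0xffffffff82000000ULL;
    idt_gate_t base[4], cur[4];
    int out[4], n;
    for (int v = 0; v < 4; v++) base[v] = cur[v] = make_gate(ts + 0x1000 * (v + 1));
    cur[2] = make_gate(0xffffc90000001000ULL);
    n = check_idt(base, cur, 4, ts, te, out, 4);
    *first = n ? out[0] : -1;  return n;
}
```

A check like this run from inside the guest can be shown a clean view of the table by a rootkit that manipulates page tables, which is why the product described above performs its interception from the hypervisor rather than from a kernel driver.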

Hypersight Rootkit Detector will no longer be free after it's out of beta testing, but North Security Labs claims it will be well worth its as-yet unannounced price. The company says Hypersight Rootkit Detector has already outperformed similar products from other well-respected security software vendors, including Rootkit Unhooker 3.31.150.420, Panda Anti-Rootkit v1.08.00, Norton Antibot 2.02, McAfee Rootkit Detective 1.0, IceSword 1.22en version for Windows 2000 / XP / 2003 / Vista, GMER 1.0.12 and AVZ 4.25. Competitive product testing was reportedly conducted using samples of the Rustock.A and Unreal.A rootkits.

The software can be downloaded here. µ
