Home » Questions » Computers [ Ask a new question ]

Is there a way to find rootkits on 64-bit Windows 7

Is there a way to find rootkits on 64-bit Windows 7

I was at work and got a help desk call about a rather severe malware infection and it got me thinking about my own computer.

Asked by: Guest | Views: 32
Total answers/comments: 2
Guest [Entry]

I use combofix successfully on 64bit Vista regularly. In my experience, 64bit does take advantage of system operations regardless of whether or not application does. Although I wouldn't agree that vista 64 is 100% rootkit free, it is a lot harder to get rootkits on a 64bit OS. It is difficult for manufacturers of hardware to make drivers for 64bit still, I don't think we will see too many 64bit root kits for a while. And if you hate on 64bit get used to it, whether you like it or not, 4gb of ram will become obsolete. When it does 64bit will be required.
Guest [Entry]

"Is there a known/recommended way to do
a rootkit scan of 64-bit windows
system?

There's only two programs I trust for this:
ComboFix followed by RegDelNull.

I'm unsure however as to ComboFix 64bit support. But if you create a restore point before using it, you should be able to use the Recovery Console to restore it in case something goes wrong.

But I feel the need to make 2 points here:

1. 64-Bit craze
I'm yet to understand why the insistence on using 64-bit versions of your OSes. For all practical reasons, there is near 0 advantages in doing so. A 64-bit OS is only useful when 64-bit applications making use of the new processor features and address space are made mainstream. That is not the case. Very few applications are true 64-bit and those that are, are so only for compatibility reasons. For the most part these applications make no use of, neither they have a use for, any of these features. And then you get into trouble, as you are seeing now, when trying to obtain specialized software that may not run well under 64-bit.

2. Methods
There's no clear-cut way to do rootkit checking. Even combofix certainly adopts its own methodology which will allow for other or newer rootkits to pass by unscathed. That said, your tools of choice will always be the recovery console or booting into safe mode, where many of these rootkits will not be operating.

With that, a few firewall products offer system-level protection (I'm thinking Comodo, for instance) which will allow you to see system-level prompts informing of many changes that are occurring in your computer.

Furthermore, you should have UAC enabled at the highest level and be running from a non administrator account. That's what UAC was built for and there's really no excuse anymore to not run our Windows machines under a unprivileged account. No rootkit will ever bypass that which actually means you don't need to worry about searching for them.

Is it possible that my machine is LESS
likely to have a rootkit problem
BECAUSE I am running as 64-bit OS.
Wouldn't a rootkit have to run as a
64-bit process and isn't it likely
that right now that rootkits will not
be written to target 64-bit since it
is a smaller target audience? Is my
risk surface-area actually less?

Unfortunately no. As mentioned, 64-bit systems allow for 32-bit applications to run at any level. But attention! You do add a certain level of protection since rootkits there may be that may fail under a 64-bit OS, for many reasons; the same as many other 32-bit applications inexplicably or not do also tend to fail under 64-bit OSes. Rootkits are not immune to bugs. But that's about it.

That said, there's also the possibility of certain rootkits to start specifically targeting 64-bit systems. So you are really not anywhere more secure."