RootkitRevealer v1.4
In my February 21, 2005 article “Kernel Rootkits - next bad thing?” I reported that undetectable rootkits may be the next spyware/malware paradigm and that Microsoft researchers had developed a tool named “Strider Ghostbuster” that can detect them.
A day later, the good folks at Sysinternals released RootkitRevealer 1.4, which I now consider a vital weapon in my security arsenal:
RootkitRevealer is an advanced patent-pending root kit detection utility. It runs on Windows NT 4 and higher and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all persistent rootkits published at rootkit.com…
To my knowledge, Strider Ghostbuster hasn’t been released yet, but Microsoft mentions using RootkitRevealer on its rootkit research site. That site has some excellent references and tips on dealing with ghostware.
