IceSword…The Best Rootkit Defender?

Filed under Downloads, Security News, Security Programs, Windows

IceSword 1.2

Look out, people! Over the past few months people have heard more and more about rootkits. I’ve been dealing with rootkits for some time now, and after having numerous friends infected by Sony’s rootkit, I decided it’s time to help educate the prey. Now, hopefully you’re not sitting there saying, “Prey?? I use Norton Internet Security, and if you’re suggesting that a rootkit can bypass that, I have news for you!” My response would be a standard “laugh out loud” followed by blocking your IP from my website. No, seriously: regardless of your current protection, it’s not enough. Rootkits change on a regular basis to bypass antivirus software along with the popular anti-rootkit software.

I recommend using three rootkit utilities in your hunt for the invisible rootkit. I do not recommend using only one of the three, or even two of the three. I say three because if the nifty rootkit infecting your system has been updated to bypass one or two of my recommendations, you still have a third opinion. Now that I’ve explained myself and hopefully convinced you to install, update, and run these utilities on a weekly basis, we’ll move forward with testing.

Note: Click links below to download software.

Our Test Environment:
- Windows XP SP2 (fully updated)
- Sygate Personal Firewall Professional (.dll injection detection)
- Kaspersky AntiVirus Professional (script detection)
- All-Seeing Eye (best system monitoring tool around)
- Spyware and other tools not listed.

Programs under the spotlight:
- Rootkit Revealer [info] | [download]
- BlackLight [info] | [download]
- IceSword English [info] | [download]

Rootkit under oath:
Lil Rob’s album “Twelve Eighteen” released by Upstairs Records.

Results:
All three software programs detected the rootkit; however, none of them removed it. BlackLight allows you to rename the files, but the junk is still there. Rootkit Revealer lets you know where all the files are so you can manually remove the files in DOS and the registry entries using PSEXEC. Finally, my personal favorite, IceSword: this program displays a lot more information than the other two, but it’s for more advanced users. This is exactly why I recommend using ALL three for detection and IceSword for advanced removal.
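The results above rest on two ideas: Rootkit Revealer-style cross-view detection (what the Windows API reports versus what a raw scan of the same disk finds) and running three independent scanners so that one evaded tool does not hide the infection. As an added illustration, not code from this post or from any of the tools named, the Python sketch below diffs two constructed listings and merges constructed scanner verdicts; every path and tool name in it is made up.

```python
"""Cross-view diff, the detection idea behind Rootkit Revealer-style scanners.
A rootkit hooking the Windows API can filter directory and registry
enumerations, but the raw on-disk structures still hold the entries;
diffing the two views exposes what was hidden. All listings here are
constructed sample data, not output captured from any real tool.
"""


def cross_view_diff(api_view, raw_view):
    """Return (hidden, phantom): entries only the raw scan saw, and entries
    only the API saw (usually timing artifacts: files changed mid-scan)."""
    api, raw = set(api_view), set(raw_view)
    return sorted(raw - api), sorted(api - raw)


def corroborate(findings_by_tool):
    """Merge several scanners' findings into {path: sorted tool names}.

    This is the post's "third opinion": a rootkit tuned to evade one scanner
    still appears in the union, and the tool list shows which one missed it.
    """
    merged = {}
    for tool, paths in findings_by_tool.items():
        for p in paths:
            merged.setdefault(p, set()).add(tool)
    return {p: sorted(tools) for p, tools in merged.items()}


# Constructed sample: what a hooked API enumeration returned...
API_VIEW = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\Temp\scan_tmp.log",  # deleted while the scan ran
]
# ...and what a raw scan of the same directories returned (hypothetical name).
RAW_VIEW = [
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\cloaked_example.sys",
]


def demo():
    """Diff the views, then cross-check with two constructed scanner verdicts."""
    hidden, _phantom = cross_view_diff(API_VIEW, RAW_VIEW)
    verdicts = {
        "cross_view": hidden,
        "scanner_b": hidden,  # constructed: second tool agrees
        "scanner_c": [],      # constructed: third tool was evaded
    }
    return corroborate(verdicts)
```

Entries reported by only one or two tools are the ones worth a closer look, since a scanner that stays silent on a path the others flag is the bypass the post warns about.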

I’m interested to hear what others think about IceSword and your techniques for battling rootkits!

42 Comments

  1. Mange says:

The link to the English sword version is wrong; it should be: http://xfocus.net/tools/200509/IceSword_en1.12.rar

    Response from TechSec Admin:

I apologize. Updated. Thank you!

  2. x says:

    If you detect a rootkit on your system, you need to reformat and reinstall. Period.

    I find it funny that you didn’t mention this. You acknowledge that rootkit authors are always adapting and improving their software … yet you fail to realize the obvious.

If I were a rootkit author, one approach I might consider would be to purposely show some files to an anti-rootkit utility. Then, I’d hide the real rootkit files using a method the anti-rootkit software didn’t anticipate. The hapless anti-rootkit user would remove the benign files, and smile … and so would I.

    P.S. Mark Russinovich agrees with me about reformatting. And when he says it, it is not the standard “I’ll tell you to go overboard just to cover my ass” disclaimer–he means it.

    Admin Comment:
    “Reformat and reinstall period” – I agree on formatting if a rootkit is detected. However, the point of my post was to point out rootkits and use Sony’s high profile rootkit to grab a larger audience and educate users on rootkits. Until Sony’s rootkit discovery, the average ‘joe’ had no idea what a rootkit was.

  3. evencarm says:

..? Why, if you’re able to write a rootkit that can’t be detected, would you want to attract attention by installing a ‘dummy’ rootkit? Especially when the recommended ‘treatment’ is a reformat..
Makes little sense to me.

Site Admin: Reformatting is to ensure everything is cleared up and not causing any conflicts. However, if you take the proper steps in prevention, reformatting won’t be needed, for the rootkit will never make it on your system.

A rootkit that cannot be detected only lasts so long, so what Rootkit Revealer cannot detect today will be detected in a future release; Sony’s rootkit is a perfect example. The author of Rootkit Revealer didn’t detect that rootkit until he updated his program; then it detected it.

No offense, but it’s obvious why this makes little sense to you.

  4. Craig says:

I’ve downloaded this about half a dozen times and none of the files will run on my system – Win XP SP2 – I get a message ‘initialization error’.

    I even tried the older Chinese language version and … same result!

    Has this happened to anyone else?

  5. Erikalbert says:

The latest IceSword version as I write this is version 1.18. The latest English version is 1.16.

Another good anti-rootkit detector that is from China is DarkSpy. It can detect the latest versions of Futo that hide from IceSword. There’s an English version available for 1.0. Does not work on multi-CPUs. If you have hyperthreading, it needs to be turned off too.

  6. Simon says:

    Hi,
    ordinary non techie computer users will have such a hard time when it comes to rootkits.

    First of all understanding them and second of all either removing them or wiping their PC will be such a massive feat for them.

    It is even getting scarier with BIOS rootkits and also VM Rootkits Proof of concept recently…where will it all end.

    In addition to the software you mention you can find more and new scanners at http://www.antirootkit.com

    regards

    Simon

  7. Charles says:

    Mass of data and rootkit detection products of which many are free on sysinternals with many links http://www.sysinternals.com/Forum/forum_posts.asp?TID=962&PN=2

    Charles

  8. Mark says:

The latest IceSword version 1.18 is much better than 1.12. It’s my favorite tool. I think the Futo rootkit is not strong enough.

  9. Miriam Cook says:

I’ve been trying to dnld Ice Sword, but don’t have JavaScript & don’t know how to dnld it safely. Please help. I’ve read a lot about Ice Sword, which is a great app, and I want it. Miriam

  10. michael says:

Nice site. Could use more of these instead of the many trash blogs on the web.

  11. elizabeth says:

Thanks, good work!

  12. Robbie says:

    Hi Guys,
I have tried UnHackMe and IceSword. In my experience UnHackMe was useless. IceSword showed problems that UnHackMe said did not exist. I like IceSword, but we need some documentation on what to do with the information that it provides. How do you get rid of junk that it finds in the SSDT?

  13. Chris says:

    Howdy,
    Another freely available rootkit detector is Sophos Anti-Rootkit. It’s available at:
    http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html

  14. Memo says:

I tried that online Sophos thingamabobby and it crapped on my profile. I was locked out of everything. Half of my registry is inaccessible. I’ve been trying to use IceSword to clean up some of the mess. Anyone know a program that lets you change permissions of registry entries? IceSword at least lets me delete them. Thanks

  15. Martin Guy says:

Er… all this talk about rootkit detectors is very nice, but wouldn’t you gain a greater advantage from switching from Windows to an operating system that is not riddled with security holes and basically indefensible?
    These attempts are very clever, but it always seems rather self-defeating, like adding more and more layers of scaffolding to prop up a house made of paper and straw. We do have log cabins, bricks and mortar these days, if not steel and glass yet…

    M

  16. victor says:

Amazingly, this article is almost a year and a half old and I barely heard about rootkits in terms of malware, let alone all the ANTI-rootkits. Now I wonder how many more Internet security flaws and vulnerabilities there are. Always something new, it seems.

    Nationwide VPN

  17. Zodd says:

    It would be wise to be cautious with Ice sword. It’s a Chinese developed product and the root software is locked. Be careful not to become a victim by installing it and later find you are the prey!

  18. Idetrorce says:

    very interesting, but I don’t agree with you
    Idetrorce

  19. zaas says:

    Thanks bro! Real good work!

  20. as1m says:

    “It would be wise to be cautious with Ice sword. It’s a Chinese developed product and the root software is locked. Be careful not to become a victim by installing it and later find you are the prey!”

Unfortunately for you, Chinese developed software is probably the best in this business (IceSword, EQSecurity etc). I am frankly amazed how many Chinese security apps are appearing on the scene, and most are freeware.

  21. Oden says:

I have been using IceSword for some time now. I love the force delete option because, unlike everything else in the world that claims to delete locked files (Killbox etc.), IceSword actually does the job. But I recently formatted my hard drive, reinstalled Windows, and now I try to open IceSword and get the blue screen of death every time?!?!?! Any ideas?

  22. Techie says:

    I love your site and intend to visit often. Thanks

  23. Phil Q. says:

Blindly reformatting every time some sort of malware (such as a rootkit) is found is a fool’s errand. With bootable live CDs such as BartPE and Knoppix, detecting and eliminating such threats is much easier, since you can boot to a known clean OS to gain unfettered access to the target system. The malware isn’t running and can be more easily dealt with.

    I haven’t come across any BIOS rootkits but I have to agree, that’s pretty scary indeed.

    - Phil

  24. divya says:

Hi, I have a doubt. I used GMER and it detected a rootkit virus, gaopdx… something, in my computer. I am able to delete a service but am unable to delete an infected module. How do I go about this?

Should I use another anti-rootkit software?

Please help, I have no clue how to go about this.

    Many thanks

  25. Malcom says:

    Nice site! Big thanx to webmaster!

  27. Julia says:

    Pretty nice site, wants to see much more on it! :)

  28. Julia says:

    Thank you for your site. I have found here much useful information…

  29. Suzan says:

    Hi, all. Nice site…I really like your site ! Good job man.

  30. Albert says:

A fantastic site, and brilliant effort. A great piece of work.

  31. Julia says:

Found your site in Google, and it has a lot of useful information. Thanx.

  32. Alex says:

    Cool guestbook, interesting information… Keep it UP. excellent site i really like your stuff.

  33. Suzan says:

Interesting web page it is, I’ll see you later one more time.

  34. Spider says:

    Very cool design! Useful information. Go on!

  36. Jessicadini says:

    That was nice. Thank you for sharing this one.

  37. ArianaPast says:

    Wow! Thank you! I always wanted to write in my blog something like that. Can I take part of your post to my site? Of course, I will add backlink?

  38. Marly says:

You have built a good website.

  39. Albert says:

Thanks so very much for taking your time to create this very useful and informative site. I have learned a lot from your site. Thanks!!

  40. PamelaPeaT says:

Your blog is very well done; it is very useful for me..

  41. Elvis says:

    Great site. I will bookmark for my sons to view as well!!!
