Network Security Blog

From Tony Bradley, CISSP-ISSAP, for About.com

Microsoft's "GhostBuster" Can Detect Root Kits and Trojans

Tuesday February 15, 2005
Microsoft has come up with a unique and seemingly effective concept for detecting root kits, trojans and other malware that may be hiding stealthily on a computer system. According to Bruce Schneier, CTO of Counterpane and co-author of Practical Cryptography, "The user has the GhostBuster program on a CD. He sticks the CD in the drive, and from within the (possibly corrupted) OS, the checker program runs: stopping all other user programs, flushing the caches, and then doing a complete checksum of all files on the disk and a scan of any registry keys that could autostart the system, writing out the results to a file on the hard drive.

Then the user is instructed to press the reset button, the CD boots its own OS, and the scan is repeated. Any differences indicate a rootkit or other stealth software, without the need for knowing what particular rootkits are or the proper checksums for the programs installed on disk.

Simple. Clever. Elegant."

Schneier points out that this prototype is not available for public consumption and there is no promise that it ever will be. Still, it would be a huge contribution to the world of information security if Microsoft made it available or if another company released a similar tool. For more details about the Microsoft GhostBuster software and Schneier's opinion of it, see Schneier's blog site at Schneier On Security.
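
The cross-view comparison described above, as an added Python example (not Microsoft's GhostBuster code, which is not publicly available): it hashes a directory tree and diffs the view taken inside the running OS against the view taken after booting clean media. The `VOLATILE` list, the function names and the sample manifests are assumptions constructed for illustration, and the registry autostart scan is left out.

```python
import hashlib
import os

# Assumption: files that legitimately change across a reboot and would
# otherwise show up as false positives (names are illustrative).
VOLATILE = {"pagefile.sys", "hiberfil.sys"}


def scan_tree(root):
    """Return {relative_path: sha256_hex} for every readable file under root."""
    view = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable from this view; the diff will surface it
            view[os.path.relpath(full, root).replace(os.sep, "/")] = digest.hexdigest()
    return view


def cross_view_diff(inside, outside, volatile=VOLATILE):
    """Compare the in-OS view with the clean-boot view of the same disk."""
    def keep(path):
        return path.rsplit("/", 1)[-1].lower() not in volatile

    hidden = sorted(p for p in outside.keys() - inside.keys() if keep(p))
    phantom = sorted(p for p in inside.keys() - outside.keys() if keep(p))
    altered = sorted(p for p in inside.keys() & outside.keys()
                     if inside[p] != outside[p] and keep(p))
    return {"hidden": hidden, "phantom": phantom, "altered": altered}


# Constructed sample manifests with placeholder digests (not real scan output).
INSIDE_VIEW = {
    "windows/system32/kernel32.dll": "aa11",
    "windows/system32/drivers/disk.sys": "bb22",
    "pagefile.sys": "0001",
}
CLEAN_BOOT_VIEW = {
    "windows/system32/kernel32.dll": "aa11",
    "windows/system32/drivers/disk.sys": "cc33",    # content differs on disk
    "windows/system32/drivers/hidden.sys": "dd44",  # invisible from inside
    "pagefile.sys": "0002",                         # volatile, ignored
}
```

Calling `cross_view_diff(INSIDE_VIEW, CLEAN_BOOT_VIEW)` lists the driver missing from the in-OS view under `hidden` and the mismatched one under `altered`; those are the entries where the running OS gave a different answer than the clean boot.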

©2009 About.com, a part of The New York Times Company.

All rights reserved.