Thursday, November 17, 2011

Release of Hypersight Rootkit Detector

Greetings to all, we have great news. Hypersight Rootkit Detector is released. It is the first publicly available virtualization-based detector of kernel-mode rootkits for Windows NT.

A large piece of work is complete and the product is ready to ship. We would like to thank everyone who helped us with advice, criticism and testing.

Hypersight RD monitors the Windows kernel for the following malicious events:
  • Hypervisor-Like Activity. Attempts by kernel-mode code to start a hypervisor (enter virtualization root mode). This activity is blocked: no hypervisor can be started while monitoring is active.
  • Suspicious CPU Activity. Rootkits often modify control registers, most commonly clearing the write-protect bit of CR0 (CR0.WP) so that write-protected code can then be modified.
  • In-Memory Code Modifications. Modification of non-paged code in drivers, the Windows kernel and the HAL. SSDT modifications fall in this category as well, since the SSDT lives in the code section of the NT kernel. Both direct modifications (after clearing CR0.WP) and modifications through a second, writable mapping of the same pages (MmMapLockedPages) are intercepted.
  • Stealth Code. The favorite trick of rootkit writers: executing code that belongs to no loaded driver and not to the kernel image. Traditional rootkit detectors cannot find such code in the general case.

These kinds of activity are typical of rootkits. Intercepting them narrows the options available to rootkit authors. It is still possible to write an undetectable rootkit, but with Hypersight this becomes a challenging task.

Intercepted activity is reported in Hypersight's main window. A detailed description is provided for each intercepted event: CPU state, code, stack and the list of loaded kernel modules. Usually this information is enough to identify the threat.

Hypersight currently has the following requirements:
  • OS: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 (32-bit x86 only, on all systems)
  • Memory: 1GB minimum, 2GB recommended
  • Processors: Intel Core i3, i5, i7
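A pre-flight check a practitioner will want before installing a VT-x based monitor like this one: does the CPU expose VMX at all, and is some hypervisor already occupying root mode (a VM guest, or another virtualization product), which relates to the "Hypervisor-Like Activity" bullet above. The program below is an added example written for this page, not Hypersight's code. It assumes a GCC/Clang toolchain (`<cpuid.h>`) and relies on the architectural facts that CPUID leaf 1 ECX bit 5 reports VMX, ECX bit 31 is the "hypervisor present" bit, and leaf 0x40000000 returns the hypervisor vendor signature in EBX:ECX:EDX. It also decodes CR0.WP (bit 16) from a CR0 value such as the one an intercepted event's CPU state would show. One caveat: the hypervisor-present bit is cooperative, so a hypervisor-level rootkit can simply hide it; a user-mode CPUID probe is a sanity check, not a detector.

```c
/* Added example (not Hypersight code): CPUID pre-flight checks for a VT-x
 * based kernel monitor, plus a CR0.WP decoder for reported CPU state. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

#define CPUID_1_ECX_VMX        (1u << 5)   /* VMX (Intel VT-x) implemented */
#define CPUID_1_ECX_HYPERVISOR (1u << 31)  /* set by a hypervisor for its guests */
#define CPUID_HV_VENDOR_LEAF   0x40000000u /* hypervisor vendor signature leaf */
#define CR0_WP                 (1u << 16)  /* CR0 write-protect bit */

struct vt_status {
    int vmx_supported;      /* CPU implements VMX */
    int hypervisor_present; /* a hypervisor already owns root mode (if it admits it) */
    char hv_signature[13];  /* 12-byte vendor signature, "" if none */
};

/* Decode feature flags from CPUID leaf 1, ECX. Kept pure so it can be
 * exercised with captured register values on any host. */
void decode_leaf1_ecx(uint32_t ecx, struct vt_status *st) {
    st->vmx_supported = (ecx & CPUID_1_ECX_VMX) != 0;
    st->hypervisor_present = (ecx & CPUID_1_ECX_HYPERVISOR) != 0;
}

/* CPUID returns signature strings with the low byte of each register first. */
static void put_le32(char *out, uint32_t v) {
    for (int i = 0; i < 4; i++)
        out[i] = (char)((v >> (8 * i)) & 0xffu);
}

/* Assemble the vendor signature from leaf 0x40000000 EBX, ECX, EDX. */
void decode_hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_le32(out, ebx);
    put_le32(out + 4, ecx);
    put_le32(out + 8, edx);
    out[12] = '\0';
}

/* CR0.WP == 0 means supervisor code may write to read-only pages: the pattern
 * rootkits use before patching kernel code or the SSDT. */
int cr0_wp_cleared(uint64_t cr0) {
    return (cr0 & CR0_WP) == 0;
}

/* Query the running CPU. Returns 0 if CPUID is unavailable on this build target. */
int query_vt_status(struct vt_status *st) {
    memset(st, 0, sizeof *st);
#if HAVE_CPUID
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    decode_leaf1_ecx(c, st);
    if (st->hypervisor_present) {
        /* Leaf 0x40000000 is only meaningful when a hypervisor reports itself. */
        __cpuid(CPUID_HV_VENDOR_LEAF, a, b, c, d);
        decode_hv_signature(b, c, d, st->hv_signature);
    }
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    struct vt_status st;
    if (!query_vt_status(&st)) {
        puts("CPUID not available on this target");
        return 1;
    }
    printf("VMX supported:      %s\n", st.vmx_supported ? "yes" : "no");
    printf("Hypervisor present: %s%s%s\n",
           st.hypervisor_present ? "yes" : "no",
           st.hypervisor_present ? ", signature " : "",
           st.hv_signature);
    return 0;
}
```

Run it on the target machine before installing: "VMX supported: no" means the processor requirement is not met, and "Hypervisor present: yes" means root mode is already taken (typically because you are inside a VM), which is exactly the condition the monitor needs to own for itself.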

Hypersight is shareware. The evaluation period is 15 days. Each registered customer gets two years of support, which includes:
  • Consulting on events intercepted by the program
  • Free updates of the application

The program is intended for technically advanced users who want to know exactly what happens inside their computers. This knowledge helps prevent the negative consequences of targeted attacks and malware infections.