Rootkit Detection

Bruce Schneier blogged recently on Strider GhostBuster, a Microsoft Research tool that detects persistent, stealthy rootkits and other hidden malware by "cross-view diffing": it takes two scans of the same installation, one from inside the potentially infected OS while it is running, and one of the same disk taken from a separate, trusted OS (for example after booting clean media). Anything that appears in the trusted view but not in the live view is being hidden from the running system.

Michael Howard from Microsoft blogs today about RootkitRevealer from Sysinternals. (The Sysinternals folks provide the most depth I’ve seen of the Windows architecture and have some great freeware tools for understanding system interactions.) RootkitRevealer applies the same idea without a reboot. It performs two scans: a "high-level" scan through the normal Windows API, which is exactly the view a rootkit hooks and filters so that its own files and registry keys are never returned, and a "low-level" scan that reads the raw file system volume and the registry hive files directly from disk. It then reports every object present in the low-level view but missing from the API view. Two caveats a practitioner should keep in mind: a discrepancy is evidence, not proof, since files and keys created or deleted between the two passes show up as discrepancies too, and a rootkit that also intercepts the raw disk reads (or sits below the OS entirely) is outside what a single-machine comparison can see.
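The comparison itself is simple enough to show in code. The block below is an added example written for this post, not code from RootkitRevealer or from Sysinternals; it takes two constructed listings (the high-level view and the raw on-disk view of a few files and registry keys) and classifies each discrepancy. Beyond the plain "present on disk, absent via the API" case it also separates the benign race (an object modified after the scan started) from a genuine hidden object, and flags objects whose size differs between the two views. All paths, sizes and timestamps are made up for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    """One file or registry key as reported by a single scan (constructed data)."""
    path: str
    size: int     # bytes for a file, number of values for a registry key
    mtime: int    # last-write time, seconds since the epoch


def _norm(path: str) -> str:
    # NTFS and the registry are case-insensitive; compare both views on the
    # same key so a case difference alone is never reported as a discrepancy.
    return path.replace("/", "\\").lower()


def cross_view_diff(api_view, raw_view, scan_start):
    """Compare the high-level (API) view against the low-level (raw) view.

    Returns a sorted list of (verdict, path):
      hidden    on disk / in the hive but not returned by the API: the classic
                rootkit signature (a hooked directory or key enumeration
                filtering out its own objects)
      transient raw-only but modified after the scan began: most likely a race
                between the two passes, re-scan before acting on it
      mismatch  seen by both views with different sizes: the API view is being
                fed altered content
      phantom   returned by the API but absent on disk: either an object
                deleted between passes or an API-level fabrication
    """
    api = {_norm(o.path): o for o in api_view}
    raw = {_norm(o.path): o for o in raw_view}
    findings = []
    for key, obj in raw.items():
        if key not in api:
            verdict = "transient" if obj.mtime >= scan_start else "hidden"
            findings.append((verdict, obj.path))
        elif api[key].size != obj.size:
            findings.append(("mismatch", obj.path))
    for key, obj in api.items():
        if key not in raw:
            findings.append(("phantom", obj.path))
    return sorted(findings)


# Constructed sample scans. The "hidden_example" driver and service key stand in
# for whatever a rootkit is filtering; they are not real malware names.
SCAN_START = 1_700_000_000

API_VIEW = [
    Obj(r"C:\Windows\System32\ntoskrnl.exe", 10_000_000, 1_690_000_000),
    Obj(r"C:\Windows\System32\drivers\etc\hosts", 824, 1_690_000_000),
    Obj(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip", 12, 1_690_000_000),
    Obj(r"C:\Windows\Temp\scan.tmp", 4096, 1_700_000_010),   # gone before raw pass
]

RAW_VIEW = [
    Obj(r"C:\Windows\System32\ntoskrnl.exe", 10_000_000, 1_690_000_000),
    Obj(r"C:\Windows\System32\drivers\etc\hosts", 2048, 1_690_000_000),  # size differs
    Obj(r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip", 12, 1_690_000_000),
    Obj(r"C:\Windows\System32\drivers\hidden_example.sys", 65_536, 1_690_500_000),
    Obj(r"HKLM\SYSTEM\CurrentControlSet\Services\hidden_example", 6, 1_690_500_000),
    Obj(r"C:\Users\alice\AppData\Local\Temp\tmp1234.tmp", 512, 1_700_000_005),
]


def demo():
    """Run the comparison over the constructed views."""
    return cross_view_diff(API_VIEW, RAW_VIEW, SCAN_START)


if __name__ == "__main__":
    for verdict, path in demo():
        print(f"{verdict:9} {path}")
```

On the sample data the two "hidden" entries are the only ones worth an incident ticket; the "transient" temp file and the "phantom" scan file are the kind of noise a real two-pass scan on a live system produces, which is why the real tools tell you to look at what is being hidden and where before concluding anything.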

Me? I think I’ll take the blue pill. Or is it the red one?