New Tests Show Rootkits Still Evade AV

Rootkits are still a security scanner’s worst nightmare: New rootkit detection tests recently conducted by AV-Test.org found that security suites and online Web scanners detected only a little more than half of rootkits overall.

AV-Test.org, an indie security test organization based in Germany, ran two rootkit tests last month, one on Microsoft’s XP Home Edition and another on Microsoft Vista Ultimate Edition, the results of which have been published in a paper now available on the group’s Website.

The XP test used 30 active rootkits and 30 pieces of malware using rootkit technologies. Not surprisingly, anti-rootkit tools did the best, detecting about 80 percent of the rootkits overall, while the security suites found over 66 percent, and online scanners, only 53 percent. Some tools crashed or hung up after completing the rootkit scans, and those were counted as “not detected.”

Security suites did better detecting inactive rootkits than active ones -- most found all (or nearly all) 30. But detecting and cleaning up active rootkits -- which is the task that AV-Test.org considers the “real rootkit test” -- was another story.

Avira AntiVir Premium Security Suite 7.06.00.168 and BitDefender’s Internet Security Suite 2008 11.0.13 led the pack in overall detection of both inactive and active rootkits: Avira’s tool found 28 inactive rootkits and 29 active ones, and all 30 pieces of the malware hidden by rootkits. BitDefender’s tool found all 30 inactive rootkits, 28 of the active ones, and 29 pieces of malware hidden by rootkits.

But Avira struggled to remove active rootkits and malware hidden by rootkits -- it was able to clean up only seven in each case, while BitDefender achieved successful cleanups in 23 and 27, respectively. Kaspersky Internet Security Suite 7.0.0.119 fared better than most, detecting 24 active and 28 rootkit-hidden samples and cleaning up 25 of 30 inactive rootkits, 22 active ones, and 25 rootkit-hidden malware samples.

