USOO7921461B1
(12) United States Patent (10) Patent No.: US 7,921.461 B1 Golchikov et al. (45) Date of Patent: Apr. 5, 2011
(54) SYSTEMAND METHOD FOR ROOTKIT S.8. 53 A. : SS Eyrdseter . . . . . et. . . . al...... 7 1. DETECTION AND CURE 2004/O181561 A1 9, 2004 Knox et al. 2005, 0021994 A1 1/2005 Barton et al. (75) Inventors: Andrey V. Golchikov, Moscow (RU); 2005/0278788 A1 12/2005. Jindal et al. Andrey V. Sobko, Moscow (RU) 2006/0031673 A1 2/2006 Becket al...... T13, 164 2006.0053270 A1* 3, 2006 Dunn et al. . 712/13
(73) Assignee: Kaspersky Lab, ZAO, Moscow (RU) 2.99. A. : 29: RSU ca.tal. ... 2. (*) Notice: Subject to any disclaimer, the term of this 2008.0034429 A1 ck 2/2008 Schneider ...... T26/23 patent is extended or adjusted under 35 OTHER PUBLICATIONS U.S.C. 154(b) by 1115 days. Simon Baker et al. "Checking Microsoft Windows(R) Systems for (21) Appl. No.: 11/623,364 Signs of Compromise', Oct. 28, 2005, version 1.3.4, pp. 1-18.* y x- - - 9 * cited by examiner (22) Filed: Jan. 16, 2007 Primary Examiner — Farid Homayoumehr (51) Int. Cl. Assistant Examiner — Michael Guirguis ge. 5.b4. 3:08: (74) Attorney, Agent, or Firm — Bardmesser Law Group GSB 23/00 (2006.01) (57) ABSTRACT (52) U.S. Cl...... 726/23: 726/24; 726/25; 713/2 ASVstem. method and computer program product for SVStem (58) Field of Classification Search ...... 726/26, ystem, computer program pr ySt. 726/23 25: 713/2 for detecting a rootkit on a computer having an operating S lication file f let h his s system, including a native application in ring 0 which, when ee appl1cauon Ille Ior complete searcn n1Story. the operating system is in a trusted State upon a reboot of the (56) References Cited computer, after loading of the boot drivers but before loading of non-boot drivers, generates a first Snapshot for selected U.S. PATENT DOCUMENTS files of the operating system and for a registry; the first Snap 5,613.002 A 3, 1997 Keph 1 shot being stored on a persistent storage medium of the com 5.878,050 A 3, 1999 E. I. puter; a second snapshot for the selected files and for the 5.995,982. A 1/1999 Mercer registry generated by the ordinary application after the load 6,021,491 A 2/2000 Renaud ing of the non-boot drivers, generating; means for comparing 3. g R ck 3. Hanah ...... T13, 189 the second Snapshot with the first Snapshot; and upon detect C 7,631.3576,990,600 B2B1 * 12/20091/2006 RyanStringham et al...... T26/24 registrying, in branch,s E. means forE. 1nforming ofa masked a user of t possibleR rootkit 2001/0037323 A1* 11/2001 Moulton et al...... 707/1 presence on the computer. 2002fOO 10459 A1 1/2002 Whittier et al. 2002/0174349 A1 11, 2002 Wolff et al. 23 Claims, 3 Drawing Sheets
Gre)- 2
Loadboot drivers 104
Call native application, generate 108 snapshot 1 122
Cure system of end of load process, possible start the rootkit 108 of rootkit 120-N- Generate (receive?) snapshot 1 110 Generate snapshot 2
118/N Loadboot driver
112 are snapshots 1 and 2 the same? 3->
118
114 Inform user"no rootkit present"
102 U.S. Patent Apr. 5, 2011 Sheet 1 of 3 US 7,921.461 B1
LOadbOOt driverS 104
Call native application, generate 122 106 snapshot 1
Cure system of 108 End of load process, possible start the rootkit of rootkit 1201Nu- Generate (receive?) 110 Generate snapshot 2 L- Snapshot 1'
118
112 Are Snapshots 1 and 2 the Same? 9
CD ch 116
Inform user "no rootkit present"
GeoD 102 FIG. 1 U.S. Patent Apr. 5, 2011 Sheet 2 of 3 US 7,921.461 B1
ZZZ SuunS|Ou?uOO 092 ?SnOW
ZOZ U.S. Patent Apr. 5, 2011 Sheet 3 of 3 US 7,921.461 B1
?ueduuOO
US 7,921,461 B1 1. 2 SYSTEMAND METHOD FOR ROOTKT function call, and provides its own return parameters to the DETECTION AND CURE antivirus Software, but masks its own process. Also, the root kit typically hides the files in which it is stored from conven BACKGROUND OF THE INVENTION tional antivirus mechanisms that check whether files contain known virus signatures. In other words, the files where the 1. Field of the Invention rootkit is stored are never actually checked by the antivirus The present invention relates to computer systems and, software, which makes rootkits particularly difficult to detect more specifically, to a system, method and computer program and cure. product for rootkit detection. In the context of the Microsoft Windows operating system, 2. Background Art 10 a rootkit operates by intercepting the system function calls (so A rootkit is a set of software tools frequently used by a third called Windows APIs). Interception and modification of the party (usually an intruder) after gaining access to a computer lower level API functions is the mechanism that rootkits use system intended to conceal running processes, files or system to mask their presence in the system. Furthermore, rootkits data, which helps an intruder maintain access to a system can often mask the presence, in the system, of any descrip without the user's knowledge. Rootkits are known to exist for 15 tions of the rootkit in the process configuration settings, files a variety of operating systems such as Linux, Solaris and and folders, register keys, etc. Many rootkits install their own versions of Microsoft Windows. A computer with a rootkit on drivers and services into the system. The added drivers and it is referred to as a “rootkited' computer. services are also, obviously, masked. U.S. Pat. No. 7,032,114 The term “rootkit' (also written as “root kit') originally describes a method of detecting a rootkit, where an initial referred to a set of recompiled Unix tools such as “ps.” “net sample is formed, after which the current sample of operating stat.” “w” and “passwd that would carefully hide any trace of system is compared with the initial sample, in order to iden the intruder that those commands would normally display, tify the presence of a rootkit. thus allowing the intruders to maintain “root’ on the system U.S. Publication Application No. 2006/0168352 describes without the system administrator even seeing them. Now the a conventional method of disinfecting a network node, where term is not generally restricted to Unix-based operating sys 25 an initial Snapshot is formed, and a Subsequent Snapshot, tems, as tools that perform a similar set of tasks now exist for formed during the reboot process, is compared to the original non-Unix operating systems such as Microsoft Windows Snapshot. (even though Such operating systems may not have a “root U.S. Pat. No. 6,792,556 describes a conventional method account). of identifying a virus and computer recovery after being A rootkittypically hides logins, processes, threads, registry 30 infected by a virus during the boot process, where a Snapshot keys, files, and logs and may include Software to intercept of the system state is saved to a file, and then, during the boot data from terminals, network connections, and the keyboard. process, a current boot entry is generated, and a comparison Rootkits come in three different “flavors’: kernel, library of the current boot entry with the snapshot is performed. and application level kits. Kernel level Rootkits add addi Based on the comparison, in the case of virus presence, the tional code and/or replace a portion of kernel code with modi 35 system is restored from the original Snapshot. Furthermore, fied code to help hide a backdoor on a computer system. This the Snapshot can take a control sum into account. is often accomplished by adding a new code to the kernel via However, most conventional methods cannot be used to a device driver or loadable module, such as Loadable Kernel detect the presence of a rootkit, due to its very nature. Fur Modules in Linux or device drivers in Microsoft Windows. thermore, most of the conventional methods do not guarantee Library rootkits commonly patch, hook, or replace system 40 the detection of most rootkits that mask their existence, even calls with versions that hide information about the attacker. where signature comparisons are used. Application level rootkits may replace regular application Accordingly, there is a need in the art for a system and binaries with trojanized fakes, or they may modify the behav method for a more effective detection and cure of rootkit ior of existing applications using hooks, patches, injected infected computers. code, or other means. Kernel rootkits can be especially dan 45 gerous because they can be difficult to detect without appro SUMMARY OF THE INVENTION priate Software. Rootkits are usually written to the disk storage for activa The present invention relates to a detecting and curing tion after operating system restart and are hiddden from the rootkit, that substantially obviates one or more of the disad operating system during requests to the file system. "Root 50 Vantages of the conventional art. kits' are difficult to detect because they are activated before In an exemplary embodiment of the present invention, the operating system has completely booted up and often there is provided a system, method and computer program allows the installation of hidden files, processes and hidden product for system for detecting a rootkit on a computer user accounts in the systems OS. Rootkits are usually embed having an operating system, the system including a native ded in operating system processes in a filter-like manner, so 55 application in ring 0 which, when the operating system is in a that any regular detection means of the operating system trusted State upon a reboot of the computer, after loading of cannot get information related to hidden software or software the boot drivers but before loading of non-boot drivers, gen pieces. erates a first Snapshot for selected files of the operating system One of the difficulties with detecting rootkits is due to the and for a registry; the first Snapshot being stored on a persis fact that, unlike viruses, rootkits typically activate themselves 60 tent storage medium of the computer; a second Snapshot for when the operating system is loaded upon start up of the the selected files and for the registry generated by the user computer, and rootkits usually acquire system privileges. application at any time after the loading of the non-boot Also, rootkits typically take steps to mask their existence, and drivers; means for comparing the second Snapshot with the prevent conventional antivirus detection mechanisms from first Snapshot; and upon detecting, in the comparing step, one identifying their existence. For example, a typical antivirus 65 of a masked file and a masked registry branch, means for program invokes a system function call to identify the pro informing a user of possible rootkit presence on the computer. cesses that are currently running. The rootkit intercepts the The selected files include system services. The system ser US 7,921,461 B1 3 4 vices are identified by a SERVICE SYSTEM START flag. drivers are loaded (step 104). (Boot drivers are hardware The operating system is, in one embodiment, a WINDOWS drivers that are required for the absolute minimum hardware operating system, and a 64 bit operating system or a 32 bit functionality—e.g., VGA monitor driver, keyboard driver, operating system. The boot drivers are identified by a SER mouse driver, HDD driver.) In step 106, a native application is VICE BOOT START flag. The snapshots are generated invoked, and creates a first Snapshot. “A native application' is using a an application assembled in a particular manner, and HKLM\SYSTEM\CurrentControlSet\Control\Session designed to work on the Zero ring of the Intel processor after Manager\Bootxecute key. the system start, just before the drivers and system services Additional features and advantages of the invention will be are launched. (MS Windows services are analogous to UNIX set forth in the description that follows, and in part will be 10 daemons.) apparent from the description, or may be learned by practice In step 108, the operating system loading process ends, and of the invention. The advantages of the invention will be at this point, the rootkit can initialize itself. realized and attained by the structure particularly pointed out In step 110, a current snapshot 2 is formed. In step 112, in the written description and claims hereof as well as the Snapshots 1 and 2 are compared. If the comparison shows that appended drawings. 15 they are identical, then, in step 114, it is possible to conclude It is to be understood that both the foregoing general that there is no rootkit, and the user may be so informed (if description and the following detailed description are exem requested). Otherwise, if Snapshots 1 and 2 are not the same, plary and explanatory and are intended to provide further then, in step 116, a reboot is initiated. In step 118, a boot explanation of the invention as claimed. driver is loaded. In step 120, Snapshot 1' is generated. In step 122, the rootkit is “cured. The process then proceeds to step BRIEF DESCRIPTION OF THE 108, as described above. DRAWINGS/FIGURES As further shown in FIG. 1, at the moment the drivers with a service load flag (SERVICE BOOT START), and before The accompanying drawings, which are included to pro the setting of the flag for launching the system services (SER vide a further understanding of the invention and are incor 25 VICE SYSTEM START), the native application generates porated in and constitute a part of this specification, illustrate the first Snapshot of the operating system. Thus, the Snapshot embodiments of the invention and together with the descrip is generated even before the launch of the Win32 subsystem. tion serve to explain the principles of the invention. Also, it should be noted that the first snapshot is generated In the drawings: through the register key FIG. 1 illustrates, inflowchart form, an exemplary embodi 30 HKLM\SYSTEM\CurrentControlSet\Control\Session ment of the invention. Manager\PendingFileRenameCperations, with the help of FIGS. 2A and 2B illustrate the generation and use of snap the native application. shots in block diagram form. This Snapshot includes at least the register branches, which are critical for the launching of the drivers, register branches DETAILED DESCRIPTION OF THE INVENTION 35 which are responsible for file removal and file renaming (for example, HKLM\System\CurrentControlSet\Services), Reference will now be made in detail to the embodiments driver file control sums, etc. One of ordinary skill in the art of the present invention, examples of which are illustrated in will readily appreciate that the Snapshot can include addi the accompanying drawings. tional information as well, or only a subset of the above As noted earlier, virtually all modern computers utilize 40 information. operating systems to manage various functions of the com After the first Snapshot of the operating system is gener puter. Currently, by far the most popular operating system has ated, the Snapshot is then preferably saved to Some persistent been the Microsoft Windows operating system, which exists storage medium, Such as a hard disk drive, a flash driver, tape, in many versions, such as Windows NT 4.0, Windows 2000, DVD-ROM, etc. Once the operating system is loaded, the Windows 2003, Windows XP (including 64bit version), Win 45 Snapshot of the current state of the operating system can then dows Vista (including 64 bit version), Windows CE, Xbox be generated. OS, etc. The present invention is intended for use in at least all The second Snapshot is formed in the same manner as the of the current and future anticipated versions of MS Win first Snapshot, and contains the same data as the first Snap dows, although on of ordinary skill in the art will readily shot—or should, in theory, if the rootkit has not infected the appreciate how the ideas described hereincan be applicable to 50 operating system. other operating systems as well. Once the current Snapshot is generated, it can be compared The Windows operating system is vulnerable to rootkit with the original Snapshot. If the comparison is exact, then infection, as described earlier. In order to address the problem there is no rootkit infection, and the operating system can of detection of the rootkit, the following approach is pro proceed accordingly. If the two Snapshots show any differ posed. 55 ence, this indicates a possibility of rootkit infection. In that Snapshot creation generally involves sector by sector case, the rootkit can be cured, for example, by restoring the copying of the whole file system, i.e., service information and operating system from a trusted copy or image. data. If the file system is currently active, then files may be As an option, a log of which files have been loaded, altered modified during copying; some files can be open for writing and/or removed, and which registry values have changed, can orlocked, for example. In the simplest case, file system opera 60 be kept in the interval between the first and second snapshots. tions can be suspended for Some period of time and during For example, the log can be implemented as follows: that time a Snapshot is recorded. Of course, such an approach time Explorer.EXE create section for execute cannot be applied to servers where uninterrupted activity of
US 7,921,461 B1 13 14 HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKCU\Software\Classes\VirtualStore\MACHINE\Soft ware\Classes\Wow6432Node\batfile\Shell\runas\ ware\Wow6432Node\Microsoft\Internet Explorer\Main command IE Extensions: HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKCU\Software\Microsoft\Internet Explorer\Extensions ware\Classes\Wow6432Node\comfile\Shell\open\ HKLM\Software\Microsoft\Internet Explorer\Extensions command HKLM\Software\Wow6432Node\Microsoft\Internet HKCU\Software\Classes\VirtualStore\MACHINE\Soft Explorer\Extensions ware\Classes\Wow6432Node\exefile\shell\open.\ HKCU\Software\Classes\VirtualStore\MACHINE\Soft command ware\Microsoft\Internet Explorer\Extensions HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKCU\Software\Classes\VirtualStore\MACHINE\Soft 10 ware\Wow6432Node\Microsoft\Internet ware\Classes\Wow6432Node\ftp\shell\open\command Explorer\Extensions HKCU\Software\Classes\VirtualStore\MACHINE\Soft IE Plugin: ware\Classes\Wow6432Node\htafile\Shell\open\com HKLMASOFTWARE\Microsoft\Internet mand Explorer\Plugins\Extension HKCU\Software\Classes\VirtualStore\MACHINE\Soft 15 HKLMASOFTWARE\Wow6432Node\Microsoft\Internet ware\Classes\Wow6432Node\htmlfile\Shell\open\com Explorer\Plugins\Extension mand HKCU\Software\Classes\VirtualStore\MACHINE\SOFT HKCU\Software\Classes\VirtualStore\MACHINE\Soft WARE\Microsoft\Internet Explorer\Plugins\Extension ware\Classes\Wow6432Node\http\shell\open\command HKCU\Software\Classes\VirtualStore\MACHINE\SOFT HKCU\Software\Classes\VirtualStore\MACHINE\Soft WARE\Wow6432Node\Microsoft\Internet ware\Classes\Wow6432Node\https\shell\open\command Explorer\Plugins\Extension HKCU\Software\Classes\VirtualStore\MACHINE\Soft IE Menu Extension: ware\Classes\Wow6432Node\mailto\Shell\open\command HKCU\Software\Microsoft\Internet Explorer\Menuext HKCU\Software\Classes\VirtualStore\MACHINE\Soft IE Toolbar: ware\Classes\Wow6432Node\mp3 file\Shell\open\com 25 HKCU\Software\Microsoft\Internet Explorer Toolbar mand HKLM\Software\Microsoft\Internet Explorer\Toolbar HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKLM\Software\Wow6432Node\Microsoft\Internet ware\Classes\Wow6432Node\mpegfile\Shell\open\com Explorer Toolbar HKCU\Software\Classes\VirtualStore\MACHINE\Soft mand ware\Microsoft\Internet Explorer\Toolbar HKCU\Software\Classes\VirtualStore\MACHINE\Soft 30 HKCU\Software\Classes\VirtualStore\MACHINE\Soft ware\Classes\Wow6432Node\piffile\Shell\open\command ware\Wow6432Node\Microsoft\Internet HKCUVSoftware\Classes\VirtualStore\MACHINE\Soft Explorer Toolbar ware\Classes\Wow6432Node\txtfile\Shell\open\command IE Shell Browser: HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKCU\Software\Microsoft\Internet ware\Classes\Wow6432Node\cmdfile\Shell\open\com 35 Explorer Toolbar\ShellBrowser mand IE Url Search Hooks: HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKCU\Software\Microsoft\Internet ware\Classes\Wow6432Node\regfile\shell\open\com Explorer UrlSearchHooks mand HKLM\Software\Microsoft\Internet HKCU\Software\Classes\VirtualStore\MACHINE\Soft 40 Explorer UrlSearchHooks ware\Classes\Wow6432Node\scrfile\Shell\open\com HKLM\Software\Wow6432Node\Microsoft\Internet mand Explorer UrlSearchHooks HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKCU\Software\Classes\VirtualStore\MACHINE\Soft ware\Classes\Wow6432Node\vbsfile\shell\open\com ware\Microsoft\Internet Explorer\UrlSearchHooks mand 45 HKCU\Software\Classes\VirtualStore\MACHINE\Soft User Shell Folders: ware\Wow6432Node\Microsoft\Internet HKCU\Software\Microsoft\Windows\CurrentVersion\ Explorer UrlSearchHooks Explorer\User Shell Folders IE Web Browser: HKLM\Software\Microsoft\Windows\CurrentVersion\ HKCU\Software\Microsoft\Internet Explorer\User Shell Folders 50 Explorer Toolbar\WebBrowser HKLM\Software\Wow6432Node\Microsoft\Windows\Cur Safe Boot: rentVersion\Explorer\User Shell Folders HKLM\System\CurrentControlSet\Control\SafeBoot\ HKCU\Software\Classes\VirtualStore\MACHINE\Soft Minimal ware\Microsoft\Windows\CurrentVersion\Explorer\User HKLM\System\CurrentControlSet\Control\SafeBoot\ Shell Folders 55 Network HKCU\Software\Classes\VirtualStore\MACHINE\Soft Autorun: ware\Wow6432Node\Microsoft\Windows\CurrentVer HKCU\Software\Microsoft\Command Processor sion\Explorer\User Shell Folders HKLM\Software\Microsoft\Command Processor HKLMVSOFTWARE\WOW6432NOde\MICROSOFTW HKCU\Software\Classes\VirtualStore\MACHINE\Soft Windows\CurrentVersion\Explorer\User Shell Folders 60 ware\Microsoft\Command Processor IE Main: HKLM\Software\Wow6432Node\Microsoft\Command Pro HKCU\SOFTWARE\Microsoft\Internet Explorer\Main CSSO HKLM\SOFTWARE\Microsoft\Internet Explorer\Main HKCU\Software\Classes\VirtualStore\MACHINE\Soft HKLM\Software\Wow6432Node\Microsoft\Internet ware\Wow6432Node\Microsoft\Command Processor Explorer.Main 65 Control Sums are Calculated for the Following Files: HKCU\Software\Classes\VirtualStore\MACHINE\SOFT %SystemRoot%\System32\drivers\*.sys WARE\Microsoft\Internet Explorer\Main %.SYSTEMROOT9%\System32\Tasks (Task Scheduler) US 7,921,461 B1 15 16 %Program Data%\Microsoft\Windows\Start 8. The method of claim 1, wherein the WINDOWS oper Menu\Programs\Startup ating system is a 64-bit operating system. %USERPROFILE%\AppData\Roaming\Microsoft\Win 9. The method of claim 1, wherein the WINDOWS oper dows\Start Menu\Programs\Startup (Startup Folder) ating system is a 32 bit operating system. c:\autoexec.bat 10. The method of claim 1, wherein the boot drivers are %SystemDrive%\autoexec.bat identified by a SERVICE BOOT START flag. c:\config.sys 11. The method of claim 1, wherein the snapshots are generated using a native application launched by utilizing a %SystemDrive%\config.sys 10 HKLM\SYSTEM\CurrentControlSet\Control\Session Winstart.bat Manager\Bootxecute key. win.ini 12. The method of claim 1, wherein the snapshots are system.ini generated by a native application on ring 0. *:\autorun.inf 15 13. The method of claim 1, further comprising, upon also, control sums can be generated for all drivers, .dll and detecting the rootkit, rebooting the operating system from a .exe files (or, even more broadly, all the files listed in the trusted image. above-identifed register branches and their alternate data 14. A system for detecting a rootkit on a computer having storage) an operating system, the system comprising: Having thus described a preferred embodiment, it should a native application located on a non-transitory computer be apparent to those skilled in the art that certain advantages useable medium which, when the operating system is in of the described method and apparatus have been achieved. It a trusted State upon a reboot of the computer, after load should also be appreciated that various modifications, adap ing of the boot drivers but before loading of non-boot tations, and alternative embodiments thereof may be made 25 drivers, generates a first Snapshot for files of the operat within the scope and spirit of the present invention. The ing system and for a registry; invention is further defined by the following claims. the first Snapshot being stored on a persistent storage medium of the computer; What is claimed is: 30 1. A method for detecting a rootkit on a computer, the a second Snapshot for the selected files and for the registry method comprising: generated by the native application after the loading of starting an operating system on the computer; the non-boot drivers; means for comparing the second Snapshot with the first when the operating system is in a trusted State upon a 35 Snapshot; and reboot of the computer, after loading of the boot drivers but before loading of non-boot drivers, generating a first upon detecting, in the comparing step, one of a masked file Snapshot for files of the operating system and for a and a masked registry branch, means for informing a registry; user of possible rootkit presence on the computer, storing the first Snapshot; 40 wherein the first and the second Snapshots are generated by after the loading of the non-boot drivers, generating a sec sector-by-sector copying of an entire file system and ond snapshot for the files and for the registry; registry. comparing the second Snapshot with the first Snapshot; and 15. The system of claim 14, wherein the native application upon detecting, in the comparing step, one of a masked file 45 is running in ring 0. and a masked registry branch, informing a user of pos 16. The system of claim 14, wherein the files include sys sible rootkit presence on the computer, tem services. wherein the first and the second Snapshots are generated by 17. The method of claim 16, wherein the system services sector-by-sector copying of an entire file system and are identified by a SERVICE SYSTEM START flag. registry. 50 18. The system of claim 14, wherein the operating system 2. The method of claim 1, wherein the Snapshots are gen is a WINDOWS operating system. erated by a native application running in ring 0. 19. The system of claim 14, wherein the WINDOWS oper 3. The method of claim 1, wherein the files include system ating system is a 64-bit operating system. services. 55 20. The system of claim 14, wherein the WINDOWS oper 4. The method of claim 3, wherein the system services are ating system is a 32 bit operating system. identified by a SERVICE SYSTEM START flag. 21. The system of claim 14, wherein the boot drivers are 5. The method of claim 1, wherein the snapshot is gener identified by a SERVICE BOOT START flag. ated based on control sums for the files. 60 22. The system of claim 14, wherein the snapshots are 6. The method of claim 1, further comprising maintaining, generated using a native application launched by utilizing a between the steps of generating the first Snapshot and gener HKLM\SYSTEM\CurrentControlSet\Control\Session ating the second Snapshot, a log of which files have been Manager\Bootxecute key. loaded and which registry values have changed, and wherein 23. A non-transitory computer readable medium having the comparing step is also performed based on the log. 65 computer program logic stored thereon for executing on a one 7. The method of claim 1, wherein the operating system is processor for detecting a rootkit, the computer program logic a WINDOWS operating system. comprising: US 7,921,461 B1 17 18 computer program code starting an operating system on the computer program code comparing the second Snapshot computer; with the first snapshot; and when the operating system is in a trusted State upon a upon detecting, in the comparing step, one of a masked file reboot of the computer, after loading of the boot drivers and a masked registry branch, computer program code but before loading of non-boot drivers, computer pro informing a user of possible rootkit presence on the gram code generating a first Snapshot for files of the computer; operating system and for a registry; wherein the first and the second Snapshots are generated by computer program code storing the first Snapshot; copying of an entire file system and registry sector-by after the loading of the non-boot drivers, computer pro SectOr. gram code generating a second Snapshot for the files and 10 for the registry;