Bruce Schneier describes a prototype app to help discover persistent rootkits. This is a really cool idea.

Basically, it's a CD-based app that you pop in the drive while the system is up and running. It will examine the current state, stop all user programs, flush caches, and run a checksum of all files, as well as check the registry for keys that could 're-launch' certain infected programs and such. All data is written to a dump file on the hard drive.

It then tells the user to "RESET" the system which then boots from the CD and repeats the process on the files and registry/hive files. Any differences indicate a rootkit or stealth software.
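The "compare the inside view with the clean-boot view" step, as an added Python illustration (not code from Schneier's post or from the Microsoft prototype). It builds a checksum manifest of a file tree from two views and diffs them; the sample tree, the hidden file name and the simulated hooked listing are constructed for the demo. The same diff applies to any name-to-value snapshot, such as registry run keys read live versus read from the hive file offline.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root, visible=lambda p: True):
    """Walk root and return {relative_path: sha256}.

    `visible` models what the scanning view can see: a live scan through a
    rootkit-hooked API may silently omit entries; a clean boot sees them all.
    """
    manifest = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and visible(path):
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def cross_view_diff(online, offline):
    """Compare the in-system (online) view with the clean-boot (offline) view.

    Entries present offline but absent online are the classic stealth
    indicator: the object is on disk but the running OS does not show it.
    """
    return {
        "hidden_online": sorted(set(offline) - set(online)),
        "missing_offline": sorted(set(online) - set(offline)),
        "content_differs": sorted(
            p for p in set(online) & set(offline) if online[p] != offline[p]
        ),
    }

def demo():
    """Constructed sample tree; 'drivers/stealth.sys' is hidden from the live view."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "drivers").mkdir()
        (root / "drivers" / "stealth.sys").write_bytes(b"constructed sample")
        (root / "notepad.exe").write_bytes(b"benign")
        (root / "boot.ini").write_bytes(b"[boot loader]")
        # Live view: simulate a hooked directory listing that filters one name.
        online = build_manifest(root, visible=lambda p: p.name != "stealth.sys")
        # Offline view after booting from the CD: nothing is filtered.
        offline = build_manifest(root)
        return cross_view_diff(online, offline)

if __name__ == "__main__":
    print(demo())
```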

That's a pretty simple and cool idea.

And the most amazing part...it's a Microsoft prototype! They call it Ghostbuster, but they don't have plans to sell or market it. Here's hoping they don't hold the copyright, and let others take this great idea and run with it, if they don't want to.

http://www.schneier.com/blog/archive...ostbuster.html