That's the situation with IceSword, a program I wrote about on May 31 and June 7. IceSword is a remarkably effective tool against "rootkits," virus-type programs that can evade detection by ordinary antivirus products. IceSword is available only in a Chinese-language version. Using several search engines, I was able to find dozens of comments about the program in Chinese-language sites, but not a single mention in English.
The one exception was the site of Hacker Defender, a rootkit package that's sold in a basic version for 20 euros (about $25 USD) and "silver" and "gold" versions for up to 450 euros. The package's author, who calls himself "holy_father," has written on his site that currently the only antirootkit tool that can detect Hacker Defender (HxDef) is IceSword. He called it "such a nice tool, [a] real challenge," adding, "One of my priorities this summer [will be] to beat IceSword."
The author of IceSword is a Chinese programmer who goes by "pjf_" in online postings. I was finally able to track down pjf_ and interview him through an intermediary. (After discovering an e-mail address pjf_ once used in a discussion forum, I sent a message requesting his full name, but my communication went unanswered.)
The following interview was conducted for me in Chinese by Ming Jin, a researcher who works with eEye Digital Security, based in southern California. I had the responses translated into English by Zhen Wang, a professional translator in Beijing.
IceSword's Strengths and Weaknesses
Q: How could a rootkit bypass IceSword?
PJF_: For the newly released version 1.10, it's not known that a rootkit can bypass IceSword. In theory, a rootkit could bypass IceSword, but it has got to get into IceSword's kernel. However, this is not easily done in a short period of coding/programming.
While programming IceSword, I thought of a way a rootkit might bypass it and how to deal with this. However, for IceSword's stability, I didn't add such functionality. IceSword will be upgraded as new rootkits are released.
Actually, it is more reasonable that a rootkit could break IceSword, not just bypass it. Yet, attempting to do so could make a rootkit visible to IceSword. An easier way would be to analyze IceSword completely, and cut down its linking between the kernel and the user interface. This could be done in a new version [of a rootkit].
Detecting Hacker Defender
Q: How does IceSword detect Hacker Defender? (By enumerating services, and finding hidden ones, I would guess.)
PJF_: Hacker Defender is a strong rootkit, and the Gold and Silver Hacker Defender packages are more potent. Many antirootkit programs, such as Rootkit Revealer and BlackLight, can't detect Hacker Defender. (Such statements can be found on the Web site of the author of Hacker Defender.) I haven't got the Gold and Silver packages. But on the author's home page, it is stated that Hacker Defender cannot evade IceSword. And IceSword is continually improving.
Regarding the public version of HxDef, IceSword can detect all the hidden stuff, such as files, register maps, processes, services, and so on. My techniques can detect such a rootkit and quarantine and clean it. In addition, a tool called Ishelp in IceSword version 1.10 is also very helpful in detecting rootkits.
Comparing IceSword with Other Antirootkit Programs
Q: Is IceSword better than Rootkit Revealer or BlackLight?
PJF_: I think that the user is in a position to make such a judgment. In my opinion and after many tests, IceSword looked more stable in many cases. However, each software program has its own unique features and strengths. Some rootkit writers have their own comments and they are in a better position in making judgments.
Other Features of IceSword
Q: Does IceSword do anything else?
PJF_: IceSword also does a pretty good job of breaking the protection of a potent rootkit over processes, files, and register maps. For example, if a rootkit uses a filter driver to disable writing and deleting files, IceSword can detect this and clean it up.
I've developed a new version, which has such features as a firewall, file protection, and driver monitoring. Not all of this is written using publicly documented Microsoft code. This version cannot be released before it has been thoroughly tested on multiple platforms.
F-Secure Responds Regarding BlackLight
I asked F-Secure, the publisher of BlackLight, and SysInternals.com, the publisher of Rootkit Revealer, for their reaction to pjf_'s assertion that IceSword can detect rootkits that their products cannot.
"We have heard of the IceSword tool and have no doubt that it is a capable rootkit detector," says Mikael Albrecht, product manager for F-Secure, which is headquartered in Helsinki, Finland. "The question about what antirootkit tool is the best is hard to answer. We agree with pjf_'s point that rootkit detectors are different and are focused on different use cases and users. It is, in addition to that, worth noting that the Windows rootkit scene is new and rapidly developing.
"Rootkit detection is a cat-and-mouse game. Sometimes the rootkit authors are ahead, sometimes the antirootkit authors. We can at the moment detect all rootkit samples that we have access to, but that may change as soon as a new, more advanced rootkit is published. We will naturally respond with improved detection when that happens. There are still no signs that this race will slow down. This makes it even harder to name the best antirootkit tool. ...
"Rootkit technology is not a big problem at the moment. The number of affected systems is a small fraction compared to the number of virus infections. We must, however, be prepared to handle virus outbreaks that install rootkit technology in a large number of systems. It is important that the security industry has got technology that is mature enough when it happens. Every cycle with improved rootkits and antirootkit tools gives us better ability to handle situations like that."
SysInternals.com did not respond to my request for comment.
IceSword has a Windows Explorer-like interface but displays hidden processes and resources that Windows Explorer would never show. It isn't a "click-here-to-delete-rootkits" product but a sophisticated discovery tool that can protect against sinister rootkits if used before they infect a machine.
IceSword's documentation is entirely in Chinese, but that wouldn't necessarily stop dedicated IT administrators from downloading the software and trying it on a test Windows PC. I encourage security professionals to look into this further and let me know what you learn.
IceSword is downloadable from Xfocus.net, a Chinese security site, in compressed RAR format at Xfocus.net/tools/200505/1032.html.
Update as of 2005-11-15: An English-language version of the program is now available for download from the following Web page: