http://www.omninerd.com/2005/11/22/articles/43

* chkrootkit [43] - The chkrootkit auditing scripts have been in development since 1997 and are capable of detecting rootkit signatures in binaries, log anomalies, errant network behavior and loadable kernel modules.
* KLister [44] - KLister is a collection of several tools designed to interface with the deepest internal kernel structures in order to expose rootkit code.
* Malicious Software Removal Tool [45] - This self-updating tool operates in conjunction with the operating system at all levels for detecting anomalous behavior and rootkit signature hits. As a product of Microsoft, the Malicious Software Removal Tool has the advantage of utilizing unpublished, internal, hidden APIs that may not have been publicly disclosed to other tool creators.
* PatchFinder2 [46] - PatchFinder2 utilizes a technique called Execution Path Analysis (EPA) to detect kernel and DLL rootkits. EPA puts the processor into a single-stepping debugger mode to count processor operations per function. This generates empirical evidence to compare against a known 'clean' value. [47]
* Rootkit Hunter [48] - Booting from a Gentoo Linux CDROM, Rootkit Hunter objectively analyzes a host system in an inert state against downloadable signatures to detect rootkits while they are dormant.
* RootkitRevealer [49] - RootkitRevealer compares the outputs of multiple APIs (such as Win32 and NativeNT) in the Windows operating system to detect discrepancies.
* Tripwire [50] - As rootkits alter the nature of original files, Tripwire is able to detect malware through the principle of Change Auditing, where comparisons are made between different aspects of a known system state and the present running system.
* VICE [51] - VICE browses call tables to detect anomalous hooks that redirect function calls to a rootkit.