Currently there are numerous rootkits available for almost any operating system. Researchers have recently seen some rootkits that almost have a commercial feel to them, designed on a custom basis for a fee to evade many antivirus vendors for a small fee.
When dealing with rootkits and malicious code, many security professionals focus on tools and technology. While this is important, it is not as important as developing a security team's ability to deal with rootkits.
When I work on a certification and accreditation project, I like to set up a scenario where I install a rootkit on a system and ask the security team to identify and remove it. Rather then relying on documented procedures or proof that they are updating their antivirus on a regular basis, I like to see how the team responds when they have a live situation to resolve.
As for technology, I like working with RootkitRevealer, F-Secure Corp.'s BackLight tool and the freely available IceSword. It is always a good idea to get a second (or possibly even a third) opinion when dealing with rootkits because they are constantly evolving to bypass rootkit-detection techniques and technologies.
This was first published in October 2008