An online cross view difference and behavior based kernel rootkit detector

Published: 04 August 2011

Abstract

Kernel-level rootkits pose a serious threat today, as they mask not only their own presence but also the malware that comes bundled with them. Rootkits achieve this stealth by manipulating the control flow of system calls through hooks and by directly manipulating kernel objects, viz., the driver and process lists. Existing antivirus products that rely on signature-based techniques to detect malware are effective only against known rootkits. However, as attackers change the coding style of their rootkits, antivirus products fail to detect them, and the rootkits and their malicious activities remain hidden from the administrator's view. Thus, all data on the compromised system becomes vulnerable to theft, and all services running on it can be misused by the remote attacker without the slightest chance of being discovered. Other rootkit detection techniques, such as integrity checking, alternate trusted media, and memory dumping, require frequent offline analysis and fail to unload or block the rootkit.

This paper addresses these challenges and proposes an online cross-view-difference and behavior-based kernel rootkit detector to overcome them. Our proposed solution, the Kernel Rootkit Trojan Detector (KeRTD), is a host-based, cross-view-difference-based solution that enables online analysis and aids the immediate detection of rootkits. A simple view difference between a snapshot of the user-mode Task Manager and KeRTD's own process and driver lists reveals hidden rootkits and other hidden malware. All rootkits follow a generic pattern of infection, such as installing kernel hooks and modifying kernel objects. KeRTD exploits this generic behavior to detect and restore the kernel hooks, thus blocking further infection. Every file and memory access is verified against an Access Control List to prevent subversion of KeRTD and of the operating system kernel. The proposal has been implemented on the Windows operating system and tested against various attack methods used by kernel rootkits. The results confirm the detection of the kernel rootkits.
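The two checks the abstract describes, a cross-view difference between a user-mode process listing and a lower-level one, and a comparison of a kernel dispatch table against a trusted baseline with restoration of tampered entries, are modelled below in plain Python. This is an added illustration, not the paper's KeRTD driver code: the process views, the dispatch table, the baseline and the "legitimate code range" are all constructed sample values, and the function names (`cross_view_diff`, `check_hooks`) are hypothetical. A real detector would obtain the lower-level view and the table from kernel mode; the set logic and the baseline comparison are the same.

```python
from dataclasses import dataclass

# Constructed sample data: the user-mode view (what a Task Manager snapshot
# reports) and a lower-level view (what a kernel component enumerating process
# objects would report). PIDs and names are invented for this example.
USER_MODE_VIEW = [(4, "System"), (512, "explorer.exe"), (900, "svchost.exe")]
KERNEL_VIEW = [(4, "System"), (512, "explorer.exe"), (900, "svchost.exe"),
               (1337, "hidden.exe")]

# Constructed dispatch table: service index -> handler address. BASELINE_TABLE
# stands for the trusted copy recorded at boot; CURRENT_TABLE has one entry
# redirected to an address outside the (assumed) kernel image range.
LEGIT_CODE_RANGE = (0x80400000, 0x80600000)
BASELINE_TABLE = {0x25: 0x80501000, 0x91: 0x80502000, 0xAD: 0x80503000}
CURRENT_TABLE = {0x25: 0xF7A01234, 0x91: 0x80502000, 0xAD: 0x80503000}


@dataclass(frozen=True)
class Finding:
    index: int      # dispatch table slot
    current: int    # address found in the live table (-1 if the slot is missing)
    expected: int   # address from the trusted baseline
    reason: str


def cross_view_diff(user_view, low_level_view):
    """Return (hidden, phantom) as sorted lists of (pid, name).

    hidden:  entries present only in the lower-level view, i.e. objects the
             user-mode enumeration no longer reports (a rootkit indicator).
    phantom: entries present only in the user-mode view (stale or spoofed).
    """
    user = dict(user_view)
    low = dict(low_level_view)
    hidden = sorted((pid, low[pid]) for pid in low.keys() - user.keys())
    phantom = sorted((pid, user[pid]) for pid in user.keys() - low.keys())
    return hidden, phantom


def check_hooks(current, baseline, legit_range):
    """Compare a live dispatch table with its trusted baseline.

    Every slot that differs from the baseline is reported; the reason notes
    whether the new target lies outside the legitimate code range (the usual
    signature of a hook installed by a third-party driver). A restored copy of
    the table, with each flagged slot reset to its baseline value, is returned
    alongside the findings.
    """
    lo, hi = legit_range
    findings = []
    restored = dict(current)
    for index, expected in baseline.items():
        addr = current.get(index)
        if addr is None:
            reason = "entry missing"
        elif addr == expected:
            continue
        elif not (lo <= addr < hi):
            reason = "redirected outside kernel image"
        else:
            reason = "differs from baseline"
        findings.append(Finding(index, -1 if addr is None else addr, expected, reason))
        restored[index] = expected
    return findings, restored


def scan():
    """Run both checks over the constructed data and return a report dict."""
    hidden, phantom = cross_view_diff(USER_MODE_VIEW, KERNEL_VIEW)
    findings, restored = check_hooks(CURRENT_TABLE, BASELINE_TABLE, LEGIT_CODE_RANGE)
    return {"hidden": hidden, "phantom": phantom,
            "hooks": findings, "restored": restored}


if __name__ == "__main__":
    report = scan()
    for pid, name in report["hidden"]:
        print(f"hidden process: pid={pid} name={name}")
    for f in report["hooks"]:
        print(f"hook at slot {f.index:#x}: {f.current:#x} -> restore {f.expected:#x} ({f.reason})")
```

The diff reports `hidden.exe` (present in the lower-level view, absent from the user-mode one) and flags slot 0x25, whose handler now points outside the kernel image; the restored table equals the baseline. Note that the phantom list matters too: a process present in user mode but absent below it points at a stale snapshot or a spoofed listing, which is why both directions of the difference are returned.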

