Dynamic Detection of Process Hiding Kernel Rootkits

Stealth rootkits that hide themselves on victim systems pose a major threat to computer systems. They are usually evasive, using sophisticated stealth techniques to conceal files, processes, kernel modules, and other kinds of objects, which makes detecting their presence extremely challenging. Current detection techniques, however, are mostly system-specific and ineffective against unknown rootkits. In this paper, we present the design, implementation and evaluation of XView, a dynamic cross-view approach that detects rootkits by identifying hidden processes. To this end, we continuously maintain a list of active processes outside the monitored system and compare it with the list reported by the guest system. XView bridges the semantic gap by intercepting and interpreting the guest operating system's system call events in a non-intrusive manner: it dynamically monitors the guest and reconstructs semantic-level process information from those events. Because it is not directed against any specific hiding technique, it is able to detect unknown rootkits. We have developed an XView prototype and evaluated it with eleven rootkit samples. XView identified the process-hiding behavior of all samples with modest performance overhead.

Rootkits have become a serious security threat to computer systems. Although rootkits originated on Unix, Windows rootkits have recently been gaining popularity [38]. According to statistics from Microsoft, more than 20% of all malware programs removed from Windows XP SP2 systems are stealth rootkits. A rootkit is a set of programs designed to conceal its presence on a system without the user's knowledge or permission. Rootkits usually alter the behavior of the operating system in order to hide processes, files, kernel modules and other important information from the user.

Due to their stealthy nature, rootkits are often difficult for users to detect. Unlike malware such as viruses or worms, the goal of a rootkit is not to damage the system or to spread to other systems; rather, other malicious programs exploit rootkit techniques to evade detection by hiding their presence. In addition, open-source, ready-to-use rootkits are widely available on the Internet, so malware authors who may not even understand how a rootkit works can easily integrate rootkit techniques into their own code [35]. According to a report by McAfee, the use of stealth techniques in malware grew by more than 600% in just three years. There are generally two types of rootkits, user-level and kernel-level, the latter being more sophisticated and more powerful; the most advanced rootkits are able to subvert the system kernel itself. It is therefore crucial to find ways to detect these rootkits effectively.

Researchers have developed tools, such as , to detect hidden objects. They detect hiding behavior by comparing the objects obtained from a high-level view with those extracted from low-level system information, either on the user's request or on a regular basis. To collect the low-level information, most of these tools rely on specific kernel data structures that the operating system maintains primarily for auditing and bookkeeping purposes. These data structures are, however, often highly system-dependent and may change across system versions or even patch levels. Moreover, once rootkit authors learn which data structures a tool relies on, they can modify their rootkits to manipulate those structures as well and thus evade detection. Such detection tools may therefore become ineffective when rootkits employ novel hiding techniques.
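The cross-view comparison described in the abstract, and the high-level versus low-level comparison that the tools above perform, can be illustrated with a small worked example. The following is an added illustration written for this page, not XView's own code or any tool named in the paper: it replays a constructed trace of guest process-management syscall events (clone, execve, exit_group) to rebuild the set of live processes as an out-of-guest monitor would, then diffs that set against the list the guest itself reports. The trace format (syscall name followed by key=value fields), the sample PIDs and paths, and the guest's `ps` output are all assumptions constructed for the example. It also adds a persistence filter that a real deployment needs: a process that exits between the external snapshot and the guest listing would otherwise show up as a one-off false positive.

```python
from dataclasses import dataclass

# Constructed sample trace of guest syscall events, in the order an
# out-of-guest monitor observed them (assumed log format, not XView's).
SAMPLE_TRACE = """\
clone       pid=1    ret=100
execve      pid=100  path=/usr/sbin/sshd
clone       pid=1    ret=200
execve      pid=200  path=/usr/sbin/cron
clone       pid=100  ret=300
execve      pid=300  path=/bin/bash
clone       pid=300  ret=666
execve      pid=666  path=/tmp/.x/backdoor
clone       pid=200  ret=400
execve      pid=400  path=/usr/sbin/logrotate
exit_group  pid=400
"""

# Constructed list that the guest's own `ps` reports: a rootkit inside the
# guest filters PID 666 out of the listing.
SAMPLE_GUEST_PS = {1, 100, 200, 300}


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str


def parse_event(line):
    """'clone pid=1 ret=100' -> ('clone', {'pid': '1', 'ret': '100'})."""
    syscall, *fields = line.split()
    return syscall, dict(f.split("=", 1) for f in fields)


class ExternalProcessView:
    """Process set reconstructed purely from intercepted syscall events,
    without trusting anything the guest kernel reports."""

    def __init__(self, seed):
        # seed: processes already alive when monitoring starts (e.g. init)
        self.procs = {p.pid: p for p in seed}

    def apply(self, line):
        syscall, kv = parse_event(line)
        pid = int(kv["pid"])
        if syscall in ("fork", "vfork", "clone"):
            # return value of clone/fork in the parent is the child PID;
            # the child initially runs the parent's image
            child = int(kv["ret"])
            parent = self.procs.get(pid)
            self.procs[child] = Proc(child, pid, parent.comm if parent else "?")
        elif syscall == "execve":
            if pid in self.procs:
                self.procs[pid].comm = kv["path"]
            else:
                # exec by a PID we never saw created: record it rather than
                # silently dropping it, so gaps in the trace stay visible
                self.procs[pid] = Proc(pid, -1, kv["path"])
        elif syscall in ("exit", "exit_group"):
            self.procs.pop(pid, None)
        # any other syscall leaves the process set unchanged

    def pids(self):
        return set(self.procs)


def cross_view_diff(external_pids, guest_pids):
    """hidden = in the external view only; phantom = guest-only PIDs."""
    return sorted(external_pids - guest_pids), sorted(guest_pids - external_pids)


class PersistentHiddenDetector:
    """Report a PID only after it is missing from the guest view in
    `rounds` consecutive snapshots, suppressing exit races between the
    two views."""

    def __init__(self, rounds=2):
        self.rounds = rounds
        self.streak = {}

    def observe(self, external_pids, guest_pids):
        hidden, _ = cross_view_diff(external_pids, guest_pids)
        self.streak = {p: self.streak.get(p, 0) + 1 for p in hidden}
        return sorted(p for p, n in self.streak.items() if n >= self.rounds)


def detect_from_trace(trace=SAMPLE_TRACE, guest_ps=SAMPLE_GUEST_PS):
    view = ExternalProcessView([Proc(1, 0, "init")])
    for line in trace.splitlines():
        if line.strip():
            view.apply(line)
    hidden, phantom = cross_view_diff(view.pids(), guest_ps)
    return {
        "external": sorted(view.pids()),
        "hidden": hidden,
        "phantom": phantom,
        "comm": {p: view.procs[p].comm for p in hidden},
    }


if __name__ == "__main__":
    print(detect_from_trace())
```

Running the sample yields an external view of {1, 100, 200, 300, 666} against a guest view of {1, 100, 200, 300}, so PID 666 (`/tmp/.x/backdoor`) is reported as hidden while the short-lived logrotate (PID 400) is correctly absent from both views. Note what this does not depend on: no guest kernel data structure (task list, PID hash table, handle table) is read, which is the property that makes the approach independent of the particular hiding technique a rootkit uses.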
