Multi-aspect profiling of kernel rootkit behavior

Riley, Ryan; Jiang, Xuxian; Xu, Dongyan

doi:10.1145/1519065.1519072

Cited by 64 publications

(54 citation statements)

References 20 publications

(19 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We propose that all future malware architectures should be based on the architecture presented in figure 2 below. This architecture is very similar to current ongoing research in [11] [13] [10] [38] that propose the use of hypervisors and virtualization techniques to deal with rootkits. Such an architecture would significantly reduce the chance that malware would be able to disable or compromise the antimalware program because the anti-malware program would be, at all times, executing at a higher privilege level than the malware.…”

Section: Addressing the Vulnerabilitiesmentioning

confidence: 71%

“…Rootkits are designed to fundamentally subvert the OS kernel and are capable of obtaining and maintaining unrestricted control and access within the compromised system without even being detected by antimalware software [14]. Rootkits can also hide other malicious software or activities such as open network connections, running processes and files on disk [10][11] [12]. Long life time rootkits are most likely to attempt to hide [11].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Implementing rootkits to address operating system vulnerabilities

Corregedor

Solms

2011

2011 Information Security for South Africa

View full text Add to dashboard Cite

Abstract-Statistics show that although malware detection techniques are detecting and preventing malware, they do not guarantee a 100% detection and / or prevention of malware. This is especially the case when it comes to rootkits that can manipulate the operating system such that it can distribute other malware, hide existing malware, steal information, hide itself, disable anti-malware software etc all without the knowledge of the user. This paper will demonstrate the steps required in order to create two rootkits.We will demonstrate that by implementing rootkits or any other type of malware a researcher will be able to better understand the techniques and vulnerabilities used by an attacker. Such information could then be useful when implementing anti-malware techniques.

show abstract

Section: Addressing the Vulnerabilitiesmentioning

confidence: 71%

Section: Introductionmentioning

confidence: 99%

Implementing rootkits to address operating system vulnerabilities

Corregedor

Solms

2011

2011 Information Security for South Africa

View full text Add to dashboard Cite

show abstract

“…invoked system calls and its arguments. Other methods, such as those proposed in [21,22] not only observe objects interactions, but also, profile the interaction patterns such as evolving pattern of a malicious object's data structure in dynamic kernel memory. Profiled patterns are further used to derive a malware detection signature.…”

Section: Interrelation Between Observed Objectsmentioning

confidence: 99%

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Shosha

James

Hannaway

et al. 2013

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

View full text Add to dashboard Cite

Abstract. Digital forensic investigators commonly use dynamic malwareanalysis methods to analyze a suspect executable found during a post-mortem analysis of the victim's computer. Unfortunately, currently proposed dynamic malware analysis methods and sandbox solutions have a number of limitations that may lead the investigators to ambiguous conclusions. In this research, the limitations of the use of current dynamic malware analysis methods in digital forensic investigations are highlighted. In addition, a method to profile dynamic kernel memory to complement currently proposed dynamic profiling techniques is proposed. The proposed method will allow investigators to automate the identification of malicious kernel objects during a post-mortem analysis of the victim's acquired memory. The method is implemented in a prototype malware analysis environment to automate the process of profiling malicious kernel objects and assist malware forensic investigation. Finally, a case study is given to demonstrate the efficacy of the proposed approach.

show abstract

“…In our implementation, we further perform execution profiling of the identified malicious code. For example, in our experiments with kernel rootkits (Section 4.2), we leverage it and apply the combat tracking technique described in PoKeR [34] to profile rootkit execution within a given time window ([ST, EN]). In particular, for a subset of instructions identified thus, all memory reads and writes and their contents, are recorded in a log on the host OS.…”

Section: Analysis Modulesmentioning

confidence: 99%

Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots

Srinivasan

Jiang

2012

Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

Self Cite

View full text Add to dashboard Cite

Abstract. Honeypots have proven to be an effective tool to capture computer intrusions (or malware infections) and analyze their exploitation techniques. However, forensic analysis of compromised honeypots is largely an ad-hoc and manual process. In this paper, we propose Timescope, a system that applies and extends recent advances in deterministic record and replay to high-interaction honeypots for extensible, fine-grained forensic analysis. In particular, we propose and implement a number of systematic analysis modules in Timescope, including contamination graph generator, transient evidence recoverer, shellcode extractor and break-in reconstructor, to facilitate honeypot forensics. These analysis modules can "travel back in time" to investigate various aspects of computer intrusions or malware infections during different execution time windows. We have developed Timescope based on the open-source QEMU virtual machine monitor and the evaluation with a number of real malware infections shows the practicality and effectiveness of Timescope.

show abstract

Multi-aspect profiling of kernel rootkit behavior

Cited by 64 publications

References 20 publications

Implementing rootkits to address operating system vulnerabilities

Implementing rootkits to address operating system vulnerabilities

Towards Automated Malware Behavioral Analysis and Profiling for Digital Forensic Investigation Purposes

Time-Traveling Forensic Analysis of VM-Based High-Interaction Honeypots

Contact Info

Product

Resources

About