Taking a lesson from stealthy rootkits

Ring, Sandra; Cole, Eric

doi:10.1109/msp.2004.57

Cited by 15 publications

(7 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This means that DLL-or EXE-files, which hold the binaries of the Windows API such as ntdll.dll, ntoskrnl.exe, etc., are replaced with malicious code [47]. An advanced level on reverse engineering is required to alter official binaries correctly without destroying necessary routines and data structures, especially when it comes to kernel binaries.…”

Section: Static Patchingmentioning

confidence: 99%

The Evolution of Process Hiding Techniques in Malware - Current Threats and Possible Countermeasures

Eresheim

Luh

Schrittwieser

2017

Journal of Information Processing

View full text Add to dashboard Cite

Rootkits constitute a significant threat to modern computing and information systems. Since their first appearance in the early 1990's they have steadily evolved, adapting to ever-improving security measures. The main feature rootkits have in common is the ability to hide their malicious presence and activities from the operating system and its legitimate users. In this paper we systematically analyze process hiding techniques routinely used by rootkit malware. We summarize the characteristics of different approaches and discuss their advantages and limitations. Furthermore, we assess detection and prevention techniques introduced in operating systems in response to the threat of hidden malware. The results of our assessments show that defenders still struggle to keep up with rootkit authors. At the same time we see a shift towards powerful VM-based techniques that will continue to evolve over the coming years.

show abstract

Section: Static Patchingmentioning

confidence: 99%

The Evolution of Process Hiding Techniques in Malware - Current Threats and Possible Countermeasures

Eresheim

Luh

Schrittwieser

2017

Journal of Information Processing

View full text Add to dashboard Cite

show abstract

“…While our definition implies that having access to the network device will not reveal the presence of the service to unauthorized users, it does not prevent users from exploiting other operating system tools. We note, however, that this is an orthogonal issue and a variety of techniques are known for this purpose [24,25].…”

Section: Security Conditionmentioning

confidence: 99%

SilentKnock: practical, provably undetectable authentication

Vasserman

Hopper

Tyra

2008

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Port knocking is a technique to prevent attackers from discovering and exploiting vulnerable network services, while allowing access for authenticated users. Unfortunately, most work in this area suffers from a lack of a clear threat model or motivation. To remedy this, we introduce a formal security model for port knocking, show how previous schemes fail to meet our definition, and give a provably secure scheme. We also present SilentKnock, an implementation of this protocol that is provably secure under the assumption that AES and a modified version of MD4 are pseudorandom functions, and integrates seamlessly with existing applications.

show abstract

“…According to Ring and Cole (2004), there are two major categories of rootkits: user level and kernel level. User-level rootkits are often combined with Trojans into one category because they operate by placing a Trojan horse within applications.…”

Section: Historical Rootkit Categoriesmentioning

confidence: 99%

“…This lets administrators with access to the binary, or kernel, memory analyze it for suspicious string and symbol characteristics. They (administrators) can extract the strings and symbols and determine what attackers are doing to their systems" (Ring and Cole, 2004). Levine et al (2005) contends that identifying rootkits requires a more accurate system of classifying the different types.…”

Section: Prevention Detection and Removalmentioning

confidence: 99%

Rootkits and Their Effects on Information Security

Beegle

2007

Information Systems Security

View full text Add to dashboard Cite

A rootkit is cloaked software that infiltrates an operating system or a database with the intention to escape detection, resist removal, and perform a specific operation. Many rootkits are designed to invade the "root," or kernel, of the program, and therefore operate without announcing their presence to the owner of the computer. Although some rootkits are written with noble intentions (e.g., to strengthen an anti-virus package), true rootkits have a malicious purpose. A rootkit infection can render a compromised computer system vulnerable to attacks and corruption.Rootkits are named for their origin in Linux systems, but the number of rootkits that attack Microsoft operating systems has recently proliferated. Not only are rootkits difficult to detect and assess, but at times the only effective way to remove them is to do a clean installation of the entire operating system. Recent discoveries of rootkits in other venues prove that the problem is spreading and is a major concern for administrators in information security.This paper presents a brief history of the development of rootkits and their possible effects. Prominent cases involving rootkits are described. The paper concludes with an overview of methods to prevent rootkits and to (hopefully) eradicate one that has infected an operating system.

show abstract

Taking a lesson from stealthy rootkits

Cited by 15 publications

References 1 publication

The Evolution of Process Hiding Techniques in Malware - Current Threats and Possible Countermeasures

The Evolution of Process Hiding Techniques in Malware - Current Threats and Possible Countermeasures

SilentKnock: practical, provably undetectable authentication

Rootkits and Their Effects on Information Security

Contact Info

Product

Resources

About