Abstract
The main purpose of this article is to present a secure engine specifically designed for a security analyst studying rootkits and other programs that interact at a deep level with the operating system, including anti-virus, personal firewall and HIPS programs. State-of-the-art algorithms for rootkit detection are presented in this paper. Forensic techniques for monitoring the system's critical components and advanced heuristics are also used. This survey is based on a proof-of-concept human analysis framework that provides a reliable system for automatically gathering information about a rootkit and its interaction with the OS executive, but that relies on human decision as the detection process, free of the limitations and constraints that apply to product-oriented anti-rootkit programs. We use the new point of view provided by this framework to take a fresh look at the heuristics and forensics currently used by rootkit detectors.
Sébastien Josse is an I.T. consultant at the Silicomp-AQL Security Evaluation Lab and a Ph.D. student at the EDX Polytechnique Doctoral School, within the ESAT Virology and Cryptology Lab in Rennes (sebastien.josse@esat.terre.defense.gouv.fr).
Cite this article
Josse, S. Rootkit detection from outside the Matrix. J Comput Virol 3, 113–123 (2007). https://doi.org/10.1007/s11416-007-0045-1