DocumentCode :
2411750
Title :
Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit
Author :
Tsaur, Woei-Jiunn ; Chen, Yuh-Chen
Author_Institution :
Dept. of Inf. Manage., Da-Yeh Univ., Changhua, Taiwan
fYear :
2010
fDate :
20-22 Aug. 2010
Firstpage :
842
Lastpage :
848
Abstract :
More and more malware writers are taking advantage of rootkits to shield their illegal activities. Any computer security product that is not equipped with anti-rootkit functionality may fail to identify this kind of threat. Thus, the role of a rootkit detector is becoming extremely important. Although much research has focused on kernel data to develop schemes for finding malicious behaviors, and such schemes can undoubtedly detect hooking-based or virtual-machine-based rootkits in Linux or Windows effectively, they cannot foresee the result when meeting unknown Windows DKOM (Direct Kernel Object Manipulation) based rootkits. In this paper, we develop a new Windows driver-hiding rootkit with five tricks based on DKOM, and have verified that it can successfully evade a variety of well-known rootkit detectors. This paper spots the weaknesses of current detectors, and also discusses possible remedies and solutions for detecting the proposed subtle rootkit. We expect that this research will contribute to the development of rootkit detection methods for Windows hidden driver based rootkits.
Keywords :
Linux; device drivers; invasive software; operating system kernels; Linux; Rootkit Detectors Vulnerabilities; Windows DKOM; Windows hidden driver based rootkit; anti-rootkit functionality; direct kernel object manipulation; malicious behaviors; malware writers; virtual machine; Computers; Data structures; Detectors; Driver circuits; Kernel; Malware; Windows; kernel mode; malware; rootkit; system security;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Social Computing (SocialCom), 2010 IEEE Second International Conference on
Conference_Location :
Minneapolis, MN
Print_ISBN :
978-1-4244-8439-3
Electronic_ISBN :
978-0-7695-4211-9
Type :
conf
DOI :
10.1109/SocialCom.2010.127
Filename :
5591451