Application of a methodology to characterize rootkits retrieved from honeynets

Techniques and methods currently exist to detect whether a certain type of rootkit has exploited a computer system. However, these techniques and methods can only indicate that a system has been exploited by a rootkit. We are currently developing a methodology to indicate whether a rootkit is previously known or whether it is a modified or entirely new rootkit. In this paper we present an application of our methodology to a previously unseen rootkit that was collected from the Georgia Tech Honeynet. We conduct our analysis process against this rootkit and are able to identify specific characteristics for subsequent detection of this rootkit. This ability will provide system administrators, researchers, and security personnel with the information necessary to take the best possible recovery actions. It may also help to detect and fingerprint additional instances and prevent further security incidents involving rootkits.
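The abstract describes the goal of the methodology (deciding whether a captured rootkit is known, modified, or new, and extracting characteristics usable for later detection) but not its concrete steps. The following is an added example, not code from the paper or the Georgia Tech Honeynet project, showing one simple way a defender could implement that triage: extract file hashes and printable strings from a sample, compare them against a database of previously analysed rootkits, and classify by exact hash match or string-set similarity. The database entries, the samples, the `classify` function and the 0.5 similarity threshold are all constructed assumptions for illustration.

```python
# Added example (not from the paper): classify a captured sample as a known,
# modified, or new rootkit by comparing extracted characteristics against a
# database of previously analysed rootkits. All samples and the database here
# are constructed for illustration; the paper's actual analysis steps are not
# described in the abstract.
import hashlib
import re

# Printable-ASCII runs of 6+ bytes, the same feature `strings -n 6` would extract.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")


def characterize(files):
    """Return (set of sha256 hex digests, set of printable strings) for a
    sample given as {relative_path: bytes}."""
    hashes = {hashlib.sha256(data).hexdigest() for data in files.values()}
    strings = set()
    for data in files.values():
        strings.update(m.decode("ascii") for m in STRING_RE.findall(data))
    return hashes, strings


def jaccard(a, b):
    """Similarity of two feature sets in [0, 1]."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def classify(sample_files, database, modified_threshold=0.5):
    """Compare a sample with each database entry.

    'known'    : every file hash of the sample matches a database entry exactly
    'modified' : string-level similarity to the closest entry >= threshold
    'new'      : nothing in the database resembles it
    Returns (verdict, closest_name, similarity_score).
    """
    sample_hashes, sample_strings = characterize(sample_files)
    best_name, best_score = None, 0.0
    for name, known_files in database.items():
        known_hashes, known_strings = characterize(known_files)
        if sample_hashes == known_hashes:
            return "known", name, 1.0
        score = jaccard(sample_strings, known_strings)
        if score > best_score:
            best_name, best_score = name, score
    if best_score >= modified_threshold:
        return "modified", best_name, best_score
    return "new", None, best_score


# Constructed "previously analysed" rootkit: a trojaned ls plus an install script.
KNOWN_ROOTKITS = {
    "constructed-rk-A": {
        "install.sh": b"#!/bin/sh\ncp ./ls /bin/ls\necho install complete\n",
        "ls": b"\x7fELF" + b"\x00" * 8 + b"hidden_process_filter\x00trojan ls v1.0\x00",
    },
}

# Constructed samples standing in for what a honeynet might capture.
MODIFIED_SAMPLE = {                       # same installer, re-versioned binary
    "install.sh": KNOWN_ROOTKITS["constructed-rk-A"]["install.sh"],
    "ls": b"\x7fELF" + b"\x00" * 8 + b"hidden_process_filter\x00trojan ls v1.1\x00",
}
NEW_SAMPLE = {                            # nothing in common with the database
    "setup": b"#!/bin/bash\nmake install\n",
    "mod.ko": b"\x7fELF" + b"\x00" * 8 + b"kernel_hook_sys_call\x00",
}

if __name__ == "__main__":
    for label, files in [("known copy", KNOWN_ROOTKITS["constructed-rk-A"]),
                         ("modified", MODIFIED_SAMPLE), ("new", NEW_SAMPLE)]:
        verdict, name, score = classify(files, KNOWN_ROOTKITS)
        print(f"{label:12s} -> {verdict:8s} closest={name} similarity={score:.2f}")
```

The exact-hash check catches an unchanged redistribution of a known kit, while the string-set similarity catches a re-versioned or lightly edited variant that a hash database alone would miss; the strings that differ between the closest known entry and the sample are exactly the "specific characteristics" one would record for subsequent detection.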