Abstract
Kernel rootkits are considered one of the most dangerous forms of malware because they reside inside the kernel and can perform the most privileged operations on the compromised machine. Most existing kernel rootkit detection techniques attempt to detect the existence of kernel rootkits, but cannot do much about removing them, other than booting the victim machine from a clean operating system image and configuration. This paper describes the design, implementation and evaluation of a kernel rootkit identification system for the Windows platform called Limbo, which prevents kernel rootkits from entering the kernel by checking the legitimacy of every kernel driver before it is loaded into the operating system. Limbo determines whether a kernel driver is a kernel rootkit based on its binary contents and run-time behavior. To expose the execution behavior of a kernel driver under test, Limbo features a forced sampled execution approach to traverse the driver’s control flow graph. Through a comprehensive characterization study of current kernel rootkits, we derive a set of run-time features that can best distinguish between legitimate and malicious kernel drivers. Applying a Naive Bayes classification algorithm on this chosen feature set, the first Limbo prototype is able to achieve 96.2% accuracy for a test set of 754 kernel drivers, 311 of which are kernel rootkits.
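The classification step the abstract describes, as an added illustration that is not code from the paper: a Bernoulli Naive Bayes classifier over boolean run-time behaviour features observed for each kernel driver, with Laplace smoothing, evaluated for accuracy on a labelled set. The feature names and the labelled driver set are constructed assumptions; the abstract does not list the paper's actual feature set.

```python
from collections import Counter
from math import log

# ASSUMED feature names for illustration only; the paper's real feature set
# is derived from its rootkit characterization study and is not given here.
FEATURES = ["hooks_ssdt", "patches_kernel_code", "unlinks_eprocess",
            "registers_device", "uses_irp_dispatch", "hides_driver_object"]

# Constructed labelled training data: (set of features observed, label).
TRAIN = [
    ({"hooks_ssdt", "unlinks_eprocess", "hides_driver_object"}, "rootkit"),
    ({"hooks_ssdt", "patches_kernel_code", "hides_driver_object"}, "rootkit"),
    ({"patches_kernel_code", "unlinks_eprocess"}, "rootkit"),
    ({"hooks_ssdt", "unlinks_eprocess", "registers_device"}, "rootkit"),
    ({"registers_device", "uses_irp_dispatch"}, "legitimate"),
    ({"registers_device", "uses_irp_dispatch"}, "legitimate"),
    ({"uses_irp_dispatch"}, "legitimate"),
    # a legitimate security product that hooks the SSDT, to avoid a single
    # feature deciding the class on its own
    ({"registers_device", "uses_irp_dispatch", "hooks_ssdt"}, "legitimate"),
]

# Constructed held-out drivers used to measure accuracy.
TEST = [
    ({"hooks_ssdt", "unlinks_eprocess"}, "rootkit"),
    ({"patches_kernel_code", "hides_driver_object"}, "rootkit"),
    ({"registers_device", "uses_irp_dispatch"}, "legitimate"),
    ({"hooks_ssdt", "registers_device", "uses_irp_dispatch"}, "legitimate"),
]

class BernoulliNB:
    """Naive Bayes over boolean features with additive (Laplace) smoothing."""
    def __init__(self, alpha=1.0):
        self.alpha = alpha
    def fit(self, samples):
        self.n = len(samples)
        self.class_count = Counter(label for _, label in samples)
        self.feat_count = {c: Counter() for c in self.class_count}
        for feats, label in samples:
            self.feat_count[label].update(feats)
        return self
    def log_posterior(self, feats):
        scores = {}
        for c, nc in self.class_count.items():
            s = log(nc / self.n)  # class prior
            for f in FEATURES:   # P(f present | c), smoothed over 2 outcomes
                p = (self.feat_count[c][f] + self.alpha) / (nc + 2 * self.alpha)
                s += log(p) if f in feats else log(1 - p)
            scores[c] = s
        return scores
    def predict(self, feats):
        scores = self.log_posterior(feats)
        return max(scores, key=scores.get)

def accuracy(model, samples):
    return sum(model.predict(f) == lbl for f, lbl in samples) / len(samples)
```

Absent features contribute `log(1 - p)` rather than being ignored, which is what lets a driver that only registers a device and dispatches IRPs score as legitimate even though a rootkit may also do both.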
Copyright information
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wilhelm, J., Chiueh, Tc. (2007). A Forced Sampled Execution Approach to Kernel Rootkit Identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_12
DOI: https://doi.org/10.1007/978-3-540-74320-0_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-74319-4
Online ISBN: 978-3-540-74320-0
eBook Packages: Computer Science (R0)