A Forced Sampled Execution Approach to Kernel Rootkit Identification

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2007)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 4637)

Abstract

Kernel rootkits are considered one of the most dangerous forms of malware because they reside inside the kernel and can perform the most privileged operations on the compromised machine. Most existing kernel rootkit detection techniques attempt to detect the existence of kernel rootkits, but cannot do much about removing them, other than booting the victim machine from a clean operating system image and configuration. This paper describes the design, implementation and evaluation of a kernel rootkit identification system for the Windows platform called Limbo, which prevents kernel rootkits from entering the kernel by checking the legitimacy of every kernel driver before it is loaded into the operating system. Limbo determines whether a kernel driver is a kernel rootkit based on its binary contents and run-time behavior. To expose the execution behavior of a kernel driver under test, Limbo features a forced sampled execution approach to traverse the driver’s control flow graph. Through a comprehensive characterization study of current kernel rootkits, we derive a set of run-time features that can best distinguish between legitimate and malicious kernel drivers. Applying a Naive Bayes classification algorithm on this chosen feature set, the first Limbo prototype is able to achieve 96.2% accuracy for a test set of 754 kernel drivers, 311 of which are kernel rootkits.
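The abstract's final step is a Naive Bayes decision over per-driver run-time feature vectors. The following added example (not Limbo's code, and not from the paper) implements that step as a Bernoulli Naive Bayes classifier with add-one smoothing; the feature names and all training vectors are constructed for illustration and are not the paper's feature set or data.

```python
"""Bernoulli Naive Bayes over boolean run-time feature vectors, one per driver.

Added illustration of the classification step named in the abstract; it is
not Limbo's code. FEATURES and TRAIN are constructed here, not from the paper.
"""
import math
from collections import defaultdict

# Hypothetical behaviours recorded while forcing execution through a driver
# (constructed labels; the paper's real feature set is not reproduced here).
FEATURES = ["patches_ssdt", "hides_object", "opens_network_socket",
            "registers_device", "writes_registry"]

# Constructed training set: (feature vector, label); 1 = behaviour observed.
TRAIN = [
    ((1, 1, 0, 0, 0), "rootkit"), ((1, 1, 1, 0, 0), "rootkit"),
    ((1, 0, 0, 0, 1), "rootkit"), ((0, 1, 1, 0, 0), "rootkit"),
    ((0, 0, 0, 1, 1), "legit"),   ((0, 0, 1, 1, 0), "legit"),
    ((0, 0, 0, 1, 0), "legit"),   ((0, 0, 1, 1, 1), "legit"),
]

def train(samples):
    """Return {label: (prior, [P(feature_i = 1 | label), ...])}."""
    counts = defaultdict(int)                          # label -> sample count
    ones = defaultdict(lambda: [0] * len(FEATURES))    # label -> per-feature 1s
    for vec, label in samples:
        counts[label] += 1
        for i, bit in enumerate(vec):
            ones[label][i] += bit
    model = {}
    for label, n in counts.items():
        # Add-one (Laplace) smoothing keeps unseen feature/class pairs off log(0).
        probs = [(ones[label][i] + 1) / (n + 2) for i in range(len(FEATURES))]
        model[label] = (n / len(samples), probs)
    return model

def classify(model, vec):
    """Return the label with the highest log posterior for one driver's vector."""
    best, best_score = None, -math.inf
    for label, (prior, probs) in model.items():
        score = math.log(prior) + sum(
            math.log(p if bit else 1.0 - p) for bit, p in zip(vec, probs))
        if score > best_score:
            best, best_score = label, score
    return best

def accuracy(model, samples):
    """Fraction of labelled samples the model classifies correctly."""
    return sum(classify(model, v) == y for v, y in samples) / len(samples)
```

With realistic data the same functions are applied to a held-out test set rather than the training set, which is how the abstract's 96.2% figure should be read.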



Editors: Christopher Kruegel, Richard Lippmann, Andrew Clark

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

Cite this paper

Wilhelm, J., Chiueh, Tc. (2007). A Forced Sampled Execution Approach to Kernel Rootkit Identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds) Recent Advances in Intrusion Detection. RAID 2007. Lecture Notes in Computer Science, vol 4637. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-74320-0_12

  • DOI: https://doi.org/10.1007/978-3-540-74320-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-74319-4

  • Online ISBN: 978-3-540-74320-0

  • eBook Packages: Computer Science (R0)
