Abstract
In 2005, Sony-BMG used a rootkit to conceal the digital rights management software that it installed on consumers' computers to prevent unauthorized copying. As a result, computers carrying the installed rootkit offered malware an excellent shelter in which it could easily escape anti-virus detection. We can observe that more and more malware writers are taking advantage of rootkits to shield their illegal activities. In this paper, we develop a new Windows driver-hidden rootkit with five tricks based on Direct Kernel Object Manipulation (DKOM), and have verified that it can successfully avoid well-known rootkit detectors. Our research goal is to find out the weaknesses of current detectors, and we expect detector developers to pay close attention to them and upgrade their products in order to identify the proposed new rootkit. We affirm that our efforts will be useful for stimulating detector developers to improve the current techniques for detecting Windows driver-hidden rootkits.
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Tsaur, WJ., Chen, YC., Tsai, BY. (2009). A New Windows Driver-Hidden Rootkit Based on Direct Kernel Object Manipulation. In: Hua, A., Chang, SL. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2009. Lecture Notes in Computer Science, vol 5574. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03095-6_21
DOI: https://doi.org/10.1007/978-3-642-03095-6_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-03094-9
Online ISBN: 978-3-642-03095-6
eBook Packages: Computer Science (R0)