
A New Windows Driver-Hidden Rootkit Based on Direct Kernel Object Manipulation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 5574))

Abstract

In 2005, Sony-BMG used a rootkit to conceal the digital rights management software it installed on consumers' computers to prevent unauthorized copying. As a result, computers on which that rootkit was installed provided malware with an excellent shelter from which it could easily escape anti-virus detection. We can observe that more and more malware writers are taking advantage of rootkits to shield their illegal activities. In this paper, we develop a new Windows driver-hidden rootkit with five tricks based on Direct Kernel Object Manipulation (DKOM), and have verified that it can successfully evade well-known rootkit detectors. Our research goal is to find out the weaknesses of current detectors; we expect detector developers to pay close attention to them and upgrade their products so that they can identify the proposed new rootkit. We believe our efforts will be useful in stimulating detector developers to improve current techniques for detecting Windows driver-hidden rootkits.
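The abstract does not spell out the five tricks, so the following is an added illustration, not the paper's code: a user-mode simulation of the best-known form of DKOM driver hiding, splicing a module's entry out of the kernel's doubly linked loaded-module list, together with the cross-view check that a detector can use to catch it (compare a walk of the list against a scan of the allocations the list is supposed to cover). The structure and field names mimic the Windows LIST_ENTRY / LDR_DATA_TABLE_ENTRY layout but are simplified, the module names and load addresses are constructed sample data, and nothing here touches a real kernel.

```c
/* Added example (not from the paper): simulated DKOM unlinking of a loaded
 * module and the cross-view detection that exposes it.  Layout is a
 * simplified stand-in for the kernel's LIST_ENTRY / LDR_DATA_TABLE_ENTRY. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Simplified stand-in for LDR_DATA_TABLE_ENTRY. */
typedef struct {
    LIST_ENTRY InLoadOrderLinks;   /* links this module into the loaded-module list */
    uintptr_t  DllBase;            /* hypothetical load address */
    char       BaseDllName[32];
} MODULE_ENTRY;

#define CONTAINING_RECORD(addr, type, field) \
    ((type *)((char *)(addr) - offsetof(type, field)))

/* List head playing the role of PsLoadedModuleList. */
static LIST_ENTRY g_LoadedModuleList = { &g_LoadedModuleList, &g_LoadedModuleList };

/* Backing storage playing the role of pool memory: a detector that scans
 * memory for module objects still sees these after unlinking. */
#define MAX_MODULES 8
static MODULE_ENTRY g_Pool[MAX_MODULES];
static int g_PoolUsed;

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *e) {
    e->Flink = head;
    e->Blink = head->Blink;
    head->Blink->Flink = e;
    head->Blink = e;
}

/* Simulated driver load: allocate from "pool" and link into the list. */
MODULE_ENTRY *LoadModule(const char *name, uintptr_t base) {
    if (g_PoolUsed >= MAX_MODULES) return NULL;
    MODULE_ENTRY *m = &g_Pool[g_PoolUsed++];
    memset(m, 0, sizeof *m);
    strncpy(m->BaseDllName, name, sizeof m->BaseDllName - 1);
    m->DllBase = base;
    InsertTailList(&g_LoadedModuleList, &m->InLoadOrderLinks);
    return m;
}

/* The DKOM trick: splice the entry out so that a list walk never reaches it.
 * The entry's own Flink/Blink are left pointing at the former neighbours so
 * that code later following them does not dereference garbage. */
void DkomHideModule(MODULE_ENTRY *m) {
    LIST_ENTRY *e = &m->InLoadOrderLinks;
    e->Blink->Flink = e->Flink;
    e->Flink->Blink = e->Blink;
}

/* View 1: what a tool that walks the list sees. */
int CountLinkedModules(void) {
    int n = 0;
    for (LIST_ENTRY *p = g_LoadedModuleList.Flink; p != &g_LoadedModuleList; p = p->Flink)
        n++;
    return n;
}

/* View 2: every allocated module object, linked or not.  An object present
 * here but unreachable from the list walk has been hidden.  Returns the
 * number of hidden modules and stores their names in names[]. */
int FindHiddenModules(const char *names[], int max) {
    int hidden = 0;
    for (int i = 0; i < g_PoolUsed; i++) {
        MODULE_ENTRY *m = &g_Pool[i];
        int linked = 0;
        for (LIST_ENTRY *p = g_LoadedModuleList.Flink; p != &g_LoadedModuleList; p = p->Flink)
            if (CONTAINING_RECORD(p, MODULE_ENTRY, InLoadOrderLinks) == m) { linked = 1; break; }
        if (!linked && hidden < max) names[hidden++] = m->BaseDllName;
    }
    return hidden;
}

int main(void) {
    /* Constructed sample modules; addresses are made up. */
    LoadModule("ntoskrnl.exe", 0x80400000u);
    LoadModule("hal.dll",      0x80600000u);
    MODULE_ENTRY *rk = LoadModule("evil.sys", 0xF8800000u);
    printf("before hide: %d modules in list\n", CountLinkedModules());
    DkomHideModule(rk);
    printf("after hide:  %d modules in list\n", CountLinkedModules());
    const char *found[MAX_MODULES];
    int n = FindHiddenModules(found, MAX_MODULES);
    for (int i = 0; i < n; i++) printf("cross-view: hidden module %s\n", found[i]);
    return 0;
}
```

The point of the cross-view is that unlinking changes only the list, not the object: the hidden module's memory, its driver object and its loaded code all remain, so any detector that enumerates from a second source (a pool scan, a page-table walk, or the driver object directory) rather than from the same linked list can still see it. Tricks that go further than list unlinking, such as overwriting the object's own identifying fields, are precisely what make a detector's second view unreliable, which is why the abstract frames the contribution as exposing detector weaknesses rather than the unlinking itself.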

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tsaur, WJ., Chen, YC., Tsai, BY. (2009). A New Windows Driver-Hidden Rootkit Based on Direct Kernel Object Manipulation. In: Hua, A., Chang, SL. (eds) Algorithms and Architectures for Parallel Processing. ICA3PP 2009. Lecture Notes in Computer Science, vol 5574. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03095-6_21

  • DOI: https://doi.org/10.1007/978-3-642-03095-6_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03094-9

  • Online ISBN: 978-3-642-03095-6

  • eBook Packages: Computer Science (R0)