Nytro

UNVEILING THE KERNEL: ROOTKIT DISCOVERY


UNVEILING THE KERNEL: ROOTKIT DISCOVERY USING SELECTIVE AUTOMATED KERNEL MEMORY DIFFERENCING

Ahmed Zaki & Benjamin Humphrey

Sophos, UK

Email: {ahmed.zaki, benjamin.humphrey}@sophos.com

ABSTRACT

As an increasing number of automated malware analysis systems become mainstream, the emphasis on the relevance of the data extracted from the analysis task increases. Conceptually, automated malware analysis systems provide information about a sample and also identify modifications to a computer system induced by the sample. Traditionally, the focus of such analysis systems has primarily been on monitoring process, disk and network-level behaviour with varying levels of granularity. While providing a varied set of information, these systems offer limited ability to identify and classify rootkits. The very nature of rootkits makes them hard to classify (and in some cases even detect) using these scanning techniques. Kernel memory modifications can indicate that samples are trying to conceal information or hijack execution paths, thus exhibiting malicious behaviour. In an environment with a large throughput of analysis jobs, the need arises for an efficient and accurate way to identify such complex threats that could otherwise be misclassified or pass unnoticed. We present a system for identifying rootkit samples that is based on automated analysis. In this system we recognize the performance and memory constraints of a high-throughput environment; instead of monitoring modifications to the whole memory, we capture changes to data structures and memory regions that, on a Microsoft Windows operating system, are known to have been targeted by rootkits in the past. We explain the reasons behind the design decisions and how they have reflected on identifying different classes of rootkits. In our research, we also explore the effectiveness of using this model as a standalone component to identify malicious behaviour. In order to do this, we run a large set of known clean versus malicious files to identify traits that could be indicative of malicious activity.

Download: https://www.virusbtn.com/pdf/conference/vb2014/VB2014-ZakiHumphrey.pdf
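The selective differencing idea from the abstract, as an added toy model that is not code from the paper or from Sophos: only a watchlist of regions is snapshotted before and after the sample runs, and the diff flags pointers that now land outside known module ranges or tables whose entry count shrank. Region names, address ranges and the sample's changes are all constructed for illustration.

```python
from typing import Dict, List, Tuple

Finding = Tuple[str, object, str]  # (region, entry index or None, description)

# Constructed address ranges standing in for legitimate kernel modules.
KNOWN_MODULES = {"ntoskrnl": (0x80400000, 0x80800000), "hal": (0x80800000, 0x80900000)}


def in_known_module(addr: int) -> bool:
    """True if a code pointer falls inside a module we expect to own it."""
    return any(lo <= addr < hi for lo, hi in KNOWN_MODULES.values())


def snapshot(memory: Dict[str, list], watchlist: Tuple[str, ...]) -> Dict[str, tuple]:
    """Capture only the watched regions; everything else in `memory` is ignored."""
    return {name: tuple(memory[name]) for name in watchlist if name in memory}


def diff_snapshots(before: Dict[str, tuple], after: Dict[str, tuple]) -> List[Finding]:
    """Compare two selective snapshots and describe each meaningful change."""
    findings: List[Finding] = []
    for name, old_entries in before.items():
        new_entries = after.get(name)
        if new_entries is None:
            findings.append((name, None, "region missing"))
            continue
        for idx, (old, new) in enumerate(zip(old_entries, new_entries)):
            if old == new:
                continue
            if isinstance(new, int) and not in_known_module(new):
                findings.append((name, idx, "redirected outside known modules"))
            else:
                findings.append((name, idx, "changed"))
        if len(old_entries) != len(new_entries):
            findings.append((name, None, f"entry count changed {len(old_entries)} -> {len(new_entries)}"))
    return findings


def run_demo() -> List[Finding]:
    """Constructed scenario: a service table entry is hooked and a module is unlinked."""
    watchlist = ("ssdt", "module_list")          # regions historically targeted by rootkits
    memory = {
        "ssdt": [0x80501000, 0x80502000, 0x80503000, 0x80504000],
        "module_list": ["ntoskrnl", "hal", "driver.sys"],
        "scratch": [1, 2, 3],                    # unwatched, so changes here cost nothing
    }
    before = snapshot(memory, watchlist)
    memory["ssdt"][2] = 0xF7A01000               # pointer now outside every known module
    memory["module_list"].remove("driver.sys")   # module hidden from the list
    memory["scratch"][0] = 99                    # not captured by design
    return diff_snapshots(before, snapshot(memory, watchlist))
```

The unwatched region is never copied, which is the whole point of the selective approach: the cost scales with the watchlist, not with the size of kernel memory.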
