Detecting stealth software with Strider GhostBuster

Proceedings of the International Conference on Dependable Systems and Networks

Volumn , Issue , 2005, Pages 368-377

  Wang, Yi Min ^a   Beck, Doug ^a   Vo, Binh ^a   Roussev, Roussi ^a   Verbowski, Chad ^a  

^a MICROSOFT RESEARCH   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER SOFTWARE - STRIDER GHOSTBUSTER; MALWARES; RESOURCE HIDING; STEALTH SOFTWARE;

COMPUTER CRIME; COMPUTER PROGRAMMING; INTERNET; RESOURCE ALLOCATION; USER INTERFACES;

COMPUTER SOFTWARE;

EID: 27544461178     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (71)

1. [AID] Working with the AppInit_DLLs registry value, http://support. microsoft.com/kb/q197571/.
2. [B99] D. Brumley, "Invisible Intruders: Rootkits In Practice," ;login: The Magazine of USENIX and SAGE, http://www.usenix.org/publications/ login/1999-9/features/rootkits.html, 1999.
3. [BNG+04] A. Bohra, I. Neamtiu, P. Gallard, F. Sultan, and L. Iftode, "Remote Repair of Operating System State Using Backdoors," in Proc. Int. Conf. on Autonomic Computing (ICAC), pp. 256-263, May 2004.
4. [D] Chapter 7 - Disk, File System, and Backup Utilities, Microsoft TechNet, http://www.microsoft.com/technet/prodtechnol/winntas/support/utilitys. mspx.
5. [HB99] Galen Hunt and Doug Brubacher. "Detours: Binary Interception of Win32 Functions," in Proc. the 3rd Usenix Windows NT Symposium, pp. 135-143, July 1999 (http://research.microsoft.com/sn/detours/).
6. [IFS] IFS Kit - Installable File System Kit, http://www.microsoft.com/ whdc/devtools/ifskit/default.mspx.
7. [J01] K. Jones, "Loadable kernel modules," ;login: The Magazine of USENIX and SAGE, http://www.usenix.org/Publications/login/2001-11/pdfs/ jones2.pdf, Nov. 2001.
8. [KJ03] Rick Kennell and Leah H. Jamieson, "Establishing the Genuinity of Remote Computer Systems," In Proc. USENIX Security Symposium, August 2003
9. nd ACM Conf. on Computer and Communications Security, pp. 18-29, Nov. 1994.
10. [MSDN] Naming a File, http://msdn.microsoft.com/library/default.asp?url=/ library/enus/fileio/base/naming_ a_file.asp.
11. [PE] Process Explorer, http:/www.sysinternals.com/ntw2k/freeware/procexp. shtml.
12. [PF] How to Disable the Prefetcher Component in Windows XP, http://support.microsoft.com/?kbid=307498.
13. [PFM+04] Nick L. Petroni, Jr., Timothy Fraser, Jesus Molina, and William A. Arbaugh, "Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor," in Proc. Usenix Security Symposium, Aug. 2004
14. [R00] John Robbins, Debugging Applications, 2000.
15. [RIS] Remote Installation Services, http://www.microsoft.com/windows2000/ en/datacenter/help/default.asp?url=/windows2000/en/datacenter/help/ sag_RIS_Default_topnode.htm.
16. [SPDK04] A. Seshadri, A. Perrig, L. van Doom, and P. Khosla, "SWATT: SoftWare-based ATTestation for Embedded Devices," in Proc. IEEE Symp. on Security and Privacy, May 2004
17. [SR] Windows XP System Restore, http://msdn.microsoft.com/library/ default.asp?url=/library/enus/dnwxp/html/windowsxpsystemrestore.asp.
18. [SRM] System Restore Monitored File Extensions, http.//msdn.microsoft. com/library/default.asp?url=/library/enus/sr/sr/monitored_file_extensions.asp.
19. [SR00] D. A. Solomon and M. E. Russinovich, Inside Microsoft Windows 2000, Third Edition, 2000.
20. [W04] "Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files," Yi-Min Wang, Usenix Security Symposium, Work-in-Progress Report presentation, http://www.usenix.org/events/sec04/tech/wips/, Aug. 2004.
21. [WPE] Microsoft Windows Preinstallation Environment (Windows PE), http://www.microsoft.com/licensing/programs/sa/support/winpc.mspx.
22. [WR+04] Yi-Min Wang, et al., "AskStrider: What Has Changed on My Machine Lately?", Microsoft Research Technical Report MSR-TR-2004-03, Jan. 2004.
23. [WRV+04] Yi-Min Wang, Roussi Roussev, Chad Verbowski, and Aaron Johnson, "Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management," in Proc. Usenix LISA, Nov. 2004.
24. [WVD+03] Yi-Min Wang, et al., "STRIDER: A Black-box, State-based Approach to Change and Configuration Management and Support," Proc. Usenix Large Installation Systems Administration (LISA) Conference, pp. 159-171, October 2003.
25. [WVS03] Yi-Min Wang, Chad Verbowski, and Daniel R. Simon, "Persistent-state Checkpoint Comparison for Troubleshooting Configuration Failures", in Proc. IEEE DSN, June 2003.
26. [WVR+04] Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, and Aaron Johnson, "Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files," Microsoft Research Technical Report MSR-TR-2004-71, July 2004.
27. [XA04] "Alarm growing over bot software," (DOS attacks), CNET News.com, http://news.zdnet.com/2100-1009_22-5202236.html, April 2004.
28. [XG03] "Guilty Plea in Kinko's Keystroke Caper," (stealing online banking passwords), Security Focus, July 18, 2003.
29. [XG04] "Gone Flushing: Web Scam Takes Dangerous Turn," (stealing online banking passwords), Wall Street Journal, May 27, 2004.
30. [XP03] Kevin Poulsen, "Windows Root Kits a Stealthy Threat," SecurityFocus, http://www.securityfocus.com/news/2879, Mar 5 2003.
31. [XP04] "Phishers tapping botnets to automate attacks", (phishing), The Register, http://www.theregister.co.uk/2004/11/26/anti- phishing_report/, Nov. 26, 2004.
32. [XS04] "Spreading Web Virus Aims to Steal Financial Data," Reuters, June 25, 2004.
33. [XW04] "White collar virus writers make cash from chaos," (dialers, spamming), The Register, http://www.theregister.co.uk/2004/12/07/ sophos_av_review_2004/, Dec. 2004.
34. [XZ04] "Zombie PCs: Silent, Growing Threat," PC World, http://www.pcworld.com/news/article/0,aid,116841,00.asp, July 2004.
35. [YA03] A. Chuvakin, "An Overview of Unix Rootkits," iALERT White Paper, iDefense Labs, http://www.megasecurity.org/papers/Rootkits.pdf, February 2003.
36. [YB] BIOS and Flash Utilities, http://h20000.www2.hp.com/bizsupport/ TechSupport/DriverDownload.jsp?pnameOID=100870&locale=en_US&taskId=135 &refresh=true&prodTypeld= 12454&prodSeriesId=96495&sw-EnvOID= 1093#2663.
37. [YB04] C. Boyd, "Xpire/Splitinfinity.info Server Hack and Malware injection using IFRAMES Vulnerability - Condensed Version," http://www.spywarewarrior.com/xpire-splitinfinitv-serverhack_malwareinstall- condensed.pdf.
38. [YC] The chkrootkit tool, http://www.chkrootkit.org/.
39. [YC04] "Nasty New Parasite," (stealth spyware), Spyware Weekly Newsletter, http://www.spywareinfo.com/newsletter/archives/0604/8.php, June 8, 2004.
40. [YC98] Silvio Cesare, "Runtime kernel kmem patching," http://vx.netlux.org/lib/vsc07.html, Nov. 1998.
41. [YH] Hidden Registry Keys, http//www.sysinternals.com/ntw2k/info/tips. shtml#registryhidden.
42. [YH03] "How to become unseen on Windows NT," http://rootkit.host.sk/knowhow/hidingen.txt, May 8, 2003.
43. [YI] Ivo Ivanov, "API hooking revealed", http://www. codeproject.com/system/hooksys.asp.
44. [YJ] A. R. Jones, "A Review of Loadable Kernel Modules," http://www.giac.org/practical/gsec/Andrew_Jones_GSEC.pdf.
45. [YK] Tan Chew Keong, "ApiHookCheck Version 1.01," http://www.security.org.sg/code/apihookcheck.html, April 15, 2004.
46. [YK04] Tan Chew Keong, "Win2K Kernel Hidden Process/Module Checker 0.1 (Proof-Of-Concept)," http://www.security.org.sg/code/kproccheck.html. May 23, 2004.
47. [YKS] KSTAT - Kernel Security Therapy Anti-Trolls, http://s0ftpj.org/en/ tools.html.
48. [YL01] "Linux on-the-fly kernel patching without LKM", http://www.phrack.org/phrack/58/p58-0x07, Phrack Magazine, Dec. 2001.
49. [YN04] "NTIllusion - A portable Win32 userland rootkit.txt," Phrack Magazine, July 13, 2004.
50. [YO03] OpioN, "Kernel Rootkits Explained", http://www.ebcvg. com/articles.php?id=124, March 2003.
51. [YT04] C. K. Tan, "Defeating Kernel Native API Hookers by Direct Service Dispatch Table Restoration," http://www.security.org.sg/code/ SIG2_DefeatingNativeAPIHookers.pdf, July 2004.
52. [YV04] VICE - Catch the hookers! http://www.blackhat.com/presentations/ bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf.
53. [YW98] "Weakening the Linux Kernel," Phrack Magazine, http://www.phrack.org/phrack/52/P52-18, Jan. 1998.
54. [ZA] API Hook SDK 2.12, http://www.devarchive.com/fl709.html.
55. [ZAF] Aphex - AFX Windows Rootkit 2003, http://www.iamaphex.cjb.net.
56. [ZAH] Advanced Hide Folders, http://www.hide-folders.biz/.
57. [ZB] Berbew, http://securityresponse.symantec.com/avcenter/venc/data/ backdoor.berbew.j.html.
58. [ZD] Darkside rootkit, http://www.antiserver.it/backdoor-rootkit/.
59. [ZF] File & Folder Protector, http://www.softheap.com/ffp.html.
60. [ZFU] The FU Rootkit, http://www.rootkit.com/vault/fuzen_op/FU_Rootkit. zip.
61. [ZH] Hacker Defender, http://rootkit.host.sk/.
62. [ZHF] Hide Files 3.3, http://www.tomdownload.com/new_add/new20031128/ hide_files_folders.htm.
63. [ZHO] Hide Folders XP, http://www.fspro.net/downloads.html.
64. [ZK] Knark LKM-rootkit, http://www.sans.org/resources/idfaq/knark.php.
65. [ZP] ProBot SE Monitoring Software, http://www.nethunter.cc/index.php?id= 14.
66. [ZR] RootKits, http://www.rootkit.com/.
67. [ZS] Superkit rootkit, http://www.remoteassessment.com/darchive/ 191006794.html.
68. [ZT] The T0rnkit rootkit, http://www.europe.f-secure.com/vdescs/tom. shtml.
69. [ZU] The Urbin Trojan, http://vil.nai.com/vil/content/v_125663.htm.
70. [ZV] Vanquish, https://www.rootkit.com/project.phD?id=9.
71. [ZVI] Vice, http://www.rootkjt.com/project.php?id=20.