A forced sampled execution approach to kernel rootkit identification

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 4637 LNCS, Issue , 2007, Pages 219-235

  Wilhelm, Jeffrey ^a   Chiueh, Tzi Cker ^a  

^a SYMANTEC RESEARCH LABS   (United States)

Author keywords

Bayes classifier; Dynamic malware analysis; Intrusion prevention; Rootkit detection; X86 ISA emulation

Indexed keywords

CLASSIFICATION (OF INFORMATION); COMPUTER CRIME; COMPUTER OPERATING SYSTEMS; GRAPH THEORY;

BAYES CLASSIFIERS; DYNAMIC MALWARE ANALYSIS; INTRUSION PREVENTION; ROOTKIT DETECTION;

INTRUSION DETECTION;

EID: 38149096122     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-74320-0_12     Document Type: Conference Paper

References (32)

1. Altholz, N., Stevenson, L.: Rootkits for Dummies. John Wiley and Sons Ltd., Chichester (2006)
2. Avira: Avira rootkit detection, http://www.antirootkit.com/software/ Avira-Rootkit-Detection.htm
3. Butler, J.: Vice - catch the hookers! In: Conference Proceedings of Black Hat 2004 (July 2004)
4. Butler, J., Sparks, S.: Raising the bar for windows rootkit detection. Phrack 63 (July 2005)
5. Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-Aware Malware Detection. In: Proceedings of IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society Press, Los Alamitos (2005)
6. Cogswell, B., Russinovich, M.: Rootkitrevealer vl.71 (November 2006), http:// www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
7. Corporation, F.-S.: F-secure blacklight rootkit elimination technology, http://securityticker.blogspot.com/2006/05/f-secure-backlight.html
8. Corporation, S.: Norton antivirus, http://www.symantec.com/home. homeoffice/ products/overview.jsp?pcid-isftp vid-nav2006
9. Corporation, S.: Internet security threat report (September 2006), http://www.Symantec.com/enterprise/threatreport/index.jsp
10. Flake, H.: Automated reverse engineering. In: Proceedings of Black Hat 2004 (July 2004)
11. Fuzen: Fu rootkit, http://www.rootkit.com/project.php7id-12
12. Hoglund, G., Butler, J.: The companion website of the rootkit book, http ://www.rootkit.com
13. Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Reading (2005)
14. Karim, M., Walenstein, A., Lakhotia, A., Parida, L.: Malware phylogeny generation using permutations of code. European Research Journal of Computer Virology (2005)
15. Kirda, E., Kruegel, C., Banks, G., Vigna, G., Kemmerer, R.: Behavior-based spyware detectionl. In: Proceedings of Usenix Security Symposium (2006)
16. Kruegel, C., Robertson, W., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: Yew, P.-C., Xue, J. (eds.) ACSAC 2004. LNCS, vol. 3189, Springer, Heidelberg (2004)
17. Labs, M.A.: Rootkit detective, http://vil.nai.com/vil/stinger/
18. Livingston, B.: Icesword author speaks out on rootkits, http://itmanagement. earthweb.com/columns/executive.tech/article.php/351262i
19. Micro, T.: Rootkitbuster, http://www.trendmicro.com/download/rbuster.asp
20. Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: Proceedings of 2007 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2007)
21. Petroni, N., Fraser, T., Molina, J., Arbaugh, W.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of Usenix Security Symposium (August 2004)
22. Research, P.: Rootkit cleaner, http://research.pandasoftware.com/blogs/ research/archive/2006/12/14/Rootkit-cleaner.aspx
23. Rutkowska, J.: Red pill... or how to detect vmm using (almost) one cpu instruction, http://www.invisiblethings.org/papers/redpill.html
24. Rutkowska, J.: Thoughts about cross-view based rootkit detection (June 2005), http://www.invisiblethings.org/papers/crossview_detection_thoughts.pdf
25. Rutkowska, J.: Rootkits detection on windows systems. In: Proceedings of ITUnderground Conference 2004 (October 2004)
26. Rutkowska, J.: System virginity verifier: Defining the roadmap for malware detection on windows systems (September 2005),http://www. invisiblethings. org/papers/hitb05-virginity.verifier.ppt
27. Sabin, T.: Comparing binaries with graph isomorphisms, http://www.bindview.com/Services/Razor/Papers/2004/comparing.binaries.cfm
28. Sophos: Sophos anti-rootkit, http://www.sophos.com/products/free-tools/ 8ophos-anti-rootkit.html
29. Stamp, M., Wong, W.: Hunting for metamorphic engines. Journal in Computer Virology 2(3) (December 2006)
30. Wang, Y., Beck, D., Roussev, R., Verbowski, C.: Detecting stealth software with strider ghostbuster. In: Proc. Int. Conf. on Dependable Systems and Networks (DSN-DCCS) (June 2005)
31. Wang, Y., Roussev, R., Verbowski, C., Johnson, A., Wu, M., Huang, Y., Kuo, S.: Gatekeeper: Monitoring auto-start extensibility points (aseps) for spyware management. In: Proceedings of Usenix Large Installation System Administration Conference (LISA) (2004)
32. Wikipedia: Naive bayes classifier, http://en.wikipedia.org/wiki/Naive. Bayes.classifier