Countering persistent kernel rootkits through systematic hook discovery

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 5230 LNCS, Issue , 2008, Pages 21-38

  Wang, Zhi ^a   Jiang, Xuxian ^a   Cui, Weidong ^b   Wang, Xinyuan ^c  

^a NORTH CAROLINA STATE UNIVERSITY   (United States)

^b MICROSOFT RESEARCH   (United States)

^c GEORGE MASON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CONCEPT SYSTEMS; DETECTION SOFTWARES; EXECUTION PATHS; MALWARE; MANUAL ANALYSIS; NETWORK ACTIVITIES; ROOTKITS; SECURITY PROGRAMS; SYSTEMATIC APPROACHES;

COMPUTER CRIME; COMPUTER SOFTWARE; CONCURRENCY CONTROL; INTRUSION DETECTION;

HOOKS;

EID: 56549113546     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/978-3-540-87403-4_2     Document Type: Conference Paper

References (24)

1. The adore Rootkit, http: //lwn.net/Articles/75990/
2. The Hideme Rootkit, http://www.sophos.com/security/analyses/viruses-and- spyware/trojhidemea.html
3. The Strange Decline of Computer Worms, http://www.theregister.co.uk/2005/ 03/17/f-secure_websec/print.html
4. VMware, http://www.vmware.com/
5. Agrawal, H., Horgan, J.R.: Dynamic Program Slicing. In: Proceedings of ACM SIGPLAN 1990 Conference on Programming Language Design and Implementation (1990)
6. Bellard, K: QKMU, a Fast and Portable Dynamic Translator. In: Proc. of USHNIX Annual Technical Conference 2005 (FREENIX Track) (July 2005)
7. Butler, J.: R2̂: The Exponential Growth of Rootkit Techniques, http://www.blackhat.com/presentations/bh-usa-06/BH-US-0 6-Butler.pdf
8. Butler, J.: VICE2.0, http://www.infosecinstitute.com/blog/README_VICE.txt
9. Chen, S., Xu, J., Sezer, E.G., Gauriar, P., Iyer, R.: Non-Control-Data Attacks Are Realistic Threats. In: Proc. USENIX Security Symposium (August 2005)
10. Grizzard, J.B.: Towards Self-Healing Systems: Re-Establishing Trust in Compromised Systems. Ph.D. thesis, Georgia Institute of Technology (May 2006)
11. Jiang, X., Wang, X.: "Out-of-the-Box" Monitoring of VM-Based High-Interaction Honeypots. In: Krucgcl, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198-218. Springer, Heidelberg (2007)
12. Jiang, X., Wang, X., Xu, D.: "Out-of-the-Box" Semantic View Reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security (CCS 2007) (October 2007)
13. Petroni, N., Fraser, T., Walters, A., Arbaugh, W.: An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data. In: Proc. of the 15th USENIX Security Symposium (August 2006)
14. Petroni, N., Hicks, M.: Automated Detection of Persistent Kernel Control-Flow Attacks. In: Proc. of ACM CCS 2007 (October 2007)
15. Petroni, N.L., Fraser, T., Molina, J., Arbaugh, W.A.: Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor. In: Proc. of the 13th USENIX Security Symposium (August 2004)
16. PJF. IceSword, http://www.antirootkit.com/software/IceSword.htm, http://pjf.blogcn.com/
17. Rutkowska, J.: System Virginity Verifier, http://invisiblethings.org/ papers/hitb05_virginity_verifier.ppt
18. Rutkowska, J.: Rootkits vs. Stealth by Design Malware, http://invisiblethings.org/papers/rutkowska_bheurope2006.ppt
19. sd.: Linux on-the-fly kernel patching without LKM. Phrack 11(58), article 7 of 15 (2001)
20. Seshadri, A., Luk, M., Qu, N., Perrig, A.: Sec Visor: A Tiny Hypervisor to Guarantee Lifetime Kernel Code Integrity for Commodity OSes. In: Proc, of the ACM SOSP 2007 (October 2007)
21. Wang, Y., Beck, D., Vo, B., Roussev, R., Verbowski, C.: Detecting Stealth Software with Stridcr GhostBuster. In: Proc. of the 2005 International Conference on Dependable Systems and Networks (June 2005)
22. Wilhelm, J., Chiueh, T.-c.: A Forced Sampled Execution Approach to Kernel Rootldt Identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 219-235. Springer, Heidelberg (2007)
23. Yin, H., Liang, Z., Song, D.: HookFindcr: Identifying and Understanding Malware Hooking Behaviors. In: Proc. of ISOC NDSS 2008 (February 2008)
24. Zhang, X., Gupta, R., Zhang, Y.: Precise Dynamic Slicing Algorithms. In: Proc. of the IEEE/ACM International Conference on Software Engineering (May 2003)