Yu Zhu,Shengli Liu,Honghu Lu,Wenbin Tang

DOI: https://doi.org/10.1117/12.2012668

2013-01-01

Abstract:As the information security is concerned more and more, various defendable and detection tools appear abundantly which effectively protects system from malicious software. But some new malicious software which is more stealthy and devastating comes forth. Bootkit is a typical representation, famous for that it is underlying and injected into the bottom of system. There are few detection methods for Bootkit. New techniques are necessary and imperative to be researched to detect Bootkit. This paper analyzes the current situation of Bootkit and its detection technique, discusses probable location injected by Bootkit. A detection System for Bootkit Starting up before operating system is designed. Then its implement details are described and the effect of the detection system is validated.

Ge Jin,Zhi Xue,Yijun Wang

DOI: https://doi.org/10.3969/j.issn.1000-386x.2015.06.013

2015-01-01

Abstract:Bootkit,a novel malicious code,grabs the right of execution by infecting MBR or VBR so that greatly advances the loading time thus disables the effective detection on it by the conventional security software based on dynamic behaviour analysis[1].We propose a novel static detection method in this paper aiming at such a difficulty of Bootkit detection,design and implement correlated MBR matching algo-rithm.Moreover,the experiment is carried out against the Bootkit malicious code sample well-known at home and abroad.Experimental re-sults show that this method can effectively detect today’s mainstream Bootkit malicious codes,and further proves the feasibility of static detec-tion idea.

金戈,薛质,齐开悦

DOI: https://doi.org/10.3969/j.issn.1000-3428.2015.06.021

2015-01-01

Abstract:Bootkit originates from Rootkit and can bypass most security software through loading the malicious code during windows booting period. This paper uses formal description to depict the procedure of malicious operation hiding and develops the cooperative concealment. Because most Bootkit hide malicious PE files in disks, a PE matching algorithm is designed and implemented. This algorithm will search some byte sequences with specific pattern to find potential hidden PE files and experiments show that this algorithm can gain a high detecting accuracy towards some Bootkit samples.

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

WANG Wen-bing,FAN Nai-mei,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.2095-476X.2012.06.023

2012-01-01

Abstract:In order to quickly detect and accurately locate a new deeply concealed Trojan Horse Bootkit,the design of exclusive detecting system to BIOS Bootkit—IBBDS was put forward:IBBDS deposited in the bootable disk,to get the system implementation authority as soon as possible,the BIOS Bootkit capture was realized in the system start-up through the detection for IVT,ISA and HOOK INT 13H module.The validity of this detection method was verified with experiment.

Yilin Zhou,Guojun Peng,Zichuan Li,Side Liu

DOI: https://doi.org/10.23919/jcc.ja.2022-0409

2024-02-13

China Communications

Abstract:According to the boot process of modern computer systems, whoever boots first will gain control first. Taking advantage of this feature, a malicious code called bootkit can hijack the control before the OS bootloader and bypass security mechanisms in boot process. That makes bootkits difficult to detect or clean up thoroughly. With the improvement of security mechanisms and the emergence of UEFI, the attack and defense techniques for bootkits have constantly been evolving. We first introduce two boot modes of modern computer systems and present an attack model of bootkits by some sophistical samples. Then we discuss some classic attack techniques used by bootkits from their initial appearance to the present on two axes, including boot mode axis and attack phase axis. Next, we evaluate the race to the bottom of the system and the evolution process between bootkits and security mechanisms. At last, we present the possible future direction for bootkits in the context of continuous improvement of OS and firmware security mechanisms.

telecommunications

Xueluan Gong,Yanjiao Chen,Huayang Huang,Weihan Kong,Ziyao Wang,Chao Shen,Qian Wang

DOI: https://doi.org/10.1109/tdsc.2023.3286842

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Deep neural networks are vulnerable to backdoor attacks, where a specially-designed trigger will lead to misclassification of any benign samples. However, existing backdoor attacks usually impose conspicuous patch triggers on images, which are easily detected by humans and defense algorithms. Existing works on invisible triggers, however, either have reduced attack success rate or yield detectable patterns to visual inspections. In this article, we propose KerbNet, a kernel-based backdoor attack framework, which applies kernel operations to clean samples as the trigger to incur misclassification. The kernel-processed samples achieve a high attack success rate while appearing natural with high Quality-of-Experience (QoE). We carefully design the kernel trigger generation algorithm by exploiting the neural network structure to propagate the influence of the trigger to the target misclassification label under the QoE constraint. We conduct extensive experiments on five datasets, i.e., MNIST, GTSRB, CIFAR-10, CelebA, and ImageNette to evaluate the effectiveness and practicality of KerbNet under the impact of various factors, including neuron-residing layer, kernel size, base image, loss function, model structure, and so on. We also show that our proposed attacks can evade state-of-the-art defense strategies and visual inspections. Code will be available after publication.

ZHANG Li

DOI: https://doi.org/10.3969/j.issn.1674-7720.2009.12.004

2009-01-01

Abstract:This paper analyses the methods of Rootkits detections of nowdays,brings a method of kernel modules compared,checks memory sections integration and hidden driver detection.This method can detect most application layer Rootkits and kernel Rootkits.

Zhang Liyun,Xue Zhi,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.048

2006-01-01

Abstract:The kernel-level rootkit is an import technology for hackers to open backdoor after intruding systems successfully. The article analyzes the hiding and detection principle of kernel-level rootkit, and focuses on the module binary analysis method which based on symbolic execution to detect rootkit.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

RUAN Wen-bo,ZHANG Chang-he,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1671-0673.2007.02.024

2007-01-01

Abstract:RootKit is a set of powerful tools used by hackers to gain the access to the computers and make itself undetectable.This paper introduces a technique named kernel object inline hooking,which extends existing technique of code redirection,hides tracks through inline hooking of kernel object's dispatch routines.Existing detecting methodology of rootkit is difficult to detect this kind of new rootkit.So this paper illustrates a branch instruction analysis based dynamic detecting methodology of rootkit.This methodology could find running rootkit programs dynamically in the system,and point out the loading images of these rootkits.

Zhangxiang YANG,Zuhua DAI,Bo WANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1509-0167

2016-01-01

Abstract:This paper analyzes the principles of the existing Rootkit detection technology on Linux system, and further proposes a detection technology using Kprobe. The detection method collects the information of objects hidden by Rootkit by inserting probe points into the critical path in low-level kernel, and then compares the underlying information and the results from audit tools with cross-view validation principle to get the hided objects. The experiments are conducted to verify this detection method on several popular Rootkits. The results show that this technique has a good reliability.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

Hu Qiuwei,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.01.075

2007-01-01

Abstract:There is no standardized methodology now to detect rootkits. And in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. In this paper, we introduce the basic concept of rootkit, analyze the limitation of other methods of detecting the rootkits, and at last propose a new method. This method not only indicates the existence of the rootkits, but also classifies rootkit as existing, modifications to existing, or entirely new. We also take a rootkit for example to identify the effect of this method.

Yong Wang,Dawu Gu,Wei Li,Jing Li,Mi Wen

DOI: https://doi.org/10.1109/ieec.2009.52

2009-01-01

Abstract:Rootkits Trojan virus, which can control attacked computers, delete import files and even steal password, are much popular now. Interrupt Descriptor Table (IDT) hook is rootkit technology in kernel level of Trojan. The paper makes deeply analysis on the IDT hooks handle procedure of rootkit Trojan according to previous other researchers methods. We compare its IDT structure and programs to find how Trojan interrupt handler code can respond the interrupt vector request in both real address mode and protected address mode. Finally, we analyze the IDT hook detection methods of rootkits Trojan by Windbg or other professional tools.

Xingjun Zhang,Endong Wang,Long Xin,Zhongyuan Wu,Weiqing Dong,Xiaoshe Dong

DOI: https://doi.org/10.1109/INCoS.2011.111

2011-01-01

Abstract:The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.1109/ncis.2011.62

2011-01-01

Abstract:Aiming at the principles how root kit malicious action by hooking System Service Dispatch Table and utilizing inline function patching, this paper presents a method of integrity detection and restoration based on kernel file, which is proved to ensure correct implementation of the kernel function.

杨彦,黄皓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2008.12.053

2008-01-01

Abstract:Rootkit is a program set which malicious software uses to conceal itself and other specific resources and actions.This paper analyzes and researches on the concealment technologies which representative rootkits on Windows platform commonly use,and classifies them into two categories: modifying kernel object data structures and changing execution paths.The technical principles are described and compared in detail.The future development directions are discussed.

ZHU Wei,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.01.030

2013-01-01

Abstract:As an efficient means of attack,Rootkit is widely used in Windows and Linux platforms. The Android system based on Linux 2.6 kernel faces risks various of this attack. Based on analysis of the Android telephone system architecture,a Rootkit attack working on Android OS is proposed,which is based on LKM(loadable kernel module) and replacement of the system call in VFS(virtual file system).

Tao ZHANG,Ying-nan JIAO,Li-jie LU,Wei-ping WEN

DOI: https://doi.org/10.3969/j.issn.1671-1122.2014.02.008

2014-01-01

Abstract:The study of suspicious sample collection system with the rule-based scanning and procedures behavior analysis based on Windows kernel driver will greatly enhance the comprehensiveness and accuracy of sample collection, and it has important signiifcance to accelerate the discovery of the virus and the virus database updates. Firstly, this paper analyzes the architecture of Windows operating system and then gives the overall system architecture of the suspicious sample collection system based on Windows kernel drivers. Finally, according to the system architecture, the paper detailed designs and implements of each module, and gives examples and the results of a test. The experiment shows that the system is capable of accurately and efifciently collect samples of suspicious information.