Yu Zhu,Shengli Liu,Honghu Lu,Wenbin Tang

DOI: https://doi.org/10.1117/12.2012668

2013-01-01

Abstract:As the information security is concerned more and more, various defendable and detection tools appear abundantly which effectively protects system from malicious software. But some new malicious software which is more stealthy and devastating comes forth. Bootkit is a typical representation, famous for that it is underlying and injected into the bottom of system. There are few detection methods for Bootkit. New techniques are necessary and imperative to be researched to detect Bootkit. This paper analyzes the current situation of Bootkit and its detection technique, discusses probable location injected by Bootkit. A detection System for Bootkit Starting up before operating system is designed. Then its implement details are described and the effect of the detection system is validated.

金戈,薛质,齐开悦

DOI: https://doi.org/10.3969/j.issn.1000-3428.2015.06.021

2015-01-01

Abstract:Bootkit originates from Rootkit and can bypass most security software through loading the malicious code during windows booting period. This paper uses formal description to depict the procedure of malicious operation hiding and develops the cooperative concealment. Because most Bootkit hide malicious PE files in disks, a PE matching algorithm is designed and implemented. This algorithm will search some byte sequences with specific pattern to find potential hidden PE files and experiments show that this algorithm can gain a high detecting accuracy towards some Bootkit samples.

ZHU Yu,LIU Sheng-li,CHEN Jia-yong,GAO Hong-bo

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.07.014

2012-01-01

Abstract:Some current Bootkit samples are researched.Based on the understanding of their working principle,a common model of inserted attacking Bootkit is established.Furthermore,a Bootkit detection model is set up aimed at the model of inserted attacking Bootkit and a new detection algorithm is proposed.The new algorithm can not only detect existed samples,but also discover unknown Bootkit which is corresponding with the model of inserted attacking Bootkit.The experimental result indicates that the presented algorithm can effectively detect many kinds of Bootkit based on NT kernel which is running in Windows platform.

WANG Wen-bing,FAN Nai-mei,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.2095-476X.2012.06.023

2012-01-01

Abstract:In order to quickly detect and accurately locate a new deeply concealed Trojan Horse Bootkit,the design of exclusive detecting system to BIOS Bootkit—IBBDS was put forward:IBBDS deposited in the bootable disk,to get the system implementation authority as soon as possible,the BIOS Bootkit capture was realized in the system start-up through the detection for IVT,ISA and HOOK INT 13H module.The validity of this detection method was verified with experiment.

Yilin Zhou,Guojun Peng,Zichuan Li,Side Liu

DOI: https://doi.org/10.23919/jcc.ja.2022-0409

2024-02-13

China Communications

Abstract:According to the boot process of modern computer systems, whoever boots first will gain control first. Taking advantage of this feature, a malicious code called bootkit can hijack the control before the OS bootloader and bypass security mechanisms in boot process. That makes bootkits difficult to detect or clean up thoroughly. With the improvement of security mechanisms and the emergence of UEFI, the attack and defense techniques for bootkits have constantly been evolving. We first introduce two boot modes of modern computer systems and present an attack model of bootkits by some sophistical samples. Then we discuss some classic attack techniques used by bootkits from their initial appearance to the present on two axes, including boot mode axis and attack phase axis. Next, we evaluate the race to the bottom of the system and the evolution process between bootkits and security mechanisms. At last, we present the possible future direction for bootkits in the context of continuous improvement of OS and firmware security mechanisms.

telecommunications

CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

Zhang Liyun,Xue Zhi,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.048

2006-01-01

Abstract:The kernel-level rootkit is an import technology for hackers to open backdoor after intruding systems successfully. The article analyzes the hiding and detection principle of kernel-level rootkit, and focuses on the module binary analysis method which based on symbolic execution to detect rootkit.

RUAN Wen-bo,ZHANG Chang-he,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1671-0673.2007.02.024

2007-01-01

Abstract:RootKit is a set of powerful tools used by hackers to gain the access to the computers and make itself undetectable.This paper introduces a technique named kernel object inline hooking,which extends existing technique of code redirection,hides tracks through inline hooking of kernel object's dispatch routines.Existing detecting methodology of rootkit is difficult to detect this kind of new rootkit.So this paper illustrates a branch instruction analysis based dynamic detecting methodology of rootkit.This methodology could find running rootkit programs dynamically in the system,and point out the loading images of these rootkits.

Xingjun Zhang,Endong Wang,Long Xin,Zhongyuan Wu,Weiqing Dong,Xiaoshe Dong

DOI: https://doi.org/10.1109/INCoS.2011.111

2011-01-01

Abstract:The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.

Ronny Chevalier,Stefano Cristalli,Christophe Hauser,Yan Shoshitaishvili,Ruoyu Wang,Christopher Kruegel,Giovanni Vigna,Danilo Bruschi,Andrea Lanzi

DOI: https://doi.org/10.1145/3292006.3300026

2019-03-29

Abstract:Boot firmware, like UEFI-compliant firmware, has been the target of numerous attacks, giving the attacker control over the entire system while being undetected. The measured boot mechanism of a computer platform ensures its integrity by using cryptographic measurements to detect such attacks. This is typically performed by relying on a Trusted Platform Module (TPM). Recent work, however, shows that vendors do not respect the specifications that have been devised to ensure the integrity of the firmware's loading process. As a result, attackers may bypass such measurement mechanisms and successfully load a modified firmware image while remaining unnoticed. In this paper we introduce BootKeeper, a static analysis approach verifying a set of key security properties on boot firmware images before deployment, to ensure the integrity of the measured boot process. We evaluate BootKeeper against several attacks on common boot firmware implementations and demonstrate its applicability.

Cryptography and Security

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

LIU Heng,WEN Wei-ping,WAN Zheng-su

DOI: https://doi.org/10.3969/j.issn.1671-1122.2011.07.005

2011-01-01

Abstract:Static analysis and dynamic analysis are the two common analysis methods in malware analysis. With the anti-debugging, program packers, code obfuscation, polymorphism and variants such technologies coming out, the limitations of static analysis methods become more and more. Here is a tool to dynamic analysis Malware Code based on kernel callback and Regular Expressions, demonstrate it’s capabilities by analyzing the Fujacks .As a result ,improved the efficiency of the tool in the automating analysis.

ZHANG Li

DOI: https://doi.org/10.3969/j.issn.1674-7720.2009.12.004

2009-01-01

Abstract:This paper analyses the methods of Rootkits detections of nowdays,brings a method of kernel modules compared,checks memory sections integration and hidden driver detection.This method can detect most application layer Rootkits and kernel Rootkits.

Sun Haoliang,Wang Dawei,Zhang Ying

DOI: https://doi.org/10.1109/iccsn.2019.8905286

2019-01-01

Abstract:Nowadays, a major challenge to network security is malicious codes. However, manual extraction of features is one of the characteristics of traditional detection techniques, which is inefficient. On the other hand, the features of the content and behavior of the malicious codes are easy to change, resulting in more inefficiency of the traditional techniques. In this paper, a K-Means Clustering Analysis is proposed based on Adaptive Weights (AW-MMKM). Identifying malicious codes in the proposed method is based on four types of network behavior that can be extracted from network traffic, including active, fault, network scanning, and page behaviors. The experimental results indicate that the AW-MMKM can detect malicious codes efficiently with higher accuracy.

FU Si-yuan,LIU Gong-shen,LI Jian-hua

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.09.035

2012-01-01

Abstract:Unified Extensible Firmware Interface(UEFI) faces a grim challenges of malicious code attack.The traditional computer security software can not provide security for the firmware and operating system boot process.In order to solve the problem,this paper designs a malicious code defense system based on UEFI firmware.By using the multi-pattern matching algorithm,a signature detecting engine under UEFI environment is implemented,which provides functionally of malicious code detect,boot option analysis and firmware and operating system kernel backup.Experimental results prove that the system can effectively resist malicious code with small code size and low costs to meet the firmware's need of flash size and fast boot.

Farrukh Shahzad,M. Shahzad,Muddassar Farooq

DOI: https://doi.org/10.1016/j.ins.2011.09.016

IF: 8.1

2013-05-01

Information Sciences

Abstract:Run-time behavior of processes – running on an end-host – is being actively used to dynamically detect malware. Most of these detection schemes build model of run-time behavior of a process on the basis of its data flow and/or sequence of system calls. These novel techniques have shown promising results but an efficient and effective technique must meet the following performance metrics: (1) high detection accuracy, (2) low false alarm rate, (3) small detection time, and (4) the technique should be resilient to run-time evasion attempts.To meet these challenges, a novel concept of genetic footprint is proposed, by mining the information in the kernel process control blocks (PCB) of a process, that can be used to detect malicious processes at run time. The genetic footprint consists of selected parameters – maintained inside the PCB of a kernel for each running process – that define the semantics and behavior of an executing process. A systematic forensic study of the execution traces of benign and malware processes is performed to identify discriminatory parameters of a PCB (task_struct is PCB in case of Linux OS). As a result, 16 out of 118 task structure parameters are short listed using the time series analysis. A statistical analysis is done to corroborate the features of the genetic footprint and to select suitable machine learning classifiers to detect malware.The scheme has been evaluated on a dataset that consists of 105 benign processes and 114 recently collected malware processes for Linux. The results of experiments show that the presented scheme achieves a detection accuracy of 96% with 0% false alarm rate in less than 100ms of the start of a malicious activity. Last but not least, the presented technique utilizes partial knowledge that is available at a given time while the process is still executing; as a result, the kernel of OS can devise mitigation strategies. It is also shown that the presented technique is robust to well known run-time evasion attempts.

computer science, information systems

ZHAO Shuai,DING Bao-zhen,SHEN Bei-jun,LIN Jiu-chuan

DOI: https://doi.org/10.3969/j.issn.1002-137x.2011.12.028

2011-01-01

Computer Science

Abstract:Buffer overflow attack has been a major security problem in recent years,where attackers utilize buffer overflow vulnerabilities to control other computers.As the vehicle of attack,Shellcode is the main target of buffer overflow attack detections.Now attackers tend to employ polymorphic techniques to encode Shellcode,which makes it harder for signature-based NIDS to detect it.This paper proposed a new method to detect the Shellcode executed under MS Windows,which integrates static analysis and dynamic execution techniques.It made some new principles of Shellcode detection,which enhance both the accuracy and performance of polymorphic Shellcode detection.Then a prototype system was implemented and tested.The test results on both the accuracy and performance are quite encouraging.

Liu Gongshen,Meng Kui,Fu Siyuan

DOI: https://doi.org/10.1109/icecc.2012.196

2012-01-01

Abstract:UEFI is an international standard which describes an interface between the OS and the platform firmware. To solve the low-level attack threats to computer system, a malicious software prevention system based on UEFI firmware is proposed in this paper. By using binary signature scanning technology, a malware detecting engine under UEFI environment is implemented, whose functions include malicious code detect, boot option analysis and firmware & OS Kernel backup. It is proved that this system can prevent malicious code attacks before the platform booting into the operating system with small storage size and low performance cost.

GUAN Yun-tao,DUAN Hai-xin

2009-01-01

Abstract:With the application of polymorphism,metamorphism and packing techniques,the analysis and detection of modern malware becomes more difficult.Manual malware analysis fails to handle this situation due to its unacceptable cost and human force involvement.The author design and implement an automated malware dynamic analysis system named MwDAS using kernel hooking and filter driver technologies,which can automatically analyze malware sample,extract and detail malware's behaviors into a well-organized report.The experiment shows that MwDAS can dramatically improve the analysis efficiency.