CHEN Liyue,SUN Xin,CHENG Tiansheng,WU Chunming,CHEN Shuangxi

DOI: https://doi.org/10.11959/j.issn.1000-0801.2020142

2020-01-01

Abstract:Rootkit is a set of persistent and undetectable attack technologies,which can hide their attack behavior and backdoor trace by modifying software or kernel in operating system and changing execution path of instruction.Firstly,the basic definition and evolution of Rootkit were introduced,then the operating principle,current mainstream technology and detection methods of Rootkit were discussed.Then,through comparative experiments on performance and security,the application of mimic defense system was described for Web based on dynamic,heterogeneous,redundant structure under Trojan Horse attack.Experiments show that mimic defense system can effectively defend against Trojan Horse in tests in the premise of low overhead.At last,the opportunities and challenges of the DHR system were summarized.

JIANG Hui,YANG Feng,DUAN Hai-xin

DOI: https://doi.org/10.3969/j.issn.1000-1220.2012.05.016

2012-01-01

Abstract:In recent years,the purpose of malicious code is changing to economic benefit instead of making damage and gain fame and glory.The malicious authors put more efforts to hide their malware.Rootkit has the characteristics of strong hidden ability and high privilege.So it is a serious threat of host security.As Hardware Virtualization Technology comes out,Rootkit extends to the outside of operating system and presents new challenges to detection technology.This paper,makes a summary of Rootkit hiding and detection technology these years,analysis the problem them facing and discusses the trends of Rootkit detection technology.

林卫亮,王轶骏,薛质

DOI: https://doi.org/10.3969/j.issn.1009-8054.2009.03.025

2009-01-01

Abstract:Rootkit is a system layer hidden mechanism and implementation program and is becoming more and more popular.It is designed to take fundamental control of a computer system,without authorization by the system owners and legitimate managers.Concealing running processes is one of the Win32 Rootkit's standard functions.In this paper,the techniques for detecting this kind of Win32 Rootkit,are studiues and implemented their advantages and disadvantages analyzed and compaired,Finally,some prospects for this technique are proposed.

LEI Xiao-yong,HUANG Xiao-ping

DOI: https://doi.org/10.3969/j.issn.1007-757x.2006.07.002

2006-01-01

Abstract:RootKits are Trojan horse backdoor tools that modify operating system software so that an attacker can keep access to and hide on a machine.This article will discuss the principle of Windows RootKit technology and Anti—RootKit technology.To protect the security of system and network,it will presents the protection policy against RootKit.

ZHANG Li

DOI: https://doi.org/10.3969/j.issn.1674-7720.2009.12.004

2009-01-01

Abstract:This paper analyses the methods of Rootkits detections of nowdays,brings a method of kernel modules compared,checks memory sections integration and hidden driver detection.This method can detect most application layer Rootkits and kernel Rootkits.

Zhang Liyun,Xue Zhi,Li Jianhua

DOI: https://doi.org/10.3969/j.issn.1009-8054.2006.11.048

2006-01-01

Abstract:The kernel-level rootkit is an import technology for hackers to open backdoor after intruding systems successfully. The article analyzes the hiding and detection principle of kernel-level rootkit, and focuses on the module binary analysis method which based on symbolic execution to detect rootkit.

RUAN Wen-bo,ZHANG Chang-he,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1671-0673.2007.02.024

2007-01-01

Abstract:RootKit is a set of powerful tools used by hackers to gain the access to the computers and make itself undetectable.This paper introduces a technique named kernel object inline hooking,which extends existing technique of code redirection,hides tracks through inline hooking of kernel object's dispatch routines.Existing detecting methodology of rootkit is difficult to detect this kind of new rootkit.So this paper illustrates a branch instruction analysis based dynamic detecting methodology of rootkit.This methodology could find running rootkit programs dynamically in the system,and point out the loading images of these rootkits.

Zhangxiang YANG,Zuhua DAI,Bo WANG

DOI: https://doi.org/10.3778/j.issn.1002-8331.1509-0167

2016-01-01

Abstract:This paper analyzes the principles of the existing Rootkit detection technology on Linux system, and further proposes a detection technology using Kprobe. The detection method collects the information of objects hidden by Rootkit by inserting probe points into the critical path in low-level kernel, and then compares the underlying information and the results from audit tools with cross-view validation principle to get the hided objects. The experiments are conducted to verify this detection method on several popular Rootkits. The results show that this technique has a good reliability.

Hu Qiuwei,Xue Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2007.01.075

2007-01-01

Abstract:There is no standardized methodology now to detect rootkits. And in most cases these capabilities only indicate that a system is infected without identifying the specific rootkit. In this paper, we introduce the basic concept of rootkit, analyze the limitation of other methods of detecting the rootkits, and at last propose a new method. This method not only indicates the existence of the rootkits, but also classifies rootkit as existing, modifications to existing, or entirely new. We also take a rootkit for example to identify the effect of this method.

Yu Zhu,Shengli Liu,Honghu Lu,Wenbin Tang

DOI: https://doi.org/10.1117/12.2012668

2013-01-01

Abstract:As the information security is concerned more and more, various defendable and detection tools appear abundantly which effectively protects system from malicious software. But some new malicious software which is more stealthy and devastating comes forth. Bootkit is a typical representation, famous for that it is underlying and injected into the bottom of system. There are few detection methods for Bootkit. New techniques are necessary and imperative to be researched to detect Bootkit. This paper analyzes the current situation of Bootkit and its detection technique, discusses probable location injected by Bootkit. A detection System for Bootkit Starting up before operating system is designed. Then its implement details are described and the effect of the detection system is validated.

Fang Wangsheng,Shao Liping,Zhang Kejun

DOI: https://doi.org/10.3969/j.issn.1008-0570.2006.33.028

2006-01-01

Abstract:According to the structure characters of portable executable file format, the methods taking advantages of redundant spaces, redundant structures and static spaces allocated to strings to embed information into PE file are introduced in this paper. To prevent the embedded data from being understood and modified, a method is provided there, which make use of translating data in other forms to disguise information. To recover the original information, a method being availed of secret sharing schemas is also given. When some embedded informations are damaged, others can be used to recover the original embedded information to keep the em- bedded data completely.

Yongqiang Zhang,Hai Bi

DOI: https://doi.org/10.1109/ncis.2011.62

2011-01-01

Abstract:Aiming at the principles how root kit malicious action by hooking System Service Dispatch Table and utilizing inline function patching, this paper presents a method of integrity detection and restoration based on kernel file, which is proved to ensure correct implementation of the kernel function.

Chien-Ming Chen,Mu-En Wu,Bing-Zhe He,Xinying Zheng,Chieh Hsing,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-06320-1_10

2014-01-01

Abstract:It is easy to discover if there are hooks in the System Service Dispatch Table (SSDT). However, it is difficult to tell whether theses hooks are malicious or not after finding out the hooks in the SSDT. In this paper, we propose a scheme that evaluates the hooks by comparing the returned results before hooking and after hooking. If a malicious hook which hides itself by the way of modifying the parameters passed to the Native API, we can easily detect the difference. Furthermore, we use a runtime detour patching technique so that it will not perturb the normal operation of user-mode programs. Finally, we focus on the existing approaches of rootkits detection in both user-mode and kernel-mode. Our method effectively monitors the behavior of hooks and brings an accurate view point for users to examine their computers.

ZHU Wei,WANG Yi-jun,XUE Zhi

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.01.030

2013-01-01

Abstract:As an efficient means of attack,Rootkit is widely used in Windows and Linux platforms. The Android system based on Linux 2.6 kernel faces risks various of this attack. Based on analysis of the Android telephone system architecture,a Rootkit attack working on Android OS is proposed,which is based on LKM(loadable kernel module) and replacement of the system call in VFS(virtual file system).

Mohammad Nadim,Wonjun Lee,David Akopian

2023-04-02

Abstract:One of the most elusive types of malware in recent times that pose significant challenges in the computer security system is the kernel-level rootkits. The kernel-level rootkits can hide its presence and malicious activities by modifying the kernel control flow, by hooking in the kernel space, or by manipulating the kernel objects. As kernel-level rootkits change the kernel, it is difficult for user-level security tools to detect the kernel-level rootkits. In the past few years, many approaches have been proposed to detect kernel-level rootkits. It is not much difficult for an attacker to evade the signature-based kernel-level rootkit detection system by slightly modifying the existing signature. To detect the evolving kernel-level rootkits, researchers have proposed and experimented with many detection systems. In this paper, we survey traditional kernel-level rootkit detection mechanisms in literature and propose a structured kernel-level rootkit detection taxonomy. We have discussed the strength and weaknesses or challenges of each detection approach. The prevention techniques and profiling kernel-level rootkit behavior affiliated literature are also included in this survey. The paper ends with future research directions for kernel-level rootkit detection.

Cryptography and Security

金戈,薛质,齐开悦

DOI: https://doi.org/10.3969/j.issn.1000-3428.2015.06.021

2015-01-01

Abstract:Bootkit originates from Rootkit and can bypass most security software through loading the malicious code during windows booting period. This paper uses formal description to depict the procedure of malicious operation hiding and develops the cooperative concealment. Because most Bootkit hide malicious PE files in disks, a PE matching algorithm is designed and implemented. This algorithm will search some byte sequences with specific pattern to find potential hidden PE files and experiments show that this algorithm can gain a high detecting accuracy towards some Bootkit samples.

mingwei zhao,rongan jiang

DOI: https://doi.org/10.1007/978-3-642-28798-5_18

2012-01-01

Abstract:As a new kind of Trojan horse which combines with the kernel Rootkit technologies, kernel Trojan horse has received a great mount of people's attention and been used a lot. However, the sensitive property of kernel Trojan which follows traditional architecture model is fully exposed to the security software, and needs kernel concealment module to complete all the hidden works, thus the concealment module is too large, easily detected by security software. Based on the analysis of Trojan collaborative concealment model, this paper improves the traditional architecture model and introduces a lightweight concealment module of pure kernel Trojan horse architecture model. Furthermore, an example which adopts the improved model is present in this paper. The experimental results verify the feasibility and efficient of the improved model. © 2012 Springer-Verlag.

Xingjun Zhang,Endong Wang,Long Xin,Zhongyuan Wu,Weiqing Dong,Xiaoshe Dong

DOI: https://doi.org/10.1109/INCoS.2011.111

2011-01-01

Abstract:The kernel-level Root kit brings operating system mortal security risk. The existing detection methods, which are based on host environment, have limitations such as high Root kit privileges, weak isolation capacity. If the detected system, which may includes Root kit, and the detection system are resided on guest and host environment respectively, those limitations can be resolved. The paper proposed a method of Root kit detection based on KVM (Kernel-based Virtual Machine) by using virtualization technology. This method adopts guest memory protection mechanism, which is based on protection of host page tables and trusted code segments, for static kernel code and data. As for dynamically allocated code and data in heap space, this method introduces integrity checking mechanism, which is based on threshold triggering of calling sequences of monitored functions. The experimental results showed that this method can prevent static code or data from Root kit attacking effectively, and also detect attacks to dynamically allocated code or data quickly.

Yong-Gang Li,Yeh-Ching Chung,Kai Hwang,Yue-Jin Li

DOI: https://doi.org/10.1109/tc.2020.3022023

2021-01-01

Abstract:Linux servers are being used in almost all clouds, datacenters and supercomputers today. Linux Kernel functions are facing a kind of malware attacks, known as rootkits with root-access capability. The rootkits appear as loadable kernel modules (LKM) in today's Linux servers. These modules hide from other kernel objects, and can redirect the kernel control flow by tampering with the metadata needed in kernel service functions. The kernel rootkits are invisible to users after loading, which may bypass most security shields. Both spatial and temporal appearance of rootkits are randomly distributed, which makes it difficult to detect or removal. To deal with rootkit threats, we propose a novel Virtual Wall (VTW) approach to filtering out the rootkit-embedded LKMs by tracing the incurred kernel activities. This VTW is essentially a lightweight hypervisor built with rootkit detection and event tracing capabilities. Normally, the Linux runs in a guest mode. When a LKM execution violates the security policy set by the VTW, the OS control will switch to a host mode. The VTW at host mode enables the detection and tracing of rootkit events timely. In other words, potential rootkit attacks are detected, traced and classified to make meaningful filtering decisions. The whole detection and tracing process is based on memory access control and event injection mechanisms. Experimental results show that the VTW defense system is effective to detect and defend against kernel rootkits timely. The CPU overhead for executing VTW is less than 2 percent. Compared with other defense schemes (such as DIKernel, etc.), our vs is easier to implement with low performance degradation on Linux servers. We will demonstrate the advantages of VTW through its simplicity in implementation and potential performance gains. We will also compare our system with seven other rootkit defense systems.

Christoph Dorner,Lukas Daniel Klausner

DOI: https://doi.org/10.1145/3664476.3670433

2024-08-01

Abstract:Addressing a critical aspect of cybersecurity in online gaming, this paper systematically evaluates the extent to which kernel-level anti-cheat systems mirror the properties of rootkits, highlighting the importance of distinguishing between protective and potentially invasive software. After establishing a definition for rootkits (making distinctions between rootkits and simple kernel-level applications) and defining metrics to evaluate such software, we introduce four widespread kernel-level anti-cheat solutions. We lay out the inner workings of these types of software, assess them according to our previously established definitions, and discuss ethical considerations and the possible privacy infringements introduced by such programs. Our analysis shows two of the four anti-cheat solutions exhibiting rootkit-like behaviour, threatening the privacy and the integrity of the system. This paper thus provides crucial insights for researchers and developers in the field of gaming security and software engineering, highlighting the need for informed development practices that carefully consider the intersection of effective anti-cheat mechanisms and user privacy.

Cryptography and Security,Computers and Society