Rootkits Sec4 Draft

From CyberSecurity
Revision as of 22:41, 25 November 2005 by Jalsalam (talk | contribs)


Section Four: Responses

Research is being conducted along several threads to combat rootkits. Common rootkit signatures are being added to security packages (references), but this approach is vulnerable both to polymorphic code and to the hiding activities that define rootkits. Other methods catalog the techniques commonly used by rootkits, such as API hooks. These methods are vulnerable because it is not guaranteed that every API a rootkit might hook can be monitored, and it is also difficult to distinguish legitimate hooks from malicious ones. Newer research pursues generalized rootkit detection methods that look for the effects of rootkits: hidden files or processes. These methods compare multiple ways of querying files or processes, ideally one “infected view” that contains the “lie” and one clean view that contains the “truth”, so that discrepancies can be found. The truth can be constructed in a variety of ways: from known good backups, from low-level APIs that are less likely to be subverted than high-level APIs, or by examining the resources from a known good operating system, which could be an external machine or a clean boot CD.

  • Signature Detection
    • MS Anti-spyware beta, big security products
  • API hooks or method detection
    • VICE
  • Multiple view comparisons
    • F-Secure BlackLight, RootkitRevealer, Strider GhostBuster