A new battle – Rootkits on Windows
Eric Uday Kumar - Authentium Bio
The Windows platform has become an attractive target for malicious software (malware) not only because of its massive installed base but also because of the technical challenge it presents with its many undocumented APIs. In recent years, the use of stealth techniques in malware has grown tremendously. The term “rootkit” has come to be associated with malware that conceals its activities using stealth techniques, aiding and abetting its spread. Rootkits have appeared in both legitimate and illegitimate software: they are no longer confined to aiding Trojans but are found in spyware, adware, and commercial applications as well. In this paper we discuss emerging trends in rootkit technology for the Windows platform and offer a perspective on their future. We shed light on some of the popular rootkits such as NTRootkit, He4Hook, AFXRootkit, FU Rootkit and HackerDefender, and on new proof-of-concepts such as Shadow Walker and virtual-machine-based rootkits (VMBR). The use of sophisticated stealth techniques makes detecting rootkits and stopping the damage they cause a significant challenge. Online collaborative efforts, from websites and discussion groups to freely downloadable rootkit source code and binaries, have escalated this relatively new threat. With a view to counteracting it, we also discuss emerging trends and tools in rootkit detection technology, among them BlackLight, RootkitRevealer, Klister/FLISTER, IceSword and VICE. While an attacker needs to find a single hole to breach a system, the defender needs to plug all plausible avenues of attack. The paper discusses preventive measures to guard these avenues by understanding the ways of the attacker. Nonetheless, to stay abreast of malware authors, rootkit detection techniques have to evolve constantly as new techniques to “subvert” the Windows kernel are devised.

Biography

I am originally from India and moved to Louisiana, USA in August 2002 to pursue graduate studies. I graduated from the University of Louisiana at Lafayette in December 2004 with a Master's in Computer Science. My Master's thesis, titled “Abstract Stack Graph as a Representation to Detect Obfuscated Calls in Binaries”, is a static analysis method for discovering obfuscated calls: http://www.cacs.louisiana.edu/~arun/papers/uday-kumar-thesis-dec2004.pdf A related paper was published in the “Proceedings of the Fourth IEEE International Workshop on Source Code Analysis and Manipulation”: http://www.cs.virginia.edu/~soffa/cs851/stackshape-scam2004.pdf I currently work for Authentium Inc. as an Anti-Virus Research Engineer (I have been working here since June 1, 2005).