Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit

Abstract

More and more malware writers are taking advantage of rootkits to shield their illegal activities. Any computer security product that is not equipped with anti-rootkit functionality may fail to identify this kind of threat, so the role of a rootkit detector is becoming extremely important. Much research has focused on kernel data to develop schemes for finding malicious behavior, and these schemes undoubtedly detect hooking-based or virtual-machine-based rootkits on Linux or Windows effectively; however, they cannot foresee the outcome when confronted with unknown Windows DKOM (Direct Kernel Object Manipulation) based rootkits. In this paper, we develop a new Windows driver-hiding rootkit that uses five DKOM-based tricks, and we verify that it successfully evades a variety of well-known rootkit detectors. The paper identifies the weaknesses of current detectors and also discusses possible remedies and a solution for detecting the proposed subtle rootkit. We expect this research to contribute to the development of detection methods for Windows hidden-driver-based rootkits.

DOI: 10.1109/SocialCom.2010.127

8 Figures and Tables

Cite this paper

@article{Tsaur2010ExploringRD,
  title={Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit},
  author={Woei-Jiunn Tsaur and Yuh-Chen Chen},
  journal={2010 IEEE Second International Conference on Social Computing},
  year={2010},
  pages={842-848}
}