Hide 'n seek revisited – full stealth is back

Kimmo Kasslin, F-Secure Corporation


Rootkits are designed to hide information. They are no longer utilized only by highly skilled individuals targeting UNIX machines. Advanced Windows rootkits have emerged and are gaining popularity among intruders. The alarming news is that malware writers are adopting rootkit techniques, which allows them to create a new breed of worms, Trojans and spyware that are able to avoid detection by hiding their presence from the observer.

Traditional anti-virus and intrusion detection systems are powerless against this emerging threat since they rely on the validity of the information provided by the operating system. This information cannot be trusted if the kernel or the application programming interfaces are modified by malware.

This paper is a continuation of the academic research done by the author [1]. It provides an introduction to the state-of-the-art hiding techniques utilized by advanced Windows rootkits. This information is essential for understanding the threat and for fighting against it. In addition, new techniques for detecting hidden objects are presented. They form the foundation for the next generation of detection tools. Finally, the paper presents and analyses a new application that brings rootkit detection onto the desktop of home users.

[1] Kasslin, Kimmo, Windows Rootkits: Advanced Hiding Techniques and Counter-Measures, Master's Thesis, 2005.
