Formal model proposal for (malware) program stealth

Eric Filiol Virology and Cryptology Lab, Army Signals Academy

  download slides (PDF)

Recent advances in stealth techniques have dramatically increased the malware hazard. Rootkits such as SubVirt or BluePill, in particular, have strongly challenged the classical capabilities of malware detection.

In this paper, we formalize stealth and rootkit technologies in a far different way than is typically done, that is to say, not merely as a more or less complex set of hooks and kernel subversions.

By comparing stealth and rootkits to steganographic techniques, we propose a new information-theoretic formalisation that enables us to define the problem of stealth detection in a more powerful and higher-level way than the existing ones. Consequently, it yields new perspectives on what detection of stealth really is and on how to address the problem on a practical basis. In particular, this modelling gives clues and potential practical approaches for detecting the most recent rootkit techniques such as SubVirt or BluePill.
