Challenges in kernel-mode memory scanning

Aditya Kapoor McAfee
Rachit Mathur McAfee

  download slides (PDF)

Recent times have seen a rapid adoption of kernel-mode techniques among malware. Most new threats have at least one kernel-mode component if they do not operate entirely from the kernel. Kernel-mode memory scanners have become an imperative component of AV. This article presents a novel approach for kernel-mode memory scanning. We will reveal for the first time Avert Labs' patent-pending 'hook-based' memory scanning technology. We first explain the requirements for a memory scanner and then discuss the challenges we faced during implementation.

Obviously, an anti-virus scanner should be able to identify and clean a rootkit when the rootkit is running.

The challenge lies not only in detecting, in all cases, that something suspicious is hidden on the system, but also in detecting the rootkit from its own bytes in memory, so that it can be classified into a specific family, and in doing so in a short amount of time. We will discuss how we create efficient and extremely generic memory footprints.

Another challenge is to remove the rootkit once it has been detected. An elegant scanner should make every attempt possible to remove the rootkit safely without rebooting the computer. To achieve this, in most cases the modifications made by the rootkit need to be restored. For example, if the scanner can restore the user-mode and kernel-mode hooks, the rootkit's files may be deleted without the need for a system reboot. Restoring a hook safely is a challenging problem to solve. We will explain how this technology enables us to achieve dynamic memory restoration even in the most complex of cases, such as Mebroot (aka StealthMBR, Cutwail etc.). This is often a requirement in enterprise environments, where there are critical servers that administrators are reluctant to reboot.
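The two ideas above (a generic byte footprint that identifies the rootkit's own code, and restoring a hooked function so the rootkit can be removed without a reboot) can be illustrated with a small user-mode simulation. The following C program is an added example written for this page; it is not Avert Labs' scanner and does not show how their hook-based technology works. It constructs a fake "module" and a fake "rootkit" region in ordinary arrays, plants a 5-byte near-jump inline hook on a function prologue, detects the hook because its target lies outside the module, matches the rootkit region against a masked byte pattern, and restores the prologue from a reference copy (in a real scanner the reference would come from the on-disk image or a trusted snapshot; here it is simply a constant, which is an assumption of this example). All byte values, offsets and the prologue are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for a kernel module's code bytes (plain memory, not a real driver). */
static uint8_t module_image[64];
/* Constructed stand-in for memory owned by the rootkit. */
static uint8_t rootkit_stub[16];

/* Offset of the "function" inside the module image. */
#define FUNC_OFFSET 16

/* Constructed clean prologue: mov edi,edi ; push ebp ; mov ebp,esp.
 * Assumption: a scanner would obtain this from a trusted source such as the on-disk image. */
static const uint8_t clean_prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

/* Constructed rootkit stub: pushad ; pushfd ; call rel32 ; popfd ; popad.
 * The call target varies per infection, so the footprint below wildcards it. */
static const uint8_t stub_code[9] = { 0x60, 0x9C, 0xE8, 0x11, 0x22, 0x33, 0x44, 0x9D, 0x61 };

/* Generic footprint for the stub: mask byte 0 means "any value" at that position. */
const uint8_t rootkit_pattern[9] = { 0x60, 0x9C, 0xE8, 0x00, 0x00, 0x00, 0x00, 0x9D, 0x61 };
const uint8_t rootkit_mask[9]    = { 1,    1,    1,    0,    0,    0,    0,    1,    1    };

/* Resolve the destination of a 5-byte "E9 rel32" near jump located at p. */
uintptr_t jmp_target(const uint8_t *p) {
    int32_t rel;
    memcpy(&rel, p + 1, sizeof rel);
    return (uintptr_t)((intptr_t)(p + 5) + rel);
}

/* Returns 1 if the function starts with a near jump whose target is outside its own module. */
int has_inline_hook(const uint8_t *func, uintptr_t mod_base, size_t mod_size) {
    if (func[0] != 0xE9) return 0;
    uintptr_t t = jmp_target(func);
    return !(t >= mod_base && t < mod_base + mod_size);
}

/* Masked pattern search over a memory region; returns the match offset or -1. */
long find_footprint(const uint8_t *mem, size_t len,
                    const uint8_t *pat, const uint8_t *mask, size_t plen) {
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j;
        for (j = 0; j < plen; j++)
            if (mask[j] && mem[i + j] != pat[j]) break;
        if (j == plen) return (long)i;
    }
    return -1;
}

/* Write the trusted prologue back over the hook and confirm the write took effect. */
int restore_prologue(uint8_t *func, const uint8_t *reference, size_t n) {
    memcpy(func, reference, n);
    return memcmp(func, reference, n) == 0;
}

/* Build the constructed scenario: a clean module, then an inline hook pointing at the stub. */
void setup_hooked_module(void) {
    memset(module_image, 0x90, sizeof module_image);       /* nop padding */
    memcpy(module_image + FUNC_OFFSET, clean_prologue, sizeof clean_prologue);
    memcpy(rootkit_stub, stub_code, sizeof stub_code);
    uint8_t *func = module_image + FUNC_OFFSET;
    int32_t rel = (int32_t)((intptr_t)rootkit_stub - (intptr_t)(func + 5));
    func[0] = 0xE9;                                         /* jmp rel32 -> rootkit_stub */
    memcpy(func + 1, &rel, sizeof rel);
}

/* One scan pass: 0 = nothing to do, 1 = hook found and restored, -1 = restore failed. */
int scan_and_clean(void) {
    uint8_t *func = module_image + FUNC_OFFSET;
    uintptr_t base = (uintptr_t)module_image;
    if (!has_inline_hook(func, base, sizeof module_image)) return 0;
    long hit = find_footprint((uint8_t *)jmp_target(func), sizeof rootkit_stub,
                              rootkit_pattern, rootkit_mask, sizeof rootkit_pattern);
    if (hit < 0) return 0;                                  /* unknown hook: leave it alone */
    if (!restore_prologue(func, clean_prologue, sizeof clean_prologue)) return -1;
    return has_inline_hook(func, base, sizeof module_image) ? -1 : 1;
}

int main(void) {
    setup_hooked_module();
    printf("scan result: %d\n", scan_and_clean());          /* prints "scan result: 1" */
    return 0;
}
```

The scan only restores a prologue when the jump target also matches the rootkit's footprint; a jump to unrecognised code is reported but left in place, since blindly overwriting an unknown hook (for example one installed by another legitimate product) is how a scanner crashes the machine it is trying to avoid rebooting.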

Finally, we outline the advantages of this approach, such as how it eliminates the need for us to release stand-alone tools for specific threats, allowing us to deliver robust solutions through normal signature updates.
