ABSTRACT
Kernel-mode rootkits hide objects such as processes and threads using a technique known as Direct Kernel Object Manipulation (DKOM). Many forensic analysis tools attempt to detect these hidden objects by scanning kernel memory with handmade signatures; however, such signatures are brittle and rely on non-essential features of these data structures, making them easy to evade. In this paper, we present an automated mechanism for generating signatures for kernel data structures and show that these signatures are robust: attempts to evade the signature by modifying the structure contents will cause the OS to consider the object invalid. Using dynamic analysis, we profile the target data structure to determine commonly used fields, and we then fuzz those fields to determine which are essential to the correct operation of the OS. These fields form the basis of a signature for the data structure. In our experiments, our new signature matched the accuracy of existing scanners for traditional malware and found processes hidden with our prototype rootkit that all current signatures missed. Our techniques significantly increase the difficulty of hiding objects from signature scanning.
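The profile-then-fuzz idea from the abstract, as an added toy example that is not the paper's code or tooling: a constructed process-like object with a stand-in for the kernel's own use of it; randomising each field shows which ones the OS depends on, only those become the signature, and a scan of a raw memory buffer with it still finds an object whose non-essential name field was wiped, while tampering with an essential field to dodge the signature leaves an object the OS rejects. The layout, field names, constants and memory contents are all constructed assumptions, not a real kernel structure.

```python
import random
import struct

# Constructed toy object layout (not a real kernel structure): (field, struct format).
LAYOUT = [("type", "<I"), ("size", "<I"), ("dirbase", "<Q"), ("flink", "<Q"), ("image_name", "16s")]
OFFSETS = {n: sum(struct.calcsize(f) for _, f in LAYOUT[:i]) for i, (n, _) in enumerate(LAYOUT)}
OBJ_SIZE = sum(struct.calcsize(f) for _, f in LAYOUT)

def parse(mem, base=0):
    return {n: struct.unpack_from(f, mem, base + OFFSETS[n])[0] for n, f in LAYOUT}
def make_obj(name, dirbase, flink):
    return struct.pack("<IIQQ16s", 3, OBJ_SIZE, dirbase, flink, name.ljust(16, b"\0"))
def os_accepts(o):
    # Stand-in for the kernel's own use of the object: only fields it depends on are validated; image_name is merely displayed.
    return (o["type"] == 3 and o["size"] == OBJ_SIZE and o["dirbase"] != 0 and o["dirbase"] & 0xFFF == 0
            and o["flink"] >= 0xFFFF800000000000 and o["flink"] & 7 == 0)

def essential_fields(samples, trials=32, seed=1):
    # Fuzz step: randomise one field of a genuine object; essential if the OS rejects nearly every mutation.
    rng, essential = random.Random(seed), []
    for name, fmt in LAYOUT:
        lo, hi = OFFSETS[name], OFFSETS[name] + struct.calcsize(fmt)
        rejected = 0
        for _ in range(trials):
            buf = bytearray(rng.choice(samples))
            buf[lo:hi] = rng.randbytes(hi - lo)
            rejected += not os_accepts(parse(buf))
        if rejected >= 0.9 * trials:
            essential.append(name)
    return essential

def build_signature(samples, fields):
    # Profile step: constant essential field -> equality test; varying one -> nonzero and aligned to its lowest set bit.
    sig = {}
    for name in fields:
        vals = [parse(s)[name] for s in samples]
        sig[name] = ("eq", vals[0]) if len(set(vals)) == 1 else ("align", min(v & -v for v in vals) - 1)
    return sig

def matches(o, sig):
    return all(o[n] == a if k == "eq" else (o[n] != 0 and o[n] & a == 0) for n, (k, a) in sig.items())
def scan(mem, pred, stride=8):  # carve candidates at every aligned offset; no list walking
    return [off for off in range(0, len(mem) - OBJ_SIZE + 1, stride) if pred(parse(mem, off))]

def build_image():
    # Constructed image: two genuine objects plus one a DKOM-style rootkit unlinked and whose non-essential name it wiped.
    genuine = [make_obj(b"system", 0x1A2000, 0xFFFF800000001000), make_obj(b"lsass", 0x3FF000, 0xFFFF800000002348)]
    hidden = make_obj(b"", 0x0C5000, 0xFFFF800000004010)
    return genuine, b"\0" * 16 + genuine[0] + b"\0" * 24 + genuine[1] + b"\xAA" * 8 + hidden
brittle = lambda o: o["type"] == 3 and o["image_name"].rstrip(b"\0").isalpha()  # handmade name-based signature
```

Running `scan(mem, brittle)` against the constructed image misses the wiped object, while a scan with `lambda o: matches(o, build_signature(genuine, essential_fields(genuine)))` finds all three.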
Index Terms: Robust signatures for kernel data structures