As used herein a “threat” includes malicious software, also known as “malware” (a portmanteau word of “malicious software”) or “pestware”, which includes software that is included or inserted in a part of a processing system for a harmful purpose. The term threat should be read to include possible, potential and actual threats. Types of malware can include, but are not limited to, malicious libraries, viruses, worms, Trojans, adware, malicious active content and denial of service attacks. In the case of invasion of privacy for the purposes of fraud or theft of identity, malicious software that passively observes the use of a computer is known as “spyware”.
One of the major features in security programs is to obtain snapshots of the currently running process list and run-time module list in order to detect processes and modules that are already running in the computer. In order to enhance stealth capabilities of malware, malware authors are employing more advanced stealth methods or software, called rootkits, so that normal programs that utilize an operating system API (Application Programming Interface) or third party library are unable to detect and remove threats or malware.
Rootkits sit alongside the execution path used to obtain snapshots, intercept the transfer of control along it, and return forged information to the security program. If the rootkit is implemented as a kernel driver, the operating system's kernel data can also be modified directly.
Normally rootkits are used in combination with otherwise detectable malware. As a result, the amount of malware that a normal scan by a security program fails to detect is increasing. This is a serious problem because it leads the security program to believe that no malware exists on a particular system, thus leaving the system open to malicious activities.
A rootkit is a set of software tools frequently used by an intruder after gaining access to a computer system. These software tools are intended to conceal running processes, files or system data, which helps the intruder maintain covert or furtive access to the computer system. A rootkit is not a virus or a Trojan. Viruses modify a computer system file in order to propagate themselves. Trojans masquerade as software and provide access for a hacker. Both of these techniques are susceptible to detection.
In contrast, a rootkit is intended to allow an intruder access to a computer system without leaving any trace. The term “kit” is used because software components work collectively to achieve the desired covertness or furtiveness. A rootkit can include additional software components for other malicious behaviour, such as “key loggers” and “packet sniffers”.
In order to further enhance the stealth capabilities of rootkits, their authors are employing more advanced stealth methods, so that normal programs that utilise operating system APIs (Application Programming Interfaces) or third party libraries are unable to detect and remove rootkits.
Presently, the stealth of a rootkit, and the exploitable access to computer systems or operating systems that it provides, present a significant security threat to computer systems and networks. Often rootkits are used in combination with otherwise normally detectable threats or malware. As a result, the number of threats or malware that normal malware scanning software does not detect is increasing.
Rootkits are generally classified into two categories: (1) user mode (or application level mode) or (2) kernel mode. The former involves elementary binary file replacement while the latter embeds itself intricately into the operating system. Kernel level rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in the Linux operating system or device drivers in the Windows operating system. Kernel rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application level, or user mode, rootkits may replace regular application binaries with Trojan fakes, or they may modify the behaviour of existing applications using hooks, patches, injected code, or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect.
There are inherent limitations to any program that attempts to detect rootkits. Rootkits are collections of programs which can modify the tools or libraries upon which programs on the system depend. Some rootkits can modify the running kernel. A problem with rootkit detection is that the operating system cannot be trusted.
There are many user mode rootkits that intercept Win32 API functions using code injection and return false snapshot information to user mode application programs. Also there are instances of kernel rootkits directly modifying the operating system data structure at an arbitrary time to hide malware processes. This is called Direct Kernel Object Manipulation (DKOM).
DKOM relies upon the fact that the operating system creates kernel objects for bookkeeping and auditing. If a rootkit modifies these kernel objects, the rootkit can subvert what the operating system believes exists on the system. By modifying a token object, the rootkit can alter who the operating system believes performed a certain action, thereby subverting any logging. For example, the “FU rootkit” modifies the kernel object that represents the processes on the system. All the kernel process objects are linked. When a user process such as TaskMgr.exe queries the operating system for the list of processes through an API, Windows walks the linked list of process objects and returns the appropriate information. The FU rootkit unlinks the process object of the process it is hiding. Therefore, as far as many applications are concerned, the process does not exist.
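The unlinking described above is what makes a list-walking snapshot unreliable, and it also suggests the standard counter-measure: compare two independent views of the same kernel bookkeeping. The following model is an added illustration, not code from this specification or from any real kernel. It assumes a toy doubly linked process list (the hypothetical `ToyKernel` and `ProcessObject` names are constructed) together with a separate PID index standing in for a second kernel structure; a process unlinked from the list in the manner the text attributes to the FU rootkit disappears from the list walk but not from the index, and `cross_view_detect` reports the difference.

```python
"""Cross-view detection of a process hidden by unlinking it from the kernel's
process list (added illustration; constructed toy model, not kernel code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class ProcessObject:
    """Stand-in for a kernel process bookkeeping object (hypothetical name)."""
    pid: int
    name: str
    flink: Optional["ProcessObject"] = field(default=None, repr=False)
    blink: Optional["ProcessObject"] = field(default=None, repr=False)


class ToyKernel:
    """Circular doubly linked process list plus an independent PID index.
    The index models a second kernel structure that still references the
    object (constructed for this example)."""

    def __init__(self) -> None:
        self.head = ProcessObject(pid=0, name="<list head>")
        self.head.flink = self.head
        self.head.blink = self.head
        self.pid_index: Dict[int, ProcessObject] = {}

    def create_process(self, pid: int, name: str) -> ProcessObject:
        p = ProcessObject(pid, name)
        tail = self.head.blink          # insert at the tail of the circular list
        p.flink = self.head
        p.blink = tail
        tail.flink = p
        self.head.blink = p
        self.pid_index[pid] = p
        return p

    def walk_list(self) -> List[int]:
        """The API view: the PIDs a list-walking process snapshot returns."""
        pids = []
        cur = self.head.flink
        while cur is not self.head:
            pids.append(cur.pid)
            cur = cur.flink
        return pids

    def unlink_from_list(self, pid: int) -> None:
        """Model of the unlink the text describes: the object stays alive and
        scheduled, only its list links are removed; the PID index is untouched."""
        p = self.pid_index[pid]
        p.blink.flink = p.flink
        p.flink.blink = p.blink
        p.flink = p.blink = p           # orphaned entry points at itself


def cross_view_detect(kernel: ToyKernel) -> Set[int]:
    """Any PID present in the independent index but absent from the list walk
    has been hidden from the list-based API."""
    listed = set(kernel.walk_list())
    indexed = set(kernel.pid_index)
    return indexed - listed


def demo() -> Set[int]:
    """Constructed scenario: four processes, one unlinked; returns hidden PIDs."""
    k = ToyKernel()
    for pid, name in [(4, "System"), (812, "svchost.exe"),
                      (1337, "hidden.exe"), (2040, "TaskMgr.exe")]:
        k.create_process(pid, name)
    k.unlink_from_list(1337)
    return cross_view_detect(k)


if __name__ == "__main__":
    print("hidden PIDs:", demo())     # {1337}
```

The design point is that detection does not trust the list the rootkit controls: it needs a second enumeration the rootkit has not also patched, which is why real tools cross-check several kernel structures rather than one.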
Process:
A process is at least one of a running software program or other computing operation, or a part of a running software program or other computing operation, that performs a task. A process is a running instance of a program, including all variables and other states. A multitasking operating system may switch between processes to give the appearance of many processes executing concurrently or simultaneously, though in fact only one process can be executing at any one time per CPU thread.
Module:
A module is a software entity that groups a set of subprograms and data structures. Modules are units that can be compiled separately, which makes modules reusable and allows more than one programmer to work on different modules simultaneously. For example, in Microsoft Windows®, a module could be an executable program, a DLL (Dynamic Link Library), or a kernel driver.
Kernel Mode:
The kernel mode refers to one of the CPU (Central Processing Unit) modes that provides completely unrestricted operation of the CPU. In kernel mode, the CPU may perform any operation provided for by its architecture. Any instruction may be executed, any I/O (Input/Output) operation may be initiated, any area of memory may be accessed, etc.
User Mode:
The user mode refers to one of the CPU modes that has limited operation of the CPU. In user mode, certain restrictions on CPU operations are enforced by hardware. Typically, certain instructions are not permitted, I/O operations may not be initiated and some areas of memory cannot be accessed, etc. Usually the user mode capabilities of the CPU are a subset of the kernel mode capabilities, but in some cases (such as hardware emulation of non-native architectures), they may be significantly different from kernel capabilities, and not just a subset of them.
Kernel Driver:
A kernel driver is a specific type of software running in kernel mode, typically developed to control software and hardware devices or to provide security both for user mode application programs and the operating system.
Hash Table:
A hash table, or a hash map, is a data structure that associates keys with values. The primary operation a hash table supports is a lookup: given a key (e.g. a person's name), find the corresponding value (e.g. that person's telephone number). This works by transforming the key using a hash function into a hash, a number that the hash table uses to locate the desired value.
Hash Function:
A hash function (or Message Digest (MD)) is a technique used to establish whether a file transmitted over a network has been tampered with. A hash function uses a mathematical rule which, when applied to the file, generates a number, usually between 128 and 512 bits. This number is then transmitted with the file to a recipient who reapplies the mathematical rule to the file and compares the resulting number with the original number. If the resulting number and the original number are the same then there is a high probability that the message has not been tampered with, otherwise it is probable that the message has been tampered with.
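The sender-side and recipient-side steps just described, as an added example that is not part of the original specification. It uses SHA-256 from Python's standard library as the mathematical rule (an assumed choice; the text only says the result is usually between 128 and 512 bits), and the file contents are constructed.

```python
"""Transmit-and-verify integrity check with a cryptographic hash
(added example; SHA-256 is an assumed choice, sample data is constructed)."""
import hashlib
import hmac   # compare_digest: constant-time comparison of two digests


def digest_of(data: bytes, algorithm: str = "sha256") -> str:
    """Sender side: apply the hash function to the file, return the hex digest."""
    return hashlib.new(algorithm, data).hexdigest()


def verify(data: bytes, transmitted_digest: str, algorithm: str = "sha256") -> bool:
    """Recipient side: reapply the rule and compare with the transmitted number.
    hmac.compare_digest avoids leaking where the first mismatch is via timing."""
    return hmac.compare_digest(digest_of(data, algorithm), transmitted_digest)


def digest_bits(algorithm: str) -> int:
    """Size of the resulting number in bits for a given algorithm."""
    return hashlib.new(algorithm).digest_size * 8


def demo() -> dict:
    original = b"config_version=3\nallow_remote=false\n"   # constructed file
    tampered = b"config_version=3\nallow_remote=true\n"    # one byte changed
    sent = digest_of(original)                              # travels with the file
    return {
        "intact": verify(original, sent),      # True
        "tampered": verify(tampered, sent),    # False
        "bits": digest_bits("sha256"),         # 256
    }


if __name__ == "__main__":
    print(demo())
```

The check only detects accidental or opportunistic modification of the file: anyone who can alter the file in transit can usually alter the accompanying digest too, so the digest itself has to be delivered over an authenticated channel (or signed) for the comparison to mean anything against a deliberate attacker.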
Filter Program:
A filter program is a program that takes control of the execution of a program, and that can monitor, redirect, alter the execution path, or forge the result. A filter program can be located anywhere between one or more programs, for example in an operating system, and a file system(s). A filter program may be part of a rootkit.
File System:
A file system is a system for organising directories and files, generally in terms of how the file system is implemented in the operating system. File systems may, but need not necessarily, use a storage device, such as a hard disk, or they may be virtual and exist only as an access method for virtual data or for data over a network. More formally, a file system is a set of abstract data types that are implemented for the storage, hierarchical organisation, manipulation, navigation, access, and retrieval of data. File systems need not make use of a storage device at all; a file system can be used to organise and represent access to any data, whether it be stored or dynamically generated (e.g., from a network connection).
Computer System:
A computer system may be a type of processing system, terminal, computer or computerised device, personal computer (PC), mobile or cellular telephone, mobile data terminal, portable computer, Personal Digital Assistant (PDA), pager or any other similar type of device. The capability of such a computer system to process, request and/or receive information or data can be provided by software, hardware and/or firmware. A computer system may include or be associated with other devices, for example a local data storage device such as a hard disk drive or solid state drive. A computer with a rootkit is sometimes called a rooted computer.
There is a need for a method, system, computer program product and/or computer readable medium of instructions which addresses or at least ameliorates one or more problems inherent in the prior art.
The reference in this specification to any prior publication (or information derived from the prior publication), or to any matter which is known, is not, and should not be taken as an acknowledgment or admission or any form of suggestion that the prior publication (or information derived from the prior publication) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.