1. Field of the Invention
The present invention relates to the protection of computer systems. More particularly, the present invention relates to a method and apparatus for detecting hidden network communication channels of rootkits on a computer system.
2. Description of Related Art
A rootkit can be generally described as a set of programs or codes that allows the rootkit itself, and typically some additional programs or codes, to maintain an undetectable presence on a computer. As a rootkit is typically undetected by a user of a computer system, rootkits are typically categorized as malicious code.
Current computer system attackers use a variety of rootkit implementations to hide their activities on a computer system. When an attacker compromises a computer system, the rootkit typically maintains an access point into the computer system, e.g., a backdoor, that can be used to access the computer system and to pull discovered information out over a hidden communication channel.
To ensure that its activity and access point remain available, the rootkit typically hides its presence on the computer system. For example, some rootkits hide their files and processes, erase traces of their activity, and alter information returned to a user or to the computer system to conceal their presence. In addition to hiding file-related events, rootkits also hide network ports, network connections, and network-related events.
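The concealment of network ports described above is what a cross-view check is designed to expose: the port table the operating system reports is compared against an independent observation of which local ports actually accept connections, and any port present in the second view but absent from the first is a candidate hidden port. The following is an added illustration of that general check, not the method claimed in this patent. It assumes the reported view is text in the Linux /proc/net/tcp format (local address as hex IP:port, state 0A meaning LISTEN) and that the independent view is a TCP connect probe against localhost; the sample table, the probe result and port 40123 are constructed for the example.

```python
import socket


def parse_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state (0A) from /proc/net/tcp-formatted text.

    Each data line is: sl local_address rem_address st ... with addresses as HEXIP:HEXPORT.
    """
    listening = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state != "0A":  # only listening sockets are of interest here
            continue
        port_hex = local_addr.rsplit(":", 1)[1]
        listening.add(int(port_hex, 16))
    return listening


def probe_ports(ports, host="127.0.0.1", timeout=0.2):
    """Independent view: attempt a TCP connect to each port and return those that accept.

    Used on the local host only; this is the second view for the cross-view comparison.
    """
    accepting = set()
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                accepting.add(port)
    return accepting


def hidden_ports(reported, observed):
    """Ports that accept connections but are missing from the reported table."""
    return sorted(set(observed) - set(reported))


# Constructed sample of /proc/net/tcp output: one listener on port 22 (0x0016)
# and one established connection from an ephemeral port to port 22.
SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8124 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 20 4 30 10 -1
"""

# Constructed result of an independent probe: port 22 and a port (40123) that the
# reported table does not show. 40123 is an arbitrary value chosen for the example.
SAMPLE_PROBE_RESULT = {22, 40123}


def cross_view_check(proc_net_tcp_text, probe_result):
    """Run the comparison and return the candidate hidden ports."""
    reported = parse_proc_net_tcp(proc_net_tcp_text)
    return hidden_ports(reported, probe_result)


if __name__ == "__main__":
    print("reported listening:", sorted(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)))
    print("hidden candidates:", cross_view_check(SAMPLE_PROC_NET_TCP, SAMPLE_PROBE_RESULT))
```

On a live system the second view would come from `probe_ports(range(1, 65536))` rather than the constructed set, and the first from reading /proc/net/tcp (and /proc/net/tcp6) directly; a discrepancy is only a lead, since a port may legitimately open or close between the two readings, so a repeated check that shows the same port missing each time is the stronger signal.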