1. Field of the Invention
The present invention relates to computer systems and, more specifically, to a system, method and computer program product for rootkit detection.
2. Background Art
A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system, intended to conceal running processes, files or system data, which helps the intruder maintain access to the system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is referred to as a “rootkited” computer.
The term “rootkit” (also written as “root kit”) originally referred to a set of recompiled Unix tools such as “ps,” “netstat,” “w” and “passwd” that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain “root” on the system without the system administrator even seeing them. Now the term is not generally restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a “root” account).
A rootkit typically hides logins, processes, threads, registry keys, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard.
Rootkits come in three different “flavors”: kernel, library and application level kits. Kernel level rootkits add code to the kernel and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. Library rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.
Rootkits are usually written to disk storage for activation after an operating system restart and are hidden from the operating system during requests to the file system. Rootkits are difficult to detect because they are activated before the operating system has completely booted up and often allow the installation of hidden files, processes and hidden user accounts in the system's OS. Rootkits are usually embedded in operating system processes in a filter-like manner, so that the regular detection means of the operating system cannot obtain information related to hidden software or software pieces.
One of the difficulties with detecting rootkits is due to the fact that, unlike viruses, rootkits typically activate themselves when the operating system is loaded upon start up of the computer, and rootkits usually acquire system privileges. Also, rootkits typically take steps to mask their existence, and prevent conventional antivirus detection mechanisms from identifying their existence. For example, a typical antivirus program invokes a system function call to identify the processes that are currently running. The rootkit intercepts the function call, and provides its own return parameters to the antivirus software, but masks its own process. Also, the rootkit typically hides the files in which it is stored from conventional antivirus mechanisms that check whether files contain known virus signatures. In other words, the files where the rootkit is stored are never actually checked by the antivirus software, which makes rootkits particularly difficult to detect and cure.
In the context of the Microsoft Windows operating system, a rootkit operates by intercepting the system function calls (so-called Windows APIs). Interception and modification of the lower-level API functions is the mechanism that rootkits use to mask their presence in the system. Furthermore, rootkits can often mask the presence, in the system, of any descriptions of the rootkit in the process configuration settings, files and folders, registry keys, etc. Many rootkits install their own drivers and services into the system. The added drivers and services are also, obviously, masked. U.S. Pat. No. 7,032,114 describes a method of detecting a rootkit, where an initial sample is formed, after which the current sample of the operating system is compared with the initial sample, in order to identify the presence of a rootkit.
U.S. Publication Application No. 2006/0168352 describes a conventional method of disinfecting a network node, where an initial snapshot is formed, and a subsequent snapshot, formed during the reboot process, is compared to the original snapshot.
U.S. Pat. No. 6,792,556 describes a conventional method of identifying a virus and computer recovery after being infected by a virus during the boot process, where a snapshot of the system state is saved to a file, and then, during the boot process, a current boot entry is generated, and a comparison of the current boot entry with the snapshot is performed. Based on the comparison, in the case of virus presence, the system is restored from the original snapshot. Furthermore, the snapshot can take a control sum into account.
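The two conventional approaches described above, as an added illustration that is not code from any of the cited patents: a baseline snapshot of system objects keyed by a control sum is compared with a later snapshot to find added, removed or modified entries, and, for the API-interception problem described earlier, an API-based enumeration is compared with an unfiltered low-level enumeration to surface objects that are being concealed. All object names, contents and process lists are constructed sample data.

```python
# Added example: snapshot comparison with control sums, plus a cross-view
# check between an API-based and a low-level enumeration. All data is constructed.
import hashlib


def control_sum(data: bytes) -> str:
    """Checksum of an object's content; one snapshot entry per object."""
    return hashlib.sha256(data).hexdigest()


def take_snapshot(objects: dict[str, bytes]) -> dict[str, str]:
    """Snapshot = object name (boot entry, driver, file) -> control sum."""
    return {name: control_sum(content) for name, content in objects.items()}


def compare_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report entries added, removed or modified relative to the initial snapshot."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(n for n in common if baseline[n] != current[n]),
    }


def hidden_objects(api_view: set[str], low_level_view: set[str]) -> list[str]:
    """Cross-view check: objects the unfiltered enumeration sees but the
    API-based enumeration does not are candidates for rootkit concealment."""
    return sorted(low_level_view - api_view)


# Constructed data: a clean baseline of boot-time objects and a later snapshot.
BASELINE_OBJECTS = {
    "drivers/disk.sys": b"disk driver v1",
    "drivers/ntfs.sys": b"ntfs driver v1",
    "boot/entry0": b"default boot entry",
}
CURRENT_OBJECTS = {
    "drivers/disk.sys": b"disk driver v1",
    "drivers/ntfs.sys": b"ntfs driver v1 + patched hook",  # modified in place
    "boot/entry0": b"default boot entry",
    "drivers/extra.sys": b"driver added since baseline",  # added since baseline
}
# Constructed process views: the API list is missing one entry the raw walk finds.
API_PROCESSES = {"pid 4 System", "pid 512 services.exe", "pid 900 explorer.exe"}
RAW_PROCESSES = API_PROCESSES | {"pid 1337 hidden.exe"}


def run_checks() -> dict:
    diff = compare_snapshots(take_snapshot(BASELINE_OBJECTS), take_snapshot(CURRENT_OBJECTS))
    return {"snapshot": diff, "hidden": hidden_objects(API_PROCESSES, RAW_PROCESSES)}


if __name__ == "__main__":
    print(run_checks())
```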
However, most conventional methods cannot be used to detect the presence of a rootkit, due to its very nature. Furthermore, most of the conventional methods do not guarantee the detection of most rootkits that mask their existence, even where signature comparisons are used.
Accordingly, there is a need in the art for a system and method for a more effective detection and cure of rootkit infected computers.