1. Field of the Invention
The present invention relates to detection of rootkits and other malware.
2. Background Art
Typically, an operating system of a computer system includes a file system to provide users with an interface while working with data on the computer system's disk and to provide the shared use of files by several users and processes. Generally, the term “file system” encompasses the totality of all files on the disk and the sets of data structures used to manage files, such as, for example, file directories, file descriptors, free and used disk space allocation tables, and the like. Accordingly, end users generally regard the computer file system as being composed of files and a number of directories. Each file usually stores data and is associated with a symbolic name. Each directory may contain subdirectories, files or both. The files and directories are typically stored on a disk or similar storage device. File systems may provide several functions. As discussed above, the most basic task of a file system is to provide access to files. File systems may also enhance system performance with additional functions such as, for example, caching, access markers and fault-tolerance.
Operating systems such as UNIX, Linux and Microsoft Windows manage computer file systems by defining a file object hierarchy. A file object hierarchy begins with a root directory and proceeds down the file tree.
The file address is then described as an access path, e.g., a succession of directories and subdirectories leading to the file. This process of assigning a file address is called access path analysis or path traverse. For instance, the path “/r/a/b/file” contains the root directory (/), subdirectories “r”, “a” and “b” and then the file. Typically, the processes within an operating system interact with the file system with a regular set of functions. For example, these functions usually include open, close, write and other system calls. For instance, a file may be opened by the open functions and this function acquires the file name as a target.
The FAT (file allocation table) file system in MS-DOS uses a throughwrite algorithm, in which renewals are performed immediately, e.g., the cache memory is written to at the same time as main memory. Unlike careful write, this method does not demand input operations sorting from the file system to prevent a violation of integrity. The main advantage of file systems with careful write is that, in case of a failure, the disk volume remains intact and can still be used—an intermediate launch of a volume recovery utility is not required. A volume recovery utility is needed for correction of predictable, non-destructive failures of the disk integrity that occur as a result of a failure. But this type of utility can generally be run at any time, usually when the system reboots. However, file systems with careful write have some disadvantages such as, for example, low performance, redundant non-optimized accesses to a disk, among other drawbacks.
Generally, NTFS supports recovery of the file system using the concept of an atomic transaction. An atomic transaction is an operation in which either all of the steps in the operation succeed, or they all fail, e.g., either all actions of the transaction happen or none happen. Atomic transactions are commonly used to perform data modifications in a data store, where either all the data relating to the operation is successfully modified, or none of it is modified and the data remains as it was before the operation started. Accordingly, single changes on the disk composing a transaction may be performed atomically, e.g., during the transaction, all required changes are to be moved to disk. If the transaction is interrupted by a file system failure, modifications performed by the current moment are cancelled. After back-off, the database returns to the initial consistent state that it possessed before the transaction began.
Examples of journalled file systems include ReiserFS, JFS, XFS (Extended File System), ext3 and NTFS. A journaling file system may relocate the journal to another independent device to provide asynchronous access for the purposes of optimization. For instance, XFS and ReiserFS may use relocated journals.
The development of file systems demonstrates that fault-tolerance and recoverability of file systems after failures are important design considerations. To provide maximum reliability, it is necessary to periodically copy all files as an immediate copy or cast of the file system, e.g., a snapshot. By its functionality, a snapshot is very similar to the journal of a recoverable file system, as they can both restore the system to the integral state. A snapshot guarantees full data recovery, but incurs high expenses in creation and storage.
Snapshot creation generally involves sector by sector copying of the whole file system, i.e., service information and data. If the file system is currently active, then files may be modified during copying—some files can be open for writing or locked, for example. In the simplest case, the file system can be suspended for some time and during that time a snapshot is recorded. Of course, such an approach cannot be applied to servers where uninterruptible activity of the file system is necessary.
A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a “rooted” computer.
The term “rootkit” (also written as “root kit”) originally referred to a set of recompiled Unix tools such as “ps,” “netstat,” “w” and “passwd” that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain “root” on the system without the system administrator even seeing them. Generally now the term is not restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a “root” account).
A rootkit typically hides logins, processes, files, and logs and may include software to intercept data from terminals, network connections, and the keyboard.
Rootkits come in three different flavors: kernel, library and application level kits. Kernel level Rootkits add additional code and/or replace a portion of kernel code with modified code to help hide a backdoor on a computer system. This is often accomplished by adding new code to the kernel via a device driver or loadable module, such as Loadable Kernel Modules in Linux or device drivers in Microsoft Windows. Library rootkits commonly patch, hook, or replace system calls with versions that hide information about the attacker. Application level rootkits may replace regular application binaries with trojanized fakes, or they may modify the behavior of existing applications using hooks, patches, injected code, or other means. Kernel rootkits can be especially dangerous because they can be difficult to detect without appropriate software.
In any case, rootkits are usually written to the disk storage for activation after operating system restart and are hidden from the operating system during requests to the file system.
The present invention is therefore related to an operating system malware monitoring means and may be used when the operating system is exposed to attack by malicious software than could not be detected by the conventional means. “Rootkits” are difficult to detect because they are activated before the operating system has completely booted up and often allows the installation of hidden files, processes and hidden user accounts in the systems OS. Rootkits are usually embedded in operating system processes in a “filter-like” manner, so that any regular detection means of the operating system cannot get information related to hidden software or software pieces.
One of the difficulties with detecting rootkits is due to the fact that, unlike viruses, rootkits typically activate themselves when the operating system is loaded upon start up of the computer, and rootkits usually acquire system privileges. Also, rootkits typically take steps to mask their existence, and prevent conventional antivirus detection mechanisms from identifying their existence. For example, a typical antivirus program invokes a system function call to identify the processes that are currently running. The rootkit intercepts the function call, and provides its own return parameters to the antivirus software, but masks its own process. Also, the rootkit typically hides the files in which it is stored from conventional antivirus mechanisms that check whether files contain known virus signatures—in other words, the files where the rootkit is stored are never actually checked by the antivirus software. This makes rootkits particularly difficult to detect and handle.
The most common way to detect rootkits is by using snapshot in common with another file system driver for scanning disk operating system and data stored on the disk drive, so rootkit and/or virus will not be able to intercept antivirus request for virus/rootkit files.
Note that a search for hidden virus/rootkit files from the operating system and file system can be used/
Also note that search for virus/rootkit files and part of files can be used with using a data base(s) of an antivirus(es) or known virus/rootkit file names, part of file names, part of files.
This method has a significant disadvantage, since analysis of permanently changed content of the disk drive cannot be completed at any point in time. On the other hand, offline analysis of the disk content is sometimes unacceptable, if a server or computer needs to be disconnected from a network for a long time.