1. Field of the Invention
The present invention relates to the field of network security and more particularly to rootkit detection and remediation.
2. Description of the Related Art
Computing security has increasingly become the focus of information technologists who participate in locally and globally accessible computer networks. In particular, with the availability and affordability of network computing, even within the small enterprise, many computers and small computer networks provide continuous access to a substantial number of end users. Notwithstanding the efficiencies gained, network computing is not without its price. Specifically, those computers and computer networks which heretofore had remained disconnected from the security risks of the Internet have now become the primary target of malicious Internet hackers, crackers and script kiddies, collectively referred to as “malicious hackers”.
Malicious hackers utilize a vast selection of tools to wreak havoc in the computing world. Whereas some tools permit the malicious hacker to launch an attack directly into a computing environment, oftentimes malicious hackers prefer to utilize an intermediary from which to launch an attack. The choice of intermediary largely relates to the desirability of malicious hackers to evade detection. To that end, malicious hackers often seek to transform a host computing platform into a “zombie” platform commanded remotely by the malicious hacker to launch an attack on trusting collegial networks.
In furtherance of the goals of the malicious hacker, a “rootkit” is a collection of programmatic tools that enable administrator-level access to a computer or computer network. Typically, a malicious hacker utilizes the rootkit first by installing the rootkit onto a host after obtaining user-level access, either by exploiting a known vulnerability or cracking a password. Once the rootkit has been installed, the rootkit allows the malicious hacker to mask intrusion and to gain root or privileged access to the host and, possibly, other devices on a common network.
A rootkit generally includes spyware and other programs that monitor traffic and keystrokes. The rootkit commonly also includes program code enabled to create a “backdoor” into a target for use by the malicious hacker. The rootkit yet further often includes program code enabled to alter log files, to attack other devices on a common network and to alter existing system tools to escape detection. Though robust in logic, rootkits have become increasingly difficult to detect while at the same time becoming more common. In this regard, rootkits can avoid detection by inserting themselves into the underlying core of the operating system, making them nearly impossible to detect while the operating system executes.
Contemporary rootkit detection software relies upon an analysis of different portions of the infected operating system during execution to identify established hooks into kernel system services of the operating system. The extent to which system services have been intercepted and modified can indicate that the safety of the system is at risk and that spyware, viruses or malware are active. Still, most skilled artisans recognize that in many system tools, such as monitoring and antivirus software, kernel hooks are the only available technique to achieve a desirable result, and thus the presence of kernel hooks alone is not sufficient to identify the presence of malware. Additionally, because the operation of hook analysis is published, it merely presents the malicious hacker with a circumvention challenge.
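The hook analysis described above, and its stated limitation, can be made concrete with a small userland model. The following C program is an added illustration written for this page; it is not code from the patent and does not implement the claimed invention. It assumes a service table of function addresses that can be compared against a clean baseline snapshot and a list of visible loaded modules, and every address, module name and function name in it is constructed for the example. Each modified entry is attributed to the module whose address range contains its new target; an entry that has been redirected into memory owned by no visible module is reported separately, because that is the case a hook alone cannot explain, whereas a hook owned by a visible monitoring driver is exactly the legitimate use the text says must not be treated as proof of malware on its own.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A loaded kernel image occupying [base, base + size). All values below are
 * constructed for the example; none are real kernel or driver addresses. */
typedef struct {
    const char *name;
    uintptr_t base;
    size_t size;
} image_range;

/* Verdict for one service-table entry. */
typedef enum {
    ENTRY_UNMODIFIED = 0,       /* still equals the clean baseline snapshot */
    ENTRY_HOOK_ATTRIBUTED = 1,  /* redirected into a module present in the visible module list */
    ENTRY_HOOK_UNATTRIBUTED = 2 /* redirected into memory owned by no visible module */
} entry_verdict;

typedef struct {
    size_t unmodified;
    size_t attributed;
    size_t unattributed;
} scan_summary;

/* Constructed module list: the kernel image itself plus one visible monitoring driver. */
const image_range demo_images[] = {
    { "kernel_image",   0x80000000u, 0x400000 },
    { "monitor_driver", 0x90000000u, 0x010000 },
};
#define DEMO_NIMAGES (sizeof demo_images / sizeof demo_images[0])

/* Constructed service table: baseline from a clean snapshot, current as read now.
 * Entry 1 is hooked by the visible monitoring driver; entry 2 points into memory
 * that no visible module owns. */
#define DEMO_NSVC 4
const uintptr_t demo_baseline[DEMO_NSVC] = { 0x80001000u, 0x80002000u, 0x80003000u, 0x80004000u };
const uintptr_t demo_current[DEMO_NSVC]  = { 0x80001000u, 0x90001234u, 0xa0000500u, 0x80004000u };

/* Return the visible image that contains addr, or NULL if none does. */
static const image_range *owner_of(uintptr_t addr, const image_range *imgs, size_t nimgs)
{
    for (size_t i = 0; i < nimgs; i++)
        if (addr >= imgs[i].base && addr < imgs[i].base + imgs[i].size)
            return &imgs[i];
    return NULL;
}

/* Classify one entry: compare with the baseline, then attribute the new target.
 * owner may be NULL if the caller does not need the module name. */
entry_verdict classify_entry(uintptr_t baseline, uintptr_t current,
                             const image_range *imgs, size_t nimgs, const char **owner)
{
    const image_range *img;
    if (current == baseline) {
        if (owner) *owner = "baseline";
        return ENTRY_UNMODIFIED;
    }
    img = owner_of(current, imgs, nimgs);
    if (img != NULL) {
        if (owner) *owner = img->name;
        return ENTRY_HOOK_ATTRIBUTED;
    }
    if (owner) *owner = "(no visible module)";
    return ENTRY_HOOK_UNATTRIBUTED;
}

/* Walk the whole table, print each hooked entry and tally the verdicts. */
scan_summary scan_service_table(const uintptr_t *baseline, const uintptr_t *current, size_t nsvc,
                                const image_range *imgs, size_t nimgs)
{
    scan_summary s = { 0, 0, 0 };
    for (size_t i = 0; i < nsvc; i++) {
        const char *owner;
        entry_verdict v = classify_entry(baseline[i], current[i], imgs, nimgs, &owner);
        if (v != ENTRY_UNMODIFIED)
            printf("service %zu: 0x%" PRIxPTR " -> 0x%" PRIxPTR " owner=%s%s\n",
                   i, baseline[i], current[i], owner,
                   v == ENTRY_HOOK_UNATTRIBUTED ? "  <-- unattributed hook" : "");
        if (v == ENTRY_UNMODIFIED) s.unmodified++;
        else if (v == ENTRY_HOOK_ATTRIBUTED) s.attributed++;
        else s.unattributed++;
    }
    return s;
}

/* Run the scan over the constructed data; expected tally is 2 / 1 / 1. */
scan_summary demo_scan(void)
{
    return scan_service_table(demo_baseline, demo_current, DEMO_NSVC, demo_images, DEMO_NIMAGES);
}

int main(void)
{
    scan_summary s = demo_scan();
    printf("unmodified=%zu attributed=%zu unattributed=%zu\n",
           s.unmodified, s.attributed, s.unattributed);
    return s.unattributed > 0 ? 1 : 0;
}
```

The attributed hook is reported but not by itself treated as an alarm, which is the distinction the text draws; the unattributed hook is the finding that warrants investigation. A real rootkit may also hide its module from the module list or modify a routine in place without changing the table entry, which is why the text notes that published hook analysis only raises the bar for circumvention rather than settling the question.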