1. Field of the Invention
Embodiments of the present invention generally relate to techniques for detecting malicious software applications, such as a rootkit, and more specifically, to detecting such malicious software applications over a storage area network.
2. Description of the Related Art
As is known, the term rootkit generally refers to a set of software programs intended to conceal running processes, files or system data, allowing a system to remain compromised. Rootkits often modify parts of an operating system or install themselves as drivers or kernel modules (i.e., a dynamically loaded portion of an operating system kernel).
Methods for rootkit detection have been developed that integrate rootkit detection into traditional antivirus products. Such products may be configured to scan for the presence of a rootkit in the memory of a compromised host. However, the rootkit may be configured to recognize that a scan may be about to occur, and respond by removing itself from memory and storing itself on disk in order to hide its presence during the scan process. A “stealth” detector may be configured to find and identify a rootkit that has stored itself in this manner. Similarly, traditional antivirus products may identify the rootkit using “fingerprint” detection for rootkit files stored disk. This combined defense may force attackers to implement counter-attack mechanisms in their rootkit code that forcibly remove security software processes from memory, effectively killing the antivirus program. As with computer security threats, the detection and elimination of rootkits remains an ongoing struggle between the creators of the tools on both sides of the conflict.
A well-constructed rootkit may be very difficult to detect. Specifically, an infected operating system can no longer be trusted to accurately report on the state of memory, processes or files. For example, actions such as requesting a list of all running processes or a list of all files in a directory cannot be trusted to behave as intended by the original designers. Thus, rootkit detectors which run on live systems may work only because a given rootkit may not fully conceal its presence.
Accordingly, what is needed is a technique for detecting rootkits that do not rely on the responses provided by a compromised operating system.