1. Field of the Invention
Embodiments of the present invention generally relate to computer security and, more particularly, to a method and apparatus for detecting a rootkit within a computer system.
2. Description of the Related Art
Many computing environments (e.g., computer networks, home computers and the like) are constantly on alert for attacks orchestrated through various programs. Typically, the various programs (e.g., sets of processor-executable instructions) are developed by attackers (e.g., hackers) who desire to disrupt the operations of the computing environment. For example, rootkits are employed to illegitimately obtain system administrator rights to the computing environment and to use the system administrator status to exert command and control over various components of the computing environment.
Rootkits generally comprise software programs that enable the attacker to become the system administrator. Typically, the attacker installs the rootkit on a computer after first obtaining user-level access, either by exploiting a known vulnerability or by cracking a password. Once the rootkit is installed, it allows the attacker to mask the intrusion and avoid detection by known anti-rootkit methods, as well as to gain privileged access (e.g., root or system administrator level access) to the computer and, possibly, to other computers in the computing environment. With privileged access, the attacker can execute files and change system configurations. The attacker may also access operating system log files and/or covertly spy on the computer and/or the computing environment.
Anti-rootkit detection and/or removal software developers and rootkit developers are playing a game of cat and mouse in which each side develops software to overcome an improvement developed by the other side. For example, the rootkit developers almost immediately create software to avoid detection by the latest anti-rootkit software. For example, various types of anti-rootkit software detect rootkits by comparing file names read from the Master File Table (MFT) records with file names returned from one or more functions (e.g., FindFirstFile( ), FindNextFile( ) and the like) implemented in the WIN32 (i.e., Windows 32-bit) Application Programming Interface (API). Discrepancies identified by the comparison indicate the presence of the rootkit. Rootkit developers, however, quickly modified their methodology and masked their intrusion from the above detection mechanism, thereby rendering the various types of anti-rootkit software ineffective.
Therefore, there is a need for a method and apparatus for efficiently detecting a rootkit within a computer system when the rootkit modifies file system information.
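The MFT-versus-Win32-API comparison described in the related art, as an added illustrative example in Python that is not part of the patent: both directory views are constructed sample data, and a real tool would obtain the MFT view by parsing the volume's $MFT and the API view from FindFirstFile( )/FindNextFile( ). This is the cross-view check that the text says rootkits subsequently learned to evade.

```python
# Cross-view comparison of file names from NTFS MFT records against the names
# a Win32 directory listing (FindFirstFile/FindNextFile) returns. An MFT record
# none of whose names appears in the API view is reported as a hidden file.

# NTFS metadata files live in the MFT but are never returned by the Win32
# directory API, so they are excluded to avoid false positives.
NTFS_METAFILES = {
    "$mft", "$mftmirr", "$logfile", "$volume", "$attrdef", "$bitmap",
    "$boot", "$badclus", "$secure", "$upcase", "$extend",
}


def _fold(name: str) -> str:
    # NTFS name matching is case-insensitive, so compare case-folded names.
    return name.casefold()


def cross_view_diff(mft_records, api_names):
    """Return (hidden, phantom): hidden = MFT records with no name visible
    through the API; phantom = API names with no backing MFT record.
    mft_records: list of dicts {"record": int, "names": [long, [short]]}.
    api_names:   list of strings returned by the directory-listing API."""
    api = {_fold(n) for n in api_names if n not in (".", "..")}
    hidden, mft_seen = [], set()
    for rec in mft_records:
        names = {_fold(n) for n in rec["names"]}
        if names & NTFS_METAFILES:
            continue
        mft_seen |= names
        if not names & api:
            hidden.append((rec["record"], rec["names"][0]))
    phantom = sorted(api - mft_seen)
    return hidden, phantom


# Constructed sample views of one directory (hypothetical, not real system data).
SAMPLE_MFT = [
    {"record": 41, "names": ["kernel32.dll"]},
    {"record": 42, "names": ["LongNameDriver.sys", "LONGNA~1.SYS"]},  # long + DOS 8.3 name
    {"record": 5, "names": ["$MFT"]},
    {"record": 97, "names": ["suspect.sys"]},
]
SAMPLE_API = [".", "..", "kernel32.dll", "LongNameDriver.sys"]

if __name__ == "__main__":
    hidden, phantom = cross_view_diff(SAMPLE_MFT, SAMPLE_API)
    for record, name in hidden:
        print(f"MFT record {record} ({name}) not visible via Win32 API: possible rootkit")
    for name in phantom:
        print(f"API reported {name} with no backing MFT record")
```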