Fast User-Mode Rootkit Scanner for the Enterprise

نویسندگان

Yi-Min Wang

Doug Beck

چکیده

User-mode resource hiding through API interception and filtering is a well-known technique used by malware programs to achieve stealth. Although it is not as powerful as kernel-mode techniques, it is more portable and reliable and, as a result, widely used. In this paper, we describe the design and implementation of a fast scanner that uses a cross-view diff approach to detect all user-mode hiding Trojans and rootkits. We also present detection results from a large-scale enterprise deployment to demonstrate the effectiveness of the tool.

برای دانلود رایگان متن کامل این مقاله و بیش از 32 میلیون مقاله دیگر ابتدا ثبت نام کنید

ثبت نام

اگر عضو سایت هستید لطفا وارد حساب کاربری خود شوید

منابع مشابه

Advanced Mac Os X Rootkits

The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This paper covers a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.

متن کامل

A Brief Survey on Rootkit Techniques in Malicious Codes

Nowadays, malicious codes are significantly increasing, leading to serious damages to information systems. It is worth to note that these codes generally depend on the rootkit techniques to make it more difficult for themselves to be analyzed and detected. Therefore, it is of paramount importance to research the rootkits to effectively defend against malicious codes. In this paper, we explore a...

متن کامل

Tool review - remote forensic preservation and examination tools

Forensic tools are emerging to help digital investigators preserve evidence on live, remote systems. These tools are applying the precepts of digital forensics to incident response, enterprise policy enforcement, and electronic data discovery. This paper discusses the strengths and shortcomings of ProDiscover IR and EnCase Enterprise Edition in the context of the overall digital investigation p...

متن کامل

Hardware-Assisted Rootkits: Abusing Performance Counters on the ARM and x86 Architectures

In this paper, a novel hardware-assisted rootkit is introduced, which leverages the performance monitoring unit (PMU) of a CPU. By configuring hardware performance counters to count specific architectural events, this research effort proves it is possible to transparently trap system calls and other interrupts driven entirely by the PMU. This offers an attacker the opportunity to redirect contr...

متن کامل

ایجاد نیمه خودکار مشاپ های سازمانی با استفاده از توصیفات معنایی

Mashups are next generation of web applications. A mashup is a lightweight web application that is created by combining information or capabilities from more than one existing resources to deliver a new and integrated experience to the user. Mashups introduce a new class of integration techniques in enterprises for implementing situational applications (i.e. applications that come together to s...

متن کامل

ذخیره در منابع من

ذخیره در منابع من قبلا به منابع من ذحیره شده

{@ msg_add @}

با ذخیره ی این منبع در منابع من، دسترسی به آن را برای استفاده های بعدی آسان تر کنید

عنوان ژورنال:

دوره شماره

صفحات -

تاریخ انتشار 2005

Fast User-Mode Rootkit Scanner for the Enterprise

نویسندگان

چکیده

منابع مشابه

Advanced Mac Os X Rootkits

A Brief Survey on Rootkit Techniques in Malicious Codes

Tool review - remote forensic preservation and examination tools

Hardware-Assisted Rootkits: Abusing Performance Counters on the ARM and x86 Architectures

ایجاد نیمه خودکار مشاپ های سازمانی با استفاده از توصیفات معنایی

عنوان ژورنال:

اشتراک گذاری