Rootkit modeling and experiments under Linux

This article deals with rootkit design. We show how these particular malicious codes are innovative compared with usual malware such as viruses, Trojan horses, etc. From that comparison, we introduce a functional architecture for rootkits. We also propose some criteria to characterize a rootkit and thus to qualify and assess the different kinds of rootkits. We purposely adopt a global view of this topic, that is, we do not restrict our study to the rootkit software itself: we also consider the communication between the attacker and his tool, and the interactions it induces with the system. We observe that the problems faced during rootkit design are close to those of steganography, while also showing the limits of such a comparison. Finally, we present a rootkit paradigm that runs in kernel mode under Linux, together with some new techniques to improve its stealth features.
