Detecting stealth software with Strider GhostBuster

Stealth malware programs that silently infect enterprise and consumer machines are becoming a major threat to the future of the Internet. Resource hiding is a powerful stealth technique commonly used by malware to evade detection by computer users and anti-malware scanners. In this paper, we focus on a subclass of malware, termed "ghostware", which hides files, configuration settings, processes, and loaded modules from the operating system's query and enumeration application programming interfaces (APIs). Instead of targeting individual stealth implementations, we describe a systematic framework for detecting multiple types of hidden resources by leveraging the hiding behavior itself as the detection mechanism. Specifically, we adopt a cross-view diff-based approach to ghostware detection: we compare a high-level infected scan with a low-level clean scan and, alternatively, compare an inside-the-box infected scan with an outside-the-box clean scan. We describe the design and implementation of the Strider GhostBuster tool and demonstrate its efficiency and effectiveness in detecting resources hidden by real-world malware such as rootkits, Trojans, and key-loggers.
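The cross-view diff described in the abstract reduces to a simple rule: anything that appears in the low-level (trusted) view but is missing from the high-level (API) view has been hidden from the enumeration APIs. The following Python is an added illustration of that rule and is not GhostBuster's own code (GhostBuster targets Windows files, registry, processes and modules; the sample directory listings below are constructed). It also shows the caveat a practitioner runs into immediately: the two views are never taken at the same instant, so entries created or deleted between scans look hidden unless several snapshots are intersected. The live collector at the bottom is a Linux-only, inside-the-box variant for processes (assumed: `/proc` enumeration as the high-level view, `kill(pid, 0)` probing as the low-level view), where non-leader thread ids answer the probe but are never listed in `/proc` and must be filtered.

```python
"""Cross-view diff for ghostware detection (added example, not GhostBuster code)."""
import os
from dataclasses import dataclass, field
from typing import Iterable


@dataclass
class CrossViewResult:
    hidden: set = field(default_factory=set)   # in low-level view, absent from high-level view
    phantom: set = field(default_factory=set)  # reported by the API, absent low-level (stale/transient)


def normalize(entries: Iterable, case_insensitive: bool = True) -> set:
    """Normalize string entries so that case and trailing separators, which differ
    legitimately between views, are not reported as hidden resources."""
    out = set()
    for e in entries:
        if isinstance(e, str):
            e = e.strip().rstrip("\\/")
            if case_insensitive:
                e = e.lower()
        out.add(e)
    return out


def cross_view_diff(high_view, low_view, case_insensitive=True) -> CrossViewResult:
    """Single-shot diff: what the trusted view has that the API view lacks."""
    high = normalize(high_view, case_insensitive)
    low = normalize(low_view, case_insensitive)
    return CrossViewResult(hidden=low - high, phantom=high - low)


def stable_hidden(high_views, low_views, case_insensitive=True) -> set:
    """Report an entry only if it is present in EVERY low-level snapshot and absent
    from EVERY high-level snapshot. Transient entries that appear or vanish between
    scans (a classic false-positive source) fail one of the two conditions."""
    if not high_views or not low_views:
        return set()
    seen_high = set.union(*(normalize(v, case_insensitive) for v in high_views))
    persistent_low = set.intersection(*(normalize(v, case_insensitive) for v in low_views))
    return persistent_low - seen_high


# Constructed sample views of one directory: high-level API listing vs. two low-level scans.
SAMPLE_HIGH_DIR = ["boot.ini", "ntldr", "Program Files", "WINDOWS"]
SAMPLE_LOW_DIR_1 = ["boot.ini", "ntldr", "program files", "windows", "_hidden_driver.sys", "tmp123.tmp"]
SAMPLE_LOW_DIR_2 = ["boot.ini", "ntldr", "program files", "windows", "_hidden_driver.sys"]


# --- Linux-only live variant for processes (assumed views, not part of the paper) ---
def proc_listing_view() -> set:
    """High-level view: process ids as enumerated through /proc."""
    return {int(e) for e in os.listdir("/proc") if e.isdigit()}


def _is_non_leader_thread(pid: int) -> bool:
    """Thread ids answer kill(tid, 0) but are not listed in /proc; filter them.
    If the status file is unreadable (e.g. the directory itself is hidden), keep
    the id as a candidate by returning False."""
    try:
        with open(f"/proc/{pid}/status") as f:
            fields = dict(line.split(":", 1) for line in f if ":" in line)
        return int(fields["Tgid"]) != int(fields["Pid"])
    except (OSError, KeyError, ValueError):
        return False


def pid_probe_view(max_pid: int = 65536) -> set:
    """Low-level view: probe every pid with signal 0. ESRCH means no such process;
    EPERM means it exists but belongs to another user."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        if not _is_non_leader_thread(pid):
            alive.add(pid)
    return alive


if __name__ == "__main__":
    print("sample dir diff:", cross_view_diff(SAMPLE_HIGH_DIR, SAMPLE_LOW_DIR_1))
    print("stable hidden  :", stable_hidden([SAMPLE_HIGH_DIR], [SAMPLE_LOW_DIR_1, SAMPLE_LOW_DIR_2]))
    if os.path.isdir("/proc"):
        high_a, low_a = proc_listing_view(), pid_probe_view()
        low_b, high_b = pid_probe_view(), proc_listing_view()   # re-scan to absorb churn
        print("hidden pids    :", stable_hidden([high_a, high_b], [low_a, low_b]))
```

Run it as a normal user; `tmp123.tmp` appears in only one low-level snapshot and is dropped by `stable_hidden`, while `_hidden_driver.sys` survives both and is reported. The process variant raises the probe ceiling via the `max_pid` parameter if the host's `pid_max` is larger than 65536.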
