Spy vs. Spy: counter-intelligence methods for backtracking malicious intrusions

Advanced malware has become commonplace in cyberspace, with large-scale campaigns exploiting consumer, corporate and government systems on a constant basis. Regardless of the target, once an attacker has successfully infiltrated a system they commonly deploy a backdoor to maintain persistent access and a rootkit to evade detection on the infected machine. If the compromised system has access to classified or sensitive material, eradicating the malware may not be the best response. Instead, a counter-intelligence operation may be initiated to track the intrusion back to its source. It is essential that these counter-intelligence activities remain invisible to the intruder, who would otherwise be alerted that the compromise has been discovered. The same techniques that rootkits use to hide malware from defenders can be turned around to hide the defenders' detection and analysis activity from the malware. This paper surveys the rootkit literature for techniques applicable to such counter-intelligence operations.