Automated containment of rootkit attacks

Rootkit attacks are a serious threat to computer systems. Packaged with other malware such as worms, viruses and spyware, rootkits pose a more potent threat than ever before because they let that malware evade detection. Without appropriate tools to counter such attacks, compromised machines remain undetected for extended periods of time. Leveraging virtual machine technology, we propose a solution for real-time automated detection and containment of rootkit attacks, and we have built a prototype on VMware Workstation to illustrate it. Our analysis and experimental results indicate that the approach detects and contains the effects of a large percentage of the rootkits found for Linux today. We also show by example that it is particularly effective against malware that uses rootkits to hide.
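The abstract names the mechanism (detection from a virtual machine monitor outside the guest) but does not spell out what such a monitor checks. As an added illustration, not the paper's prototype or its code, the Python below models two checks an out-of-VM monitor can make against a guest: a cross-view diff between the process and module lists introspection recovers from guest memory and the lists the guest's own kernel reports, and an integrity check of the syscall table as read from guest memory against a baseline digest taken while the guest was known to be clean. The kernel text range, the containment action names and the sample guest state are constructed for the example. It also assumes the VMM and the introspection component are themselves trustworthy, which a rootkit installed beneath the monitor would violate.

```python
import hashlib
from dataclasses import dataclass

# Assumed kernel text range of the guest (constructed). In a real deployment it
# would come from the guest's System.map or from introspecting the kernel image.
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)


@dataclass(frozen=True)
class GuestView:
    """One view of guest state: the PIDs and loaded kernel modules a viewer can
    see, and the syscall table as {syscall number: handler address}."""
    pids: frozenset
    modules: frozenset
    syscall_table: dict


def table_digest(table):
    """Stable SHA-256 over the syscall table. Computed once at a known-good
    point (e.g. right after the guest boots) and stored outside the VM."""
    h = hashlib.sha256()
    for num in sorted(table):
        h.update(f"{num}:{table[num]:016x}\n".encode())
    return h.hexdigest()


def cross_view_diff(trusted, reported):
    """Cross-view check: anything the out-of-VM (introspected) view contains but
    the in-guest view omits is being hidden from the guest's own tools."""
    findings = {}
    hidden_pids = trusted.pids - reported.pids
    if hidden_pids:
        findings["hidden_processes"] = sorted(hidden_pids)
    hidden_mods = trusted.modules - reported.modules
    if hidden_mods:
        findings["hidden_modules"] = sorted(hidden_mods)
    return findings


def syscall_table_check(table, good_digest, text_range=KERNEL_TEXT):
    """Integrity check of the syscall table read from guest memory: the digest
    must match the stored baseline and every handler must lie in kernel text.
    A handler outside kernel text points into an injected module or shellcode."""
    lo, hi = text_range
    redirected = sorted(n for n, addr in table.items() if not lo <= addr < hi)
    return {"tampered": table_digest(table) != good_digest, "redirected": redirected}


def assess(trusted, reported, good_digest):
    """Run both checks and turn findings into an ordered containment plan.
    Action names are constructed for this example; they stand for commands the
    VMM-side controller would execute, not the prototype's own commands."""
    findings = cross_view_diff(trusted, reported)
    table = syscall_table_check(trusted.syscall_table, good_digest)
    if table["tampered"]:
        findings["syscall_table"] = table["redirected"]
    actions = []
    if findings:
        actions += ["snapshot_memory", "isolate_network"]  # keep evidence, stop spread
    if "hidden_processes" in findings:
        actions.append("suspend_vm")  # freeze the guest from outside the VM
    if "syscall_table" in findings:
        actions.append("restore_syscall_table")  # rewrite entries from the baseline
    return findings, actions


# Constructed sample data: a clean guest, then the same guest after a rootkit
# hides PID 4242 and module "hide_me" and hooks syscall 2 while still reporting
# the original table to in-guest tools.
GOOD_TABLE = {0: 0xFFFFFFFF81234000, 1: 0xFFFFFFFF81234100, 2: 0xFFFFFFFF81234200}
GOOD_DIGEST = table_digest(GOOD_TABLE)
CLEAN = GuestView(frozenset({1, 300}), frozenset({"ext4"}), dict(GOOD_TABLE))
TRUSTED = GuestView(frozenset({1, 300, 4242}), frozenset({"ext4", "hide_me"}),
                    {**GOOD_TABLE, 2: 0xFFFFFFFFC0AA1000})
REPORTED = GuestView(frozenset({1, 300}), frozenset({"ext4"}), dict(GOOD_TABLE))

if __name__ == "__main__":
    print(assess(CLEAN, CLEAN, GOOD_DIGEST))
    print(assess(TRUSTED, REPORTED, GOOD_DIGEST))
```

The ordering of the plan matters in practice: the memory snapshot comes first so that evidence of the hidden objects survives whatever the containment steps change, and network isolation precedes suspension so that a guest resumed for forensics cannot keep spreading whatever the rootkit was hiding.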
