Temporal search: detecting hidden malware timebombs with virtual machines
Proceedings of the 12th international conference on Architectural support for programming languages and operating systems
A Smart Fuzzer for x86 Executables
SESS '07 Proceedings of the Third International Workshop on Software Engineering for Secure Systems
Mining specifications of malicious behavior
Proceedings of the the 6th joint meeting of the European software engineering conference and the ACM SIGSOFT symposium on The foundations of software engineering
Mining specifications of malicious behavior
ISEC '08 Proceedings of the 1st India software engineering conference
Virtual machine-provided context sensitive page mappings
Proceedings of the fourth ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
Self-signed executables: restricting replacement of program binaries by malware
HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
ATC'07 2007 USENIX Annual Technical Conference on Proceedings of the USENIX Annual Technical Conference
Learning and Classification of Malware Behavior
DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing
RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
Ether: malware analysis via hardware virtualization extensions
Proceedings of the 15th ACM conference on Computer and communications security
Proceedings of the 15th ACM conference on Computer and communications security
Eureka: A Framework for Enabling Static Malware Analysis
ESORICS '08 Proceedings of the 13th European Symposium on Research in Computer Security: Computer Security
Multi-aspect profiling of kernel rootkit behavior
Proceedings of the 4th ACM European conference on Computer systems
Shepherding Loadable Kernel Modules through On-demand Emulation
DIMVA '09 Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment
The user is not the enemy: fighting malware by tracking user intentions
Proceedings of the 2008 workshop on New security paradigms
Toward Revealing Kernel Malware Behavior in Virtual Execution Environments
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Identification of Malicious Web Pages by Inductive Learning
WISM '09 Proceedings of the International Conference on Web Information Systems and Mining
Defeating return-oriented rootkits with "Return-Less" kernels
Proceedings of the 5th European conference on Computer systems
Improving the efficiency of dynamic malware analysis
Proceedings of the 2010 ACM Symposium on Applied Computing
A forced sampled execution approach to kernel rootkit identification
RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
OSDI'08 Proceedings of the 8th USENIX conference on Operating systems design and implementation
Effective and efficient malware detection at the end host
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
A control point for reducing root abuse of file-system privileges
Proceedings of the 17th ACM conference on Computer and communications security
VM-based security overkill: a lament for applied systems security research
Proceedings of the 2010 workshop on New security paradigms
Misleading malware similarities analysis by automatic data structure obfuscation
ISC'10 Proceedings of the 13th international conference on Information security
Characterizing kernel malware behavior with kernel data access patterns
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
Deriving common malware behavior through graph clustering
Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security
A specification based intrusion detection framework for mobile phones
ACNS'11 Proceedings of the 9th international conference on Applied cryptography and network security
From prey to hunter: transforming legacy embedded devices into exploitation sensor grids
Proceedings of the 27th Annual Computer Security Applications Conference
Defending embedded systems with software symbiotes
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Static detection of unsafe component loadings
CC'12 Proceedings of the 21st international conference on Compiler Construction
Quantitative analysis for privacy leak software with privacy Petri net
Proceedings of the ACM SIGKDD Workshop on Intelligence and Security Informatics
Host based attack detection using system calls
Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology
ISC'07 Proceedings of the 10th international conference on Information Security
Down to the bare metal: using processor features for binary analysis
Proceedings of the 28th Annual Computer Security Applications Conference
Information Sciences: an International Journal
Proceedings of the 9th ACM SIGPLAN/SIGOPS international conference on Virtual execution environments
A malicious behavior analysis based Cyber-I birth
Journal of Intelligent Manufacturing
Hi-index | 0.00 |
A rootkit is a collection of tools used by intruders to keep the legitimate users and administrators of a compromised machine unaware of their presence. Originally, rootkits mainly included modified versions of system auditing programs (e.g., ps or netstat on a Unix system). However, for operating systems that support loadable kernel modules (e.g., Linux and Solaris), a new type of rootkit has recently emerged. These rootkits are implemented as kernel modules, and they do not require modification of user-space binaries to conceal malicious activity. Instead, these rootkits operate within the kernel, modifying critical data structures such as the system call table or the list of currently-loaded kernel modules. This paper presents a technique that exploits binary analysis to ascertain, at load time, if a module's behavior resembles the behavior of a rootkit. Through this method, it is possible to provide additional protection against this type of malicious modification of the kernel. Our technique relies on an abstract model of module behavior that is not affected by small changes in the binary image of the module. Therefore, the technique is resistant to attempts to conceal the malicious nature of a kernel module.