Figure 1. Evolution of rootkit attack techniques
detection tools allows such systems to stealthily lie within the attacker's realm for indefinite periods of time. Recent studies have shown a phenomenal increase in the number of malware samples that use stealth techniques commonly employed by rootkits. For example, a report by McAfee Avert Labs (McAfee, 2006) observes a 600% increase in the number of rootkits in the three-year period from 2004 to 2006. Indeed, this trend continues even today; according to the forum antirootkit.com (Antirootkit, n.d.), over 200 rootkits were discovered in the first quarter of 2008 alone.

Rootkit Evolution

Rootkit attack techniques have matured over the past few years, posing a realistic threat to commodity operating systems. Comprehensive detection of such advanced rootkits is still an open research problem. The new attack techniques used by rootkits have in turn triggered the development of novel techniques to detect their presence. The evolution of rootkits and of the techniques to detect them continues to be an arms race between attackers and defenders. Figure 1 shows the evolution in rootkit attack techniques. Rootkits have evolved from manipulating user-space binaries and shared libraries to modifying control and non-control data in the kernel. The latest rootkits install themselves below the operating system.

Early rootkits operate by modifying system binaries and shared libraries, replacing them with trojaned versions. The goal of these trojaned binaries is to hide malicious objects or to grant privileged access to malicious processes. For example, a trojaned ps binary will not list the malicious processes running on the system, and a trojaned login process can give root privileges to a malicious user. To detect trojaned system binaries and shared libraries, tools such as Tripwire (Kim, 1994) and AIDE (Aide, n.d.) were developed. These tools generate checksums of authentic binaries when run on a clean system and store them in a database. A user can later examine the system with these tools and compare the checksums of the system binaries with those previously stored in the database; a mismatch indicates the presence of a trojaned binary. Other detection tools used an anti-virus-like approach, where the presence of a rootkit is detected using a database of known signatures, such as a specific sequence of bytes
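As an added example (not from the chapter, and not Tripwire's or AIDE's own code), here is the checksum-database approach described above as a minimal Python checker: it hashes every file under a directory on a clean system, and later re-hashes the tree and reports modified, missing and newly added files. The `demo()` scenario, its file names and contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hypothetical Tripwire/AIDE-style checker: baseline = relative path -> digest.

def file_digest(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Walk `root` and record a digest for every regular file (symlinks skipped)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue
            baseline[str(full.relative_to(root))] = file_digest(full)
    return baseline

def verify(root: Path, baseline: dict) -> dict:
    """Re-hash `root` and report files whose digest changed, vanished, or appeared."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo() -> dict:
    """Constructed scenario: baseline a scratch tree, tamper with it, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bin"
        (root / "lib").mkdir(parents=True)
        for name in ("ps", "ls", "lib/libc.so"):          # stand-ins for real binaries
            (root / name).write_bytes(b"placeholder for " + name.encode())
        baseline = build_baseline(root)                   # recorded on the "clean" system
        (root / "ps").write_bytes(b"placeholder for ps, now trojaned")  # replaced binary
        (root / "ls").unlink()                            # removed binary
        (root / "rk.ko").write_bytes(b"dropped file")     # file that was not there before
        return verify(root, baseline)
```

The checker and its database must live where the attacker cannot reach them (read-only or offline media), and a kernel-level rootkit that filters what user-space tools read from disk is not caught by this approach.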