Kernel rootkits can provide user-level malware programs with the additional capability of hiding their malicious activities by altering the legitimate kernel behavior of an operating system. While existing research has studied rootkit hooking behavior in an effort to help develop defense and remediation mechanisms, automated analysis of the actual malicious goals and capabilities of rootkits has not been adequately investigated. In this paper, we present an approach based on a combination of backward slicing and chopping techniques that enables automatic discovery of the system data manipulation behaviors of rootkits. We have built a system called K-Tracer that can dynamically analyze Windows kernel-level code and extract malicious behaviors from rootkits, including sensitive data access, modification and triggers. Our system overcomes several challenges of analyzing the Windows kernel. We have performed experiments on several kernel malware samples and shown that our system can successfully extract all malicious data manipulation behaviors from them. We also discuss the limitations of our current system on newer rootkit strategies, and provide insight into how it can be extended to handle these emerging threats.

K-Tracer: a system for extracting kernel malware behavior / A. Lanzi, M.I. Sharif, W. Lee. In: NDSS. Reston: The Internet Society, 2009 Jun 18. ISBN 9781891562280. pp. 205-220. (Paper presented at the 16th Symposium on Network and Distributed System Security, held in San Diego (CA, USA), 8 through 11 February 2009.)

K-Tracer: a system for extracting kernel malware behavior

A. Lanzi (first author); 2009

Sector INF/01 - Computer Science
18-Jun-2009
Book Part (author)
Files in this record:
File: lanzi.pdf (restricted access)
Type: Publisher's version/PDF
Size: 1.16 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this record: https://hdl.handle.net/2434/254314
Citations
  • Scopus 77