Exploiting the Rootkit Paradox with Windows Memory Analysis

Abstract

Rootkits are malicious programs that silently subvert an operating system to hide an intruder's activities. Although there are a number of tools designed to detect rootkits, these programs compete with the rootkit for system resources, allowing the rootkit to actively evade detection. By taking a memory image of the system, a forensic examiner can conduct a more thorough search for rootkits and, even without discovering one directly, infer the presence of one. This paper explores how an examiner can create such a memory image and use the inherent properties of rootkits to find them in those memory images.

Background

Rootkits are programs designed to hide processes, files, and activity from the operating system and legitimate users of a computer. Normally used only by intruders, they subvert the operating system and prevent it from functioning normally. The rootkit can modify, delete, or insert data into any of the operating system's processes and, as a result, has complete control over what the operating system does or does not see. Intruders use rootkits to hide malicious activity such as opening back doors for unauthorized access, recording keystrokes, or launching attacks against other systems. By their very nature, rootkits are difficult to detect because they hide their own activities. For example, the Hacker Defender rootkit offers its owner the ability to hide itself, selected files, processes, and registry keys from the operating system and thus from any user [HOLY]. Traditional malware detection techniques are not effective against rootkits, as these programs cannot flag processes that they cannot see.

The Rootkit Paradox

All rootkits obey two basic principles:

1. They want to remain hidden.
2. They need to run.

Taken together, these rules create a paradox. In order to remain hidden, the rootkit needs to minimize its footprint on the system. However, in order to run, the operating system, a deterministic process, has to be able to find and execute the rootkit. If a deterministic process like the operating system can find the rootkit, then an examiner
