Abstract

A rootkit is a tool used by an intruder to hide itself, masking the fact that a system has been compromised, and to keep or regain root-level access to the system. Traditional rootkits mainly consist of modified versions of system auditing programs on a Linux system. However, new types of rootkits implemented as kernel modules have emerged now that operating systems support loadable kernel modules. These rootkits do not require modification of user-space binaries to hide malicious activities. Instead, they operate within the kernel, modifying critical data structures such as the system call table or the list of currently loaded kernel modules.

The first part of the talk introduces a rootkit taxonomy, discusses behavior specifications of kernel-level rootkits, and presents the state of the art of rootkits and of methods for determining whether a Linux system has been infected by a kernel-level rootkit. The approaches are based on detecting system call redirection and /proc and virtual file system hijacking by comparing addresses in a static, known-normal memory state with those in the run-time state. Our goal is to detect and resist attempts to conceal the malicious nature of a kernel module. As a case study, we choose adore and adore-ng as targets, and chkrootkit and kern_check as detection tools. Finally, we discuss some limitations in the latest version of kern_check and make it possible to differentiate adore and adore-ng, which use different techniques.

The second part of the talk will summarize recent research on rootkits based on kernel integrity monitors (e.g., virtual machine monitors, integrity monitoring software on a PCI card, etc.), which escapes the ongoing race between complex rootkits and the corresponding detection tools.
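
The address comparison described in the abstract (a static known-good state against the run-time state), sketched for the system call table as an added example; it is not code from kern_check or from the talk. The System.map lines, i386 syscall numbers and run-time addresses are constructed sample data, the function names are hypothetical, and the kernel-text range check is an addition of this example.

```python
# Constructed sample data: a System.map-style baseline saved from a known-good
# kernel, and syscall-table entries as they might be read from kernel memory.
SYSTEM_MAP = """\
c0100000 T _stext
c0120a10 T sys_read
c0120b40 T sys_write
c0121c00 T sys_open
c013f2e0 T sys_getdents64
c02f0000 A _etext
"""
# Syscall number -> handler symbol (i386 numbering, assumed for this example).
EXPECTED = {3: "sys_read", 4: "sys_write", 5: "sys_open", 220: "sys_getdents64"}
RUNTIME_TABLE = {3: 0xC0120A10, 4: 0xC0120B40, 5: 0xC0121C00, 220: 0xD0A3B060}


def parse_system_map(text):
    """Return {symbol: address} from 'address type symbol' lines."""
    symbols = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            symbols[parts[2]] = int(parts[0], 16)
    return symbols


def check_syscall_table(baseline, expected, runtime):
    """Return (nr, symbol, baseline_addr, runtime_addr, verdict) per mismatch."""
    text_start, text_end = baseline["_stext"], baseline["_etext"]
    findings = []
    for nr, symbol in sorted(expected.items()):
        want, got = baseline.get(symbol), runtime.get(nr)
        if want is None or got is None:
            findings.append((nr, symbol, want, got, "missing data"))
        elif got != want:
            # A handler outside [_stext, _etext) is not core kernel code,
            # which is where a loadable module's replacement would live.
            inside = text_start <= got < text_end
            verdict = ("changed within kernel text" if inside
                       else "points outside kernel text")
            findings.append((nr, symbol, want, got, verdict))
    return findings


if __name__ == "__main__":
    show = lambda a: "?" if a is None else f"{a:#x}"
    base = parse_system_map(SYSTEM_MAP)
    for nr, sym, want, got, verdict in check_syscall_table(base, EXPECTED, RUNTIME_TABLE):
        print(f"syscall {nr} ({sym}): baseline {show(want)}, runtime {show(got)}: {verdict}")
```

The baseline is only meaningful if it was recorded before any compromise and stored where a kernel-level intruder cannot rewrite it.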