refer_01

Source: Internet. Editor: 程序博客网. Date: 2024/06/04 20:40
A Forced Sampled Execution Approach to
Kernel Rootkit Identification


Jeffrey Wilhelm and Tzi-cker Chiueh
Core Research Group
Symantec Research Laboratories
{jeffrey wilhelm,tzi-cker chiueh}@symantec.com




1. Altholz, N., Stevenson, L.: Rootkits for Dummies. John Wiley and Sons Ltd., Chichester (2006)
2. Avira: Avira rootkit detection, http://www.antirootkit.com/software/Avira-Rootkit-Detection.htm
3. Butler, J.: Vice - catch the hookers! In: Conference Proceedings of Black Hat 2004 (July 2004)
4. Butler, J., Sparks, S.: Raising the bar for windows rootkit detection. Phrack 63 (July 2005)
5. Christodorescu, M., Jha, S., Seshia, S., Song, D., Bryant, R.: Semantics-Aware Malware Detection. In: Proceedings of IEEE Symposium on Security and Privacy (Oakland), IEEE Computer Society Press, Los Alamitos (2005)
6. Cogswell, B., Russinovich, M.: Rootkitrevealer v1.71 (November 2006), http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
7. Corporation, F.-S.: F-secure blacklight rootkit elimination technology, http://securityticker.blogspot.com/2006/05/f-secure-backlight.html
8. Corporation, S.: Norton antivirus, http://www.symantec.com/home_homeoffice/products/overview.jsp?pcid=is&pvid=nav2006
9. Corporation, S.: Internet security threat report (September 2006), http://www.symantec.com/enterprise/threatreport/index.jsp
10. Flake, H.: Automated reverse engineering. In: Proceedings of Black Hat 2004 (July 2004)
11. Fuzen: Fu rootkit, http://www.rootkit.com/project.php?id=12
12. Hoglund, G., Butler, J.: The companion website of the rootkit book, http://www.rootkit.com
13. Hoglund, G., Butler, J.: Rootkits: Subverting the Windows Kernel. Addison-Wesley Professional, Reading (2005)
14. Karim, M., Walenstein, A., Lakhotia, A., Parida, L.: Malware phylogeny generation using permutations of code. European Research Journal of Computer Virology (2005)
15. Kirda, E., Kruegel, C., Banks, G., Vigna, G., Kemmerer, R.: Behavior-based spyware detection. In: Proceedings of Usenix Security Symposium (2006)
16. Kruegel, C., Robertson, W., Vigna, G.: Detecting kernel-level rootkits through binary analysis. In: Yew, P.-C., Xue, J. (eds.) ACSAC 2004. LNCS, vol. 3189, Springer, Heidelberg (2004)
17. Labs, M.A.: Rootkit detective, http://vil.nai.com/vil/stinger/
18. Livingston, B.: Icesword author speaks out on rootkits, http://itmanagement.earthweb.com/columns/executive_tech/article.php/3512621
19. Micro, T.: Rootkitbuster, http://www.trendmicro.com/download/rbuster.asp
20. Moser, A., Kruegel, C., Kirda, E.: Exploring Multiple Execution Paths for Malware Analysis. In: Proceedings of 2007 IEEE Symposium on Security and Privacy, IEEE Computer Society Press, Los Alamitos (2007)
21. Petroni, N., Fraser, T., Molina, J., Arbaugh, W.: Copilot - a coprocessor-based kernel runtime integrity monitor. In: Proceedings of Usenix Security Symposium (August 2004)
22. Research, P.: Rootkit cleaner, http://research.pandasoftware.com/blogs/research/archive/2006/12/14/Rootkit-cleaner.aspx
23. Rutkowska, J.: Red pill... or how to detect vmm using (almost) one cpu instruction, http://www.invisiblethings.org/papers/redpill.html
24. Rutkowska, J.: Thoughts about cross-view based rootkit detection (June 2005), http://www.invisiblethings.org/papers/crossview_detection_thoughts.pdf
25. Rutkowska, J.: Rootkits detection on windows systems. In: Proceedings of ITUnderground Conference 2004 (October 2004)
26. Rutkowska, J.: System virginity verifier: Defining the roadmap for malware detection on windows systems (September 2005), http://www.invisiblethings.org/papers/hitb05_virginity_verifier.ppt
27. Sabin, T.: Comparing binaries with graph isomorphisms, http://www.bindview.com/Services/Razor/Papers/2004/comparing_binaries.cfm
28. Sophos: Sophos anti-rootkit, http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
29. Stamp, M., Wong, W.: Hunting for metamorphic engines. Journal in Computer Virology 2(3) (December 2006)
30. Wang, Y., Beck, D., Roussev, R., Verbowski, C.: Detecting stealth software with strider ghostbuster. In: Proc. Int. Conf. on Dependable Systems and Networks (DSN-DCCS) (June 2005)
31. Wang, Y., Roussev, R., Verbowski, C., Johnson, A., Wu, M., Huang, Y., Kuo, S.: Gatekeeper: Monitoring auto-start extensibility points (aseps) for spyware management. In: Proceedings of Usenix Large Installation System Administration Conference (LISA) (2004)
32. Wikipedia: Naive bayes classifier, http://en.wikipedia.org/wiki/Naive_Bayes_classifier
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\






Asynchronous Pseudo Physical Memory
Snapshot and Forensics on Paravirtualized
VMM Using Split Kernel Module



National Institute of Information and Communication Technology,
4-2-1 Nukui-Kitamachi, Koganei,
Tokyo 184-8795 Japan
ruo@nict.go.jp
http://www2.nict.go.jp/y/y212/index_en.html



1. Hand, S., Warfield, A., Fraser, K., Kotsovinos, E., Magenheimer, D.: Are Virtual Machine Monitors Microkernels Done Right? In: Proceedings of the Tenth Workshop on Hot Topics in Operating Systems (HotOS-X) (June 2005)
2. Goth, G.: Virtualization: Old Technology Offers Huge New Potential. IEEE Distributed Systems Online 8(2) (2007)
3. Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A Retrospective on the VAX VMM Security Kernel. IEEE Trans. Software Eng. 17(11), 1147–1165 (1991)
4. Karger, P.A., Zurko, M.E., Bonin, D.W., Mason, A.H., Kahn, C.E.: A Retrospective on the VAX VMM Security Kernel. IEEE Trans. Software Eng. 17(11), 1147–1165 (1991)
5. XEN virtual machine monitor, http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
6. Barham, P., Dragovic, B., Fraser, K., Hand, S., Harris, T., Ho, A., Neugebauer, R., Pratt, I., Warfield, A.: Xen and the art of virtualization. In: SOSP 2003. Proceedings of the 19th Symposium on Operating System Principles, Bolton Landing, NY (October 2003)
7. KVM: Kernel-based virtualization driver, available at: http://kvm.qumranet.com/
8. Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: NDSS 2003. Proceedings of Network and Distributed System Security, pp. 191–206 (February 2003)
9. Quynh, N.A., Ando, R., Takefuji, Y.: Centralized Security Policy Support for Virtual Machine. In: LISA 2007. Proceedings of USENIX, 20th Large Installation System Administration Conference (December 2006)
10. Sailer, R., Jaeger, T., Valdez, E., Caceres, R., Perez, R., Berger, S., Griffin, J.L., van Doorn, L.: Building a MAC-Based Security Architecture for the Xen Opensource Hypervisor. In: Srikanthan, T., Xue, J., Chang, C.-H. (eds.) ACSAC 2005. LNCS, vol. 3740, Springer, Heidelberg (2005)
11. Xu, M., Malyugin, V., Sheldon, J., Venkitachalam, G., Weissman, B.: ReTrace: Collecting Execution Trace with Virtual Machine Deterministic Replay. In: MoBS 2007. Proceedings of Third Annual Workshop on Modeling, Benchmarking and Simulation (June 2007)
12. Bhansali, S., Chen, W.-K., De Jong, S., Edwards, A., Drinic, M.: Framework for Instruction-level Tracing and Analysis of Programs. In: VEE 2006. Proceedings of Second International Conference on Virtual Execution Environments (June 2006)
13. Dunlap, G.W., King, S.T., Cinar, S., Basrai, M., Chen, P.M.: ReVirt: Enabling intrusion analysis through virtual-machine logging and replay. In: OSDI 2002. Proceedings of the 2002 Symposium on Operating Systems Design and Implementation (December 2002)
14. King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: SubVirt: Implementing malware with virtual machines. In: Proceedings of IEEE Symp. on Security and Privacy (the Oakland Conference) (May 2006)
15. LIDS: Linux Intrusion Detection System, available at http://www.lids.org/
16. Uhlig, R., Neiger, G., Rodgers, D., Santoni, A.L., Martins, F.C.M., Anderson, A.V., Bennett, S.M., Kagi, A., Leung, F.H., Smith, L.: Intel Virtualization Technology. IEEE Computer 38(5), 48–56 (2005)



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



A METHOD FOR DETECTING LINUX KERNEL MODULE ROOTKITS

ADVANCES IN DIGITAL FORENSICS III

[1] M. Burdach, Detecting rootkits and kernel-level compromises in Linux (www.securityfocus.com/infocus/1811), 2004.
[2] A. Busleiman, Detecting and understanding rootkits (www.net-security.org/dl/articles/Detecting_and-Understanding_rootkits.txt), 2003.
[3] B. Carrier and E. Spafford, Automated digital evidence target definition using outlier analysis and existing evidence, Proceedings of the Fifth Annual Digital Forensics Research Workshop (www.dfrws.org/2005/proceedings/index.html), 2005.
[4] S. Cesare, Runtime kernel patching (reactor-core.org/runtime-kernel-patching.html).
[5] A. Chuvakin, An overview of Unix rootkits, iALERT White Paper, iDefense Labs (www.megasecurity.org/papers/Rootkits.pdf), 2003.
[6] D. Dittrich, Root kits and hiding files/directories/processes after a break-in (staff.washington.edu/dittrich/misc/faqs/rootkits.faq), 2002.
[7] Honeynet Project, Know your enemy: The motives and psychology of the black hat community (www.linuxvoodoo.org/resources/security/motives), 2000.
[8] P. Hutto, Adding a syscall (www-static.cc.gatech.edu/classes/AY2001/cs3210_fall/labs/syscalls.html), 2000.
[9] Integrity Computing, Network security: A primer on vulnerability, prevention, detection and recovery (www.integritycomputing.com/security1.html).
[10] Komoku Inc. (www.komoku.com/technology.shtml).
[11] C. Kruegel, W. Robertson and G. Vigna, Detecting kernel-level rootkits through binary analysis (www.cs.ucsb.edu/~wkr/publications/acsac20041krmpresentation.pdf), 2004.
[12] J. Levine, B. Grizzard and H. Owen, Detecting and categorizing kernel-level rootkits to aid future detection, IEEE Security & Privacy, pp. 24-32, January/February 2006.
[13] M. Murilo and K. Steding-Jessen, chkrootkit (www.chkrootkit.org), 2006.
[14] R. Naraine, Government-funded startup blasts rootkits (www.eweek.com/article2/0,1759,1951941,00.asp), April 24, 2006.
[15] N. Petroni, T. Fraser, J. Molina and W. Arbaugh, Copilot - A coprocessor-based kernel runtime integrity monitor, Proceedings of the Thirteenth USENIX Security Symposium, pp. 179-194, 2004.
[16] J. Rutkowski, Execution path analysis: Finding kernel based rootkits (doc.bughunter.net/rootkit-backdoor/execution-path.html).
[17] Samhain Labs, kern_check.c (la-samhna.de/library/kern_check.c).
[18] J. Scambray, S. McClure and G. Kurtz, Hacking Exposed: Network Security Secrets and Solutions, McGraw-Hill/Osborne, Berkeley, California, 2001.
[19] SecurityFocus, scprint.c (downloads.securityfocus.com).
[20] E. Skoudis, Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses, Prentice-Hall, Upper Saddle River, New Jersey, 2001.
[21] W. Stallings, Network Security Essentials, Prentice-Hall, Upper Saddle River, New Jersey, 2003.
[22] R. Wichmann, Linux kernel rootkits (coewww.rutgers.edu/www1/linuxclass2006//documents/kernel_rootkits/index.html), 2002.
[23] D. Zovi, Kernel rootkits (www.sans.org/reading_room/whitepapers/threats/449.php), SANS Institute, 2001.



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



ANALYSIS OF TOOLS FOR DETECTING ROOTKITS AND HIDDEN PROCESSES

Todd, et al.
ADVANCES IN DIGITAL FORENSICS III

[1] E. Abreu, Hackers get novel defense; the computer did it (www.forbes.com/markets/newswire/2003/10/27/rtr1124430.html), 2003.
[2] Aphex, ReadMe.txt (www.iamaphex.net), 2006.
[3] J. Butler and S. Sparks, Windows rootkits of 2005: Part two (www.securityfocus.com/infocus/1851), 2005.
[4] J. Butler and S. Sparks, Windows rootkits of 2005: Part three (www.securityfocus.com/infocus/1854), 2006.
[5] B. Carrier, File System Forensic Analysis, Addison-Wesley, Boston, Massachusetts, 2005.
[6] C. Claycomb, Analysis of Windows Rootkits, M.S. Thesis, Department of Electrical and Computer Engineering, Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio, 2006.
[7] CMS Consulting, Hidden rootkits in Windows (www.task.to/events/presentations/TASK_Hidden_Rootkits_in_Windows.pdf), 2005.
[8] B. Cogswell and M. Russinovich, RootkitRevealer v1.71 (www.sysinternals.com/Utilities/RootkitRevealer.html).
[9] K. Dillard, What are user-mode vs. kernel-mode rootkits? (searchwindowssecurity.techtarget.com/originalContent/0,289142,sid45_gci1086469,00.html), 2005.
[10] E. Florio, When malware meets rootkits, Virus Bulletin, 2005.
[11] Frisk Software International, F-Prot Antivirus Scanner (www.f-prot.com/products/home_use/linux).
[12] F-Secure Corporation, Blacklight (www.f-secure.com/blacklight/blacklight.html).
[13] Guidance Software, EnCase (v.4) (www.guidancesoftware.com).
[14] G. Hoglund and J. Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley, Boston, Massachusetts, 2005.
[15] Holy-Father, Hacker Defender (hxdef.org/download.php).
[16] T. Kojm, Clam Antivirus (www.clamav.net).
[17] J. Levine, B. Culver and H. Owen, A methodology for detecting new binary rootkit exploits, Proceedings of the IEEE SouthEastCon, 2003.
[18] J. Levine, J. Grizzard, P. Hutto and H. Owen, A methodology to characterize kernel level rootkit exploits that overwrite the system call table, Proceedings of the IEEE SoutheastCon, pp. 25-31, 2004.
[19] M. McDougal, Windows Forensic Toolchest (WFT) (www.foolmoon.net/security/wft), 2005.
[20] RKDetector.com, RKDetector v2.0 (www.rkdetector.com).
[21] RKDetector.com, RKDetector v2.0 Engine (www.rkdetector.com).
[22] Rootkit.com (www.rootkit.com/download.php).
[23] J. Rutkowska, Concepts for the Stealth Windows Rootkit (The Chameleon Project) (invisiblethings.org/papers/chameleon_concepts.pdf), 2003.
[24] J. Rutkowski, Advanced Windows 2000 rootkit detection (hxdef.org/knowhow/rutkowski.pdf), 2003.
[25] J. Rutkowski, Execution path analysis: Finding kernel rootkits (doc.bughunter.net/rootkit-backdoor/execution-path.html), 2004.
[26] P. Silberman, FUTo (uninformed.org/?v=3&a=7), 2006.
[27] Simple Nomad, Covering your tracks: Ncrypt and Ncovert, presented at Black Hat USA 2003 (www.blackhat.com/html/bh-media-archives/bh-archives-2003.html), 2003.
[28] S. Sparks, Shadow Walker: Raising the bar for rootkit detection, presented at Black Hat USA 2005 (www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf), 2005.
[29] Y. Wang, B. Vo, R. Roussev, C. Verbowski and A. Johnson, Strider Ghostbuster: Why it's a bad idea for stealth software to hide files, Microsoft Research Technical Report, MSR-TR-2004-71, Microsoft Corporation, Redmond, Washington, 2004.
[30] XFocus.net, IceSword (v1.12 and v1.18) (www.xfocus.net).
[31] XShadow, Vanquish v0.2.1 (www.rootkit.com/vault/xshadow/readme.txt), 2005.



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



Kernel Rootkits Implementation and Detection

Greg H, James B. Rootkits: Subverting the Windows Kernel [M]. Boston: Addison Wesley, 2005.
Prasad D, Milind B, Sandeep P. Undocumented Windows NT [M]. New York: M&T Books, 1999: 33-44.
Walter O. Programming the Windows Driver Model [M]. Washington: Microsoft Press, 2003: 77-92.
Peter S. The Art of Computer Virus Research and Defense [M]. Boston: Addison Wesley, 2005: 69-92.
Ed S, Lenny Z. Malware: Fighting Malicious Code [M]. Indiana: Prentice Hall, 2003: 34-45.
David S, Mark R. Microsoft Windows Internals [M]. Washington: Microsoft Press, 2004: 88-102.
Rutkowska J. Detecting Windows Server Compromises with Patchfinder 2 [EB/OL]. [2005-01-20]. http://www.invisiblethings.org/papers/rootkits_detection_with_patchfinder2.pdf.
Cogswell B, Russinovich M. RootkitRevealer [EB/OL]. [2005-06-10]. http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml.
James B, Jeff U, John P. Hidden Processes: The Implication for Intrusion Detection [EB/OL]. [2005-01-20]. http://www.csee.umbc.edu/~stephens/SECURITY/491M/HiddenProcesses.ppt.
Sven B S. Undocumented Windows 2000 Secrets [M]. Boston: Addison Wesley, 2001: 143-152.




\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\




Rootkit detection from outside the Matrix

1. Arbaugh, W.A., Fraser, J.T., Molina, J., Petroni, N.L.: Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor. Available at: http://www.usenix.org/events/sec04/tech/full_papers/petroni/petroni_html/main.html, (2004)
2. Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: a tool for analyzing malware. In: proceedings of the 15th EICAR Conference, Hamburg, Germany, April 29 - May 3, 2006. In Journal in Computer Virology, EICAR 2006 Special Issue, V. Broucek et al. Editor (2006)
3. Bellard, F.: QEMU, a fast and portable dynamic translator. In: Proceedings of the 2005 USENIX Conference (2005)
4. BlackLight.: Available at: http://www.f-secure.com/blacklight/, (2006)
5. BootKit.: Available at: http://www.rootkit.com/vault/vipinkumar/, (2007)
6. Butler, J.: RAIDE: rootkit analysis identification elimination. Available at: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-Silberman-Butler.pdf, (2006)
7. Butler, J., Hoglund, G.: Rootkits: subverting the Windows kernel. Addison Wesley, ISBN 0-321-29431-9 (2006)
8. Butler, J., Hoglund, G.: VICE - Catch the hookers! (Plus new rootkit techniques). Available at http://www.rootkit.com/, (2006)
9. Cogswell, C., Russinovich, M.: RootkitRevealer. Available at: http://www.sysinternals.com/, (2006)
10. Elias: Detect if your program is running inside a Virtual Machine. 14 March 2005. Retrieved from: http://lgwm.org (Elias homepage), (2005)
11. Ferrie, P.: Attacks on virtual machine emulator. In: proceedings of AVAR 2006 Conference, Auckland, New Zealand, December 3–5, (2006)
12. Filiol, E.: Introduction to computer viruses: from theory to applications. IRIS International Series, Springer, Heidelberg (2005)
13. Filiol, F.: Malware pattern scanning schemes secure against black-box analysis. In: proceedings of the 15th EICAR Conference, Hamburg, Germany, April 29 - May 3, 2006, and In: Broucek, V., Turner, P. (eds.) Eicar 2006 Special Issue, J. Comput. Virol. 2(1), pp. 35–50 (2006)
14. Filiol, E.: Techniques virales avancées, IRIS Series, Springer Verlag France, January 2007. An English translation is pending (due mid 2007)
15. Filiol, F., Josse, S.: A statistical model for undecidable viral detection. In: proceedings of the 16th EICAR Conference, Budapest, Hungary, May 5 - 8, 2007. In: Broucek, V. (ed.) Eicar 2007 Special Issue, J Comput Virol 3(2), (2007)
16. Fu.: Fu rootkit. Available at: https://www.rootkit.com/vault/fuzen_op/, (2006)
17. GhostBuster.: the Strider GhostBuster Project. Available at: http://research.microsoft.com/rootkit/, (2006)
18. Heasman, J.: Implementing and detecting an ACPI BIOS Rootkit, Black Hat Europe (2006)
19. Heasman, J.: Implementing and detecting a PCI rootkit, Available at: http://www.ngssoftware.com/, (2006)
20. IceSword.: IceSword, Available at: http://xfocus.net/tools/200509/1085.html, (2006)
21. IntelVT.: Intel Virtualization Technology, Available at: http://www.intel.com/technology/virtualization/, (2007)
22. Josse, S.: Secure and advanced unpacking using computer emulation. In: proceedings of the AVAR Conference, Auckland, New Zealand, December 3–5, (2006)
23. KPP.: Kernel Patch Protection: Frequently asked questions, Available at: http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx, (2006)
24. KprocCheck.: SIG^2 KprocCheck, Available at: http://www.security.org.sg/, (2006)
25. Permeh, R., Soeder, D.: eEye BootRoot: A Basis for Bootstrap-Based Windows Kernel Code, Available at: http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-soeder.pdf, (2006)
26. Russinovich, M.E., Solomon, D.A.: Inside Microsoft Windows 2000, 3rd edn. Microsoft Press, ISBN 0-7356-1021-5 (2000)
27. Russinovich, M.E., Solomon, D.A.: Microsoft windows internals, 4th edn: Microsoft Windows Server 2003, Windows XP, and Windows 2000, (2004)
28. Rutkowska, J.: Red Pill... or how to detect VMM using (almost) one CPU instruction. Retrieved from: http://www.invisiblethings.org/papers/, (2004)
29. Rutkowska, J.: Detecting Windows Server Compromises with Patchfinder 2. Retrieved from: http://www.invisiblethings.org/papers/, (2004)
30. Rutkowska, J.: System virginity verifier, defining the roadmap for malware detection on windows system. Hack in the box security conference, September 28th-29th 2005, Kuala Lumpur, Malaysia (2005)
31. Rutkowska, J.: Subverting Vista(TM) kernel for fun and profit. SyScan'06 July 21st, 2006, Singapore & Black Hat Briefings 2006 August 3rd, 2006, Las Vegas (2006)
32. Szor, P.: The art of computer virus research and defense, Addison-Wesley, ISBN 0-321-30454-3 (2005)
33. Z0mbie.: Z0mbie. VMWare has you. Retrieved from: http://vx.netlux.org/, (2001)
34. Zeichick, A.: Coming soon to VMware, microsoft, and Xen: AMD virtualization technology solves virtualization challenges, Available at: http://www.devx.com/amd/Article/30186/, (2005)
35. Zhou, M., Zuo, Z.: Some further theoretical results about computer viruses, In: The computer journal, vol. 47, No 6 (2004)
36. Zovi, D.A.D.: Hardware virtualization rootkits. Black Hat Federal 2006, Washington D.C., January 25th (2006)



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


Virtualizing Rootkits: The Almost Perfect Camouflage

[1] King, Samuel; Subvirt: Implementing Malware with virtual machines. http://www.eecs.umich.edu/~pmchen/papers/king06.pdf, March 2006.
[2] Rutkowska, Joanna; Red Pill, http://invisiblethings.org/papers/redpill.html
[3] Klein, Tobias; scoopydoo, http://trapkit.de/research/vmm/scoopydoo/index.html
[4] Klein, Tobias; jerry, http://trapkit.de/research/vmm/jerry/index.html
[5] Laggner, Manuel; Erkennen virtualisierender Rootkits, Master's thesis, FH-OÖ Campus Hagenberg, 2007
[6] Tanenbaum, Andrew S.; Moderne Betriebssysteme, Hanser-Verlag, 2003
[7] Radonic, A.; Meyer, F.; XEN33, Franzis Profession Series, 2006
[8] Kern, C.; Paravirtualisierung und Virtualisierungstechnologie, http://www.lrr.in.tum.de/~stodden/teaching/sem/virt/ss06/doc/virt06-07-20060531-kern-sld%20-%20Paravirtualisierung.pdf, 2006.
[9] Rosen, R.; Virtualization in Xen 3.0, http://www.linuxjournal.com/article/8909, 2006.
[10] Vrtala, A.; Ihr Linux-Rechner wurde assimiliert – ist Widerstand zwecklos? Rootkits unter Linux, http://www.univie.ac.at/comment/06-/061_19.html, 2006.
[11] Alsbih, A.; Rootkits für den Linux-Kernel 2.6, Linux Magazin, issue 06, pp. 56–61, 2006.
[12] Kato, K.; VMware Backdoor I/O Port, http://chitchat.at.infoseek.co.jp/vmware/backdoor.html, 2006.
[13] Liston, Tom and Skoudis, E.; On the Cutting Edge: Thwarting Virtual Machine Detection, http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf, 2006.


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


Windows Rootkits: A Current Threat

DuD • Datenschutz und Datensicherheit 30 (2006) 8

[BTA89] Black_Tie_Affair, Hiding Out Under Unix, Phrack Magazine, Issue 25, File 6, http://www.phrack.org/phrack/25/P25-06, March 1989
[BuSp05a] Butler, J., Sparks, S., Windows rootkits of 2005, part one, http://www.securityfocus.com/infocus/1850, November 2005
[BuSp05b] Butler, J., Sparks, S., Windows rootkits of 2005, part two, http://www.securityfocus.com/infocus/1851, November 2005
[CERT94] CERT/CC, CERT Advisory CA-94-01 Ongoing Network Monitoring Attacks, http://www.cert.org/advisories/CA-1994-01.html, February 1994
[CERT95] CERT/CC, CERT Advisory CA-95-18 Widespread Attacks on Internet Sites, http://www.cert.org/advisories/CA-1995-18.html, December 1995
[DFS03] Dolle, W., Fritzinger, T., Schmidt, J., Heimliche Hintertüren – Rootkits aufspüren und beseitigen, article on Heise Security, http://www.heise.de/security/artikel/38057, June 2003
[FU04] fuzen_op, FU rootkit, project home page at www.rootkit.com, http://www.rootkit.com/project.php?id=12, July 2004
[HoBu05] Hoglund, G., Butler, J., Rootkits – den Windows-Kernel unterwandern, Addison-Wesley-Verlag 2005, ISBN 3-8273-2341-X
[Hog99] Hoglund, G., A *REAL* NT Rootkit, patching the NT Kernel, Phrack Magazine, Issue 55, File 5, http://www.phrack.org/phrack/55/P55-05, September 1999
[HX05] Holy_Father, Hacker defender 1.0.0 revisited, http://hxdef.org/, November 2005
[Kin06] King, S. T., et al., SubVirt: Implementing malware with virtual machines, Proceedings of the 2006 IEEE Symposium on Security and Privacy, http://www.eecs.umich.edu/Rio/papers/king06.pdf, May 2006
[Küh03] Kühnhauser, W. E., Rootkits, DuD 4/2003
[McA06] McAfee AVERT Technical White Papers, Rootkits, Part 1 of 3: The Growing Threat, http://download.nai.com/products/mcafee-avert/WhitePapers/AKapoor_Rootkits1.pdf, April 2006
[Nor05] Norton, Q., Sony Numbers Add Up to Trouble, Wired News, http://www.wired.com/news/privacy/0,1848,69573,00.html, November 2005
[OSR05] OSR Online, DeviceTree V2.18, http://www.osronline.com/article.cfm?article=97, October 2005
[Rus05] Russinovich, M., Sony, Rootkits and Digital Rights Management Gone Too Far, http://www.sysinternals.com/blog/2005/10/sony-rootkits-and-digital-rights.html, October 2005
[Rut03] Rutkowska, J., Concepts for the Stealth Windows Rootkit (The Chameleon Project), http://www.invisiblethings.org/papers/chameleon_concepts.pdf, September 2003
[SpBu05] Sparks, S., Butler, J., Shadow Walker – Raising The Bar For Windows Rootkit Detection, Phrack Magazine, Issue 63, File 8, http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt, August 2005
[Sym06] Symantec Security Advisory, Symantec Norton Protected Recycle Bin Exposure, http://securityresponse.symantec.com/avcenter/security/Content/2006.01.10.html, January 2006



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


Windows Rootkits and Their Detection




\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
