The third and final article in this series explores five different rootkit detection techniques used to discover Windows rootkit deployments. Additionally, nine different tools designed for administrators are discussed.

Rootkits have become very sophisticated over the past few years, and in 2005 we have seen a surge in rootkit deployments in spyware, worms, botnets, and even music CDs. Although once a computer system has been subverted by a rootkit it is extremely difficult to detect or eradicate the rootkit, there are still several detection methodologies that have worked to varying degrees. Part one looked at what Windows rootkits are and what makes them so dangerous. Part two examined the latest cutting-edge rootkit technologies and how they achieve stealth. Now in part three, we explore five such detection techniques and, where possible, provide information about different rootkit detection tools.

Signature based detection methods have been in use by antiviral products for years. System files are scanned for a sequence of bytes that comprise a "fingerprint" that is unique to a particular rootkit. If the signature is found in a file on the user's system, it signals an infection. As signature scanning has traditionally been applied to the filesystem, its usefulness for rootkit detection is limited unless it is combined with some more advanced detection techniques. This is due to the rootkit's natural propensity to hide files using execution path hooking techniques.

Despite their antiquity, signature based detections are worth mentioning because they may be applied with success to scanning system memory in addition to filesystem scanning. Ironically, most public kernel rootkits are susceptible to signature scans of kernel memory. As kernel drivers, they typically reside in non-paged memory and few, if any, make an effort towards any kind of polymorphic code obfuscation. Thus, a scan of kernel memory should trivially identify most public kernel rootkits regardless of their underlying "bag of tricks" (DKOM, SSDT, IDT hooking and the like). The key words in that last sentence, however, are "public rootkits" because signature based detection is, by definition, useless against malware for which a known signature does not exist. Finally, signature based detection methods are useless against Virtual Memory Manager (VMM) hooking rootkits like Shadow Walker which are capable of controlling the memory reads of a scanner application.

Where signature based detections fall short, heuristic detections take over. Their primary advantage lies in their ability to identify new, previously unidentified rootkits. They work by recognizing deviations in "normal" system patterns or behaviors. Various heuristics have been proposed for identifying rootkits based upon execution path hooking. In this section we examine two such tools: VICE and Patchfinder.

VICE is a freeware tool written to detect hooks. It is a standalone program that installs a device driver to analyze both user mode applications and the operating system kernel. In the kernel, VICE checks the SSDT for function pointers that do not resolve to ntoskrnl.exe. Also, you can add devices to the file "driver.ini," and VICE will check the IRP major function table of the corresponding driver. If a function pointer in the IRP major function table of a driver does not consist of an address within the driver, then the IRP has been hooked by an outside driver or piece of kernel code. In user mode, VICE checks the address space of every application looking for IAT hooks in every DLL that the application uses. Inline function hooks are detected in DLL functions imported by applications and in the SSDT functions themselves. VICE will resolve what function is being hooked and the address of the hooking function. When possible, VICE will also display the full path on the filesystem of the DLL or device driver doing the hooking so that a System Administrator can remove the malicious software. Today, VICE will detect most publicly known Windows rootkits and any stealth related technology that uses hooking technologies. To run VICE, the host machine must have the Microsoft .NET Framework installed, which is free for download.

The current version of VICE has been targeted and subverted by at least one public rootkit. Rootkits have leveraged the fact that VICE always executes with a specific process name. When the rootkit detects the VICE process, it does not hook so VICE has nothing to detect. Another attack has targeted VICE's communication channel between the user mode portion and the device driver. However, VICE's biggest weakness may be the large number of false positives it returns. VICE was designed to detect hooks, but there are legitimate uses of hooks in the operating system.
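The SSDT and IRP major function table checks described above, as an added example that is not VICE's code and not from the original article: a function-pointer table is compared against the address range of the module that should own it, and any entry outside that range is reported together with the loaded module it resolves to. The module names, load addresses and table contents are constructed for illustration.

```python
# Added illustration, not VICE's own code: the pointer-range heuristic VICE
# applies to the SSDT and to a driver's IRP major function table, run over
# constructed tables. All addresses and module names below are made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str   # image name (ntoskrnl.exe or a driver)
    base: int   # load address
    size: int   # image size in bytes

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size

def resolve_module(addr, modules):
    """Loaded module whose image range covers addr, or None."""
    return next((m for m in modules if m.contains(addr)), None)

def find_hooks(table, owner, modules):
    """Flag entries that do not point into the module that should own the
    table (ntoskrnl.exe for the SSDT, the driver itself for its IRP table).
    Each finding carries the name of the module the pointer resolves to,
    as VICE reports the hooking DLL or driver, or None if nothing is mapped."""
    findings = []
    for index, target in enumerate(table):
        if not owner.contains(target):
            hooker = resolve_module(target, modules)
            findings.append((index, target, hooker.name if hooker else None))
    return findings

# Constructed module list: kernel image, a legitimate driver, a rogue driver.
NTOSKRNL = Module("ntoskrnl.exe", 0x80400000, 0x21A000)
DISK_SYS = Module("disk.sys", 0xF8A10000, 0x8000)
ROGUE_SYS = Module("rootkit.sys", 0xF8C00000, 0x4000)
MODULES = [NTOSKRNL, DISK_SYS, ROGUE_SYS]

# Constructed SSDT: entry 3 redirected into rootkit.sys, entry 6 pointing
# at memory no loaded module claims (still reported, owner unknown).
SAMPLE_SSDT = [0x80501000, 0x80501080, 0x80501100, 0xF8C00120,
               0x80501200, 0x80501280, 0xE1000000, 0x80501380]

# Constructed IRP major function table of disk.sys: entry 1 hooked.
SAMPLE_IRP_TABLE = [0xF8A11000, 0xF8C00200, 0xF8A11200]

if __name__ == "__main__":
    for name, table, owner in (("SSDT", SAMPLE_SSDT, NTOSKRNL),
                               ("IRP_MJ", SAMPLE_IRP_TABLE, DISK_SYS)):
        for idx, addr, who in find_hooks(table, owner, MODULES):
            print(f"{name}[{idx}] -> {addr:#010x} hooked by {who or 'unknown'}")
```

An entry that resolves to no loaded module is still reported, since a hook into unlisted memory is exactly the case a hidden driver produces; as the article notes, legitimate hooks will also show up here, so each finding still needs review.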