Defend against kernel malware

Kernel malware, commonly known as rootkits, consists of malicious applications that run in the kernel of the OS with absolute rights to system resources.  End-user devices infected with this type of application are open to undetectable processes that can steal data, collect PII, and otherwise control the system regardless of any anti-virus or personal firewall software present.

How kernel malware works
According to Kimmo Kasslin at F-Secure, there are two types of kernel malware infections in Microsoft Windows environments: full-kernel and semi-kernel (“Kernel Malware: The Attack from Within”, 2006).  Before jumping into a description of each, it’s important to review how Windows memory is managed from a system protection perspective.  See Figure 1.

[Figure 1: image not reproduced]

Windows applications run in one of two modes: kernel mode or user mode.  Kernel mode applications perform tasks such as accessing hardware resources on behalf of a user application.  These applications typically have privileged access to system resources.  Because of this, user applications are run in user mode to protect the integrity of the operating system.  User mode applications, like word processors and Internet browsers, are unable to directly access hardware or protected OS services.  Rather, they must make calls to kernel libraries or drivers that ensure resource requests are executed on behalf of the user applications.  This separation of processing tasks is enforced at the hardware level.  Kernel malware circumvents this abstraction of privileges by running in kernel mode with direct access to all system services.  In other words, it has complete control of the infected system.  One attack vector is the installation of a malicious driver.

Malware running in full-kernel mode performs all tasks within the kernel layer.  Although it might need a little help from the user to get installed, once operational it performs its assigned tasks without further user intervention. 

Semi-kernel mode malware runs in both user mode and kernel mode.  One method of deployment consists of placing a .dll or .exe in user mode with access to a kernel mode driver.

According to Kasslin, the rise in popularity of kernel malware coincides with the move of cyber criminals to a hacking-for-profit model.  The advantage to criminals is that kernel malware is usually undetectable by standard antivirus and antispyware applications.

Mounting a defense
The first line of defense is denying local administrator access to PC users.  If an attacker can’t take advantage of user privileges to install kernel-based software, the level of effort required to compromise the PC might be high enough to encourage him to find a softer target.  In addition, management should ensure users are aware of the dangers of clicking on unknown links and consenting to the installation of unauthorized software.

Another important control is the implementation of a personal firewall on all workstations.  This can help prevent self-propagating infections from spreading.  It should be coupled with a strong patch management process.  Patching helps eliminate software flaws that can be used to inject malicious kernel code.

Also, consider prohibiting the installation of any unsigned drivers.  Installation of malicious drivers is a favorite method of placing kernel malware on target systems.
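The three controls above (no local admin rights, patching, no unsigned drivers) can each be checked from a PowerShell prompt.  The script below is an added example and is not part of the original article: it lists running kernel drivers whose image lacks a valid Authenticode signature, shows who sits in the local Administrators group, and reports whether the kernel has been put into test-signing mode (which switches driver signature enforcement off).  It assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and an elevated prompt so that every driver image can be read.

```powershell
# Added example (not from the article): audit a Windows host for the defenses
# discussed above. Assumes Windows 10 / Server 2016 or later with the built-in
# Microsoft.PowerShell.LocalAccounts module; run from an elevated prompt.

# Turn the PathName reported by Win32_SystemDriver into a real file path.
# Drivers are registered as "\SystemRoot\System32\drivers\x.sys",
# "\??\C:\...\x.sys" or plain "system32\drivers\x.sys" depending on age.
function Resolve-DriverPath {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''                  # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot        # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^(system32|SysWOW64)\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return $p
}

# Running kernel drivers whose image is unsigned, tampered with, or missing on disk.
function Get-SuspectDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            } else {
                # A running driver whose image cannot be found on disk deserves a look on its own.
                [pscustomobject]@{ Name = $_.Name; Path = $_.PathName; Status = 'ImageNotFound'; Signer = '' }
            }
        } |
        Where-Object { $_.Status -ne 'Valid' }
}

# Every member of the local Administrators group can install a driver
# without asking anyone; this is the list to keep short.
function Get-LocalAdminAccount {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Test-signing mode disables driver signature enforcement for the whole kernel.
# bcdedit prints a "testsigning             Yes" line when it is on.
function Test-TestSigningEnabled {
    $bcd = & bcdedit.exe /enum '{current}' 2>$null
    return [bool]($bcd -match '^\s*testsigning\s+Yes')
}

Write-Host '== Running drivers without a valid Authenticode signature =='
Get-SuspectDriver | Format-Table -AutoSize

Write-Host '== Local Administrators group membership =='
Get-LocalAdminAccount | Format-Table -AutoSize

Write-Host ('== Test-signing mode enabled: {0} ==' -f (Test-TestSigningEnabled))
```

Treat the driver list as a triage starting point rather than a verdict: some in-box Microsoft drivers are signed through a catalog file rather than an embedded signature, and on older builds Get-AuthenticodeSignature reports those as NotSigned.  What matters is the driver nobody can account for, the one whose image is missing from disk, or any host where test-signing mode is on.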

Please see “Mount a Rootkit Defense” for more information on this growing threat.



Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be publish...
