Dynamic Detection of Process-Hiding Kernel Rootkits


Executive Summary

Stealth rootkits that hide themselves on victim systems pose a major threat. They are hard to detect because they use sophisticated stealth techniques to conceal files, processes, kernel modules, and other kinds of objects, which makes establishing their presence on the victim system extremely challenging. Current detection techniques, however, are mostly system-specific and ineffective against unknown rootkits. In this paper, the authors present the design, implementation and evaluation of XView, a dynamic cross-view approach that detects rootkits by identifying hidden processes. To this end, they continuously maintain a list of active processes from outside the monitored system and compare it with the list the guest system reports; a process that appears in the external list but is missing from the guest's list has been hidden.
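The cross-view idea in the summary, as an added example that is not XView's own code: XView takes its reference view from outside the monitored system, whereas this Linux program takes both views from inside the guest, which is the simplest way to show the comparison. The reported view is the set of numeric entries `readdir()` returns for `/proc`, the listing a process-hiding rootkit typically filters; the independent view asks the kernel about every candidate id with `kill(pid, 0)`. Two `/proc` snapshots taken around the probe suppress processes that merely started or exited in the meantime, and a Tgid check discards thread ids, which `kill()` answers for but `/proc` never lists. The `PID_MAX` bound, the choice of `kill()` as the probe, and the thread filter are assumptions of this example. Because both views come from the same kernel, a rootkit that also hooks the probe syscall evades it; that limitation is exactly why XView keeps its reference list outside the monitored system.

```c
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PID_MAX    32768   /* assumed bound; real systems: /proc/sys/kernel/pid_max */
#define MAX_HIDDEN 256

typedef struct { unsigned char present[PID_MAX + 1]; } pid_view;

/* Reported view: numeric entries readdir() returns for /proc, the listing a
 * process-hiding rootkit usually filters. Returns -1 if /proc is unavailable. */
static int collect_proc_view(pid_view *v) {
    memset(v, 0, sizeof *v);
    DIR *d = opendir("/proc");
    if (!d) return -1;
    for (struct dirent *e; (e = readdir(d)) != NULL; ) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*e->d_name && *end == '\0' && pid >= 1 && pid <= PID_MAX) v->present[pid] = 1;
    }
    closedir(d);
    return 0;
}

/* Independent view: ask the kernel about every candidate id with kill(pid, 0).
 * Signal 0 delivers nothing; success or EPERM both mean the task exists. */
static void collect_probe_view(pid_view *v) {
    memset(v, 0, sizeof *v);
    for (int pid = 1; pid <= PID_MAX; pid++)
        if (kill(pid, 0) == 0 || errno == EPERM) v->present[pid] = 1;
}

/* kill() also answers for thread ids, which /proc never lists. A task whose
 * Tgid differs from its id is a thread of a listed process, not a hidden one.
 * An unreadable /proc/<pid>/status keeps the pid suspicious. */
static int is_thread_of_listed_process(int pid) {
    char path[64], line[128];
    int tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Tgid: %d", &tgid) == 1) break;
    fclose(f);
    return tgid > 0 && tgid != pid;
}

/* Cross-view difference: ids the probe sees that are absent from both /proc
 * snapshots taken around the probe (absence from both suppresses processes
 * that started or exited while probing). Returns the total count; at most
 * max ids are written to out. */
static int cross_view_diff(const pid_view *before, const pid_view *probed,
                           const pid_view *after, int *out, int max) {
    int n = 0;
    for (int pid = 1; pid <= PID_MAX; pid++)
        if (probed->present[pid] && !before->present[pid] && !after->present[pid]) {
            if (n < max) out[n] = pid;
            n++;
        }
    return n;
}

/* Live check: number of hidden pids written to out, or -1 if /proc is unreadable. */
static int find_hidden_pids(int *out, int max) {
    static pid_view before, probed, after;   /* ~96 KB, kept off the stack */
    int cand[MAX_HIDDEN], n = 0;
    if (collect_proc_view(&before) < 0) return -1;
    collect_probe_view(&probed);
    if (collect_proc_view(&after) < 0) return -1;
    int nc = cross_view_diff(&before, &probed, &after, cand, MAX_HIDDEN);
    if (nc > MAX_HIDDEN) nc = MAX_HIDDEN;
    for (int i = 0; i < nc; i++)
        if (!is_thread_of_listed_process(cand[i]) && n < max) out[n++] = cand[i];
    return n;
}

/* Self-check on constructed views (no real processes): 1337 answers the probe
 * but is in neither snapshot, so it is hidden; 4000 is only in the second
 * snapshot, so it merely started during the probe and is not flagged. */
static int selftest_cross_view_diff(void) {
    static pid_view before, probed, after;   /* static storage starts zeroed */
    int out[4];
    before.present[10] = before.present[20] = 1;
    probed.present[10] = probed.present[20] = probed.present[1337] = probed.present[4000] = 1;
    after.present[10] = after.present[20] = after.present[4000] = 1;
    int n = cross_view_diff(&before, &probed, &after, out, 4);
    return n == 1 ? out[0] : -1;
}

int main(void) {
    int hidden[MAX_HIDDEN];
    int n = find_hidden_pids(hidden, MAX_HIDDEN);
    if (n < 0) { perror("/proc"); return 2; }
    for (int i = 0; i < n; i++)
        printf("hidden pid %d: answers kill(pid,0) but is absent from /proc\n", hidden[i]);
    return n ? 1 : 0;
}
```

Run it as root so that `/proc/<pid>/status` is readable for every task; as an unprivileged user the Tgid check cannot read other users' status files and will report their threads as suspicious. On a clean system the diff is empty; a hit means a task the kernel will deliver signals to is missing from the listing every process-monitoring tool relies on.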
