On the Effectiveness of Virtualisation Assisted View Comparison for Rootkit Detection
There is growing interest in tools for monitoring virtualization infrastructure and detecting malware within Virtual Machines (VMs). View comparison, or cross view validation, is a technique for detecting object hiding by malware. It involves comparing different views of the same system objects and looking for discrepancies that might indicate the use of object hiding techniques. The authors present Linebacker, a system for performing view comparison on VMware vSphere VMs. Linebacker compares external (i.e. hypervisor level) and internal (i.e. guest operating system level) views of process, file and registry objects within VMs to detect rootkits that cloak such objects from the view of the guest operating system.
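The core of the technique is a set difference between the two views, with one practical caveat the abstract only implies: the external and internal enumerations are never taken at the same instant, so a process that starts or exits between them shows up in exactly one view without being hidden by anything. The Python below is an added illustration, not Linebacker's code (the abstract gives no implementation detail); the PIDs, file paths, registry keys and the two-pass confirmation rule are constructed for the example.

```python
"""Cross view validation over process, file and registry objects (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# A view maps an object kind ("process", "file", "registry") to the set of
# identifiers that enumeration returned. The external view comes from the
# hypervisor side, the internal view from inside the guest OS.
View = Dict[str, Set[str]]


@dataclass(frozen=True)
class Finding:
    kind: str        # object type the discrepancy concerns
    identifier: str  # PID, path or key that one view reports and the other does not
    direction: str   # "hidden": external-only; "phantom": internal-only


def compare_views(external: View, internal: View) -> List[Finding]:
    """Compare one external/internal snapshot pair.

    Objects the hypervisor-level view sees but the guest-level view does not
    are the rootkit-hiding signal. Objects only the guest reports are kept as
    a separate class: usually timing noise, but still a disagreement worth
    recording rather than silently dropping.
    """
    findings: List[Finding] = []
    for kind in sorted(set(external) | set(internal)):
        ext = external.get(kind, set())
        intr = internal.get(kind, set())
        findings.extend(Finding(kind, i, "hidden") for i in sorted(ext - intr))
        findings.extend(Finding(kind, i, "phantom") for i in sorted(intr - ext))
    return findings


def confirmed_hidden(passes: List[Tuple[View, View]]) -> Set[Tuple[str, str]]:
    """Report only objects that are external-only in every snapshot pair.

    A process that exits between the external and internal enumeration is
    external-only once; a cloaked object stays external-only on every pass.
    Requiring agreement across passes suppresses that race without weakening
    detection of persistent hiding.
    """
    per_pass = [
        {(f.kind, f.identifier) for f in compare_views(ext, intr) if f.direction == "hidden"}
        for ext, intr in passes
    ]
    return set.intersection(*per_pass) if per_pass else set()


# Constructed sample snapshots (hypothetical PIDs, paths and keys, not real IoCs).
HIDDEN_DRIVER = r"C:\Windows\System32\drivers\example_hidden.sys"
HIDDEN_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\example_hidden"
VISIBLE_FILE = r"C:\Windows\notepad.exe"

PASS_1: Tuple[View, View] = (
    {   # external view: pid 2048 exited before the guest enumerated, pid 1337 is cloaked
        "process": {"pid 4", "pid 312", "pid 640", "pid 2048", "pid 1337"},
        "file": {VISIBLE_FILE, HIDDEN_DRIVER},
        "registry": {HIDDEN_KEY},
    },
    {   # internal view
        "process": {"pid 4", "pid 312", "pid 640"},
        "file": {VISIBLE_FILE},
        "registry": set(),
    },
)

PASS_2: Tuple[View, View] = (
    {   # external view: pid 3300 started after this snapshot was taken
        "process": {"pid 4", "pid 312", "pid 640", "pid 1337"},
        "file": {VISIBLE_FILE, HIDDEN_DRIVER},
        "registry": {HIDDEN_KEY},
    },
    {   # internal view
        "process": {"pid 4", "pid 312", "pid 640", "pid 3300"},
        "file": {VISIBLE_FILE},
        "registry": set(),
    },
)

SAMPLE_PASSES = [PASS_1, PASS_2]


def demo() -> Set[Tuple[str, str]]:
    """Run the two-pass comparison on the constructed snapshots."""
    return confirmed_hidden(SAMPLE_PASSES)


if __name__ == "__main__":
    for kind, ident in sorted(demo()):
        print(f"confirmed hidden {kind}: {ident}")
```

On the constructed data, pass 1 alone would flag `pid 2048` as hidden and pass 2 alone would record `pid 3300` as a phantom; only `pid 1337`, the driver file and the service key survive the cross-pass intersection, which is the behaviour a production view comparator needs so that ordinary process churn does not page an analyst.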