Dual-mode kernel rootkit scan and recovery with process ID Brute-Force

Ji Won Choi; Sang Jun Park; Seong Jin Byeon; Dongho Kim

doi:10.1166/asl.2017.8624

Dual-mode kernel rootkit scan and recovery with process ID Brute-Force

Ji Won Choi, Sang Jun Park, Seong Jin Byeon, Dongho Kim

Software Education Institute

Dongguk University

Research output: Contribution to journal › Article › peer-review

2 Scopus citations

Abstract

Rootkit is a malware that attacks a system continuously by hiding files, processes, and registries in a system. DKOM (Direct Kernel Object Manipulation) is a process hiding technique that manipulates a kernel object. AL-DKOM (All Link—Direct Kernel Object Manipulation) is an extended version of DKOM that manipulates all the modifiable links in the kernel object. It is difficult to detect with existing tools. This paper designed and implemented a new AL-DKOM detection system using dual-mode operation and PIDB-based process scan that was not possible with existing List Walking method. In addition, we explain the recovery procedure of the infected system and flexible system management via process recovery that has not been tried before. We then show the performance of the new system by comparing and analyzing the effectiveness of the new system and existing rootkit scanning tools with real rootkit samples.

Original language	English
Pages (from-to)	1568-1572
Number of pages	5
Journal	Advanced Science Letters
Volume	23
Issue number	3
DOIs	https://doi.org/10.1166/asl.2017.8624
State	Published - Mar 2017

Keywords

AL-DKOM
Dual-mode
PIDB
Rootkit

Access to Document

10.1166/asl.2017.8624

Cite this

@article{6540003e6d3d4474a4d372463ece5ac4,

title = "Dual-mode kernel rootkit scan and recovery with process ID Brute-Force",

abstract = "Rootkit is a malware that attacks a system continuously by hiding files, processes, and registries in a system. DKOM (Direct Kernel Object Manipulation) is a process hiding technique that manipulates a kernel object. AL-DKOM (All Link—Direct Kernel Object Manipulation) is an extended version of DKOM that manipulates all the modifiable links in the kernel object. It is difficult to detect with existing tools. This paper designed and implemented a new AL-DKOM detection system using dual-mode operation and PIDB-based process scan that was not possible with existing List Walking method. In addition, we explain the recovery procedure of the infected system and flexible system management via process recovery that has not been tried before. We then show the performance of the new system by comparing and analyzing the effectiveness of the new system and existing rootkit scanning tools with real rootkit samples.",

keywords = "AL-DKOM, Dual-mode, PIDB, Rootkit",

author = "Choi, {Ji Won} and Park, {Sang Jun} and Byeon, {Seong Jin} and Dongho Kim",

year = "2017",

month = mar,

doi = "10.1166/asl.2017.8624",

language = "English",

volume = "23",

pages = "1568--1572",

journal = "Advanced Science Letters",

issn = "1936-6612",

publisher = "American Scientific Publishers",

number = "3",

}

TY - JOUR

T1 - Dual-mode kernel rootkit scan and recovery with process ID Brute-Force

AU - Choi, Ji Won

AU - Park, Sang Jun

AU - Byeon, Seong Jin

AU - Kim, Dongho

PY - 2017/3

Y1 - 2017/3

N2 - Rootkit is a malware that attacks a system continuously by hiding files, processes, and registries in a system. DKOM (Direct Kernel Object Manipulation) is a process hiding technique that manipulates a kernel object. AL-DKOM (All Link—Direct Kernel Object Manipulation) is an extended version of DKOM that manipulates all the modifiable links in the kernel object. It is difficult to detect with existing tools. This paper designed and implemented a new AL-DKOM detection system using dual-mode operation and PIDB-based process scan that was not possible with existing List Walking method. In addition, we explain the recovery procedure of the infected system and flexible system management via process recovery that has not been tried before. We then show the performance of the new system by comparing and analyzing the effectiveness of the new system and existing rootkit scanning tools with real rootkit samples.

AB - Rootkit is a malware that attacks a system continuously by hiding files, processes, and registries in a system. DKOM (Direct Kernel Object Manipulation) is a process hiding technique that manipulates a kernel object. AL-DKOM (All Link—Direct Kernel Object Manipulation) is an extended version of DKOM that manipulates all the modifiable links in the kernel object. It is difficult to detect with existing tools. This paper designed and implemented a new AL-DKOM detection system using dual-mode operation and PIDB-based process scan that was not possible with existing List Walking method. In addition, we explain the recovery procedure of the infected system and flexible system management via process recovery that has not been tried before. We then show the performance of the new system by comparing and analyzing the effectiveness of the new system and existing rootkit scanning tools with real rootkit samples.

KW - AL-DKOM

KW - Dual-mode

KW - PIDB

KW - Rootkit

UR - http://www.scopus.com/inward/record.url?scp=85018562778&partnerID=8YFLogxK

U2 - 10.1166/asl.2017.8624

DO - 10.1166/asl.2017.8624

M3 - Article

AN - SCOPUS:85018562778

SN - 1936-6612

VL - 23

SP - 1568

EP - 1572

JO - Advanced Science Letters

JF - Advanced Science Letters

IS - 3

ER -

Dual-mode kernel rootkit scan and recovery with process ID Brute-Force

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this