Rootkit攻防机制与实现方法

doi:10.11959/j.issn.1000-0801.2018298

Abstract

Abstract:

Rootkit is a set of malicious codes that can attack the system kernel and achieve deep hiding,which has posed serious threats to cyber security.Firstly,the basic features of Rootkit/Bootkit were introduced,and the characteristics of Rootkit attacks in user mode and kernel mode were compared and analyzed.Thereafter,the implementation principles and working mechanisms of Hook,DKOM and virtualization technologies involved in Rootkit attacks were emphatically analyzed.Combined with the specific attack behaviors,the main detection methods and defense techniques for Rootkit attacks were discussed at the end.

Key words: network attack and defense, malware, Rootkit, hooking attack, network security

CLC Number:

TP393

Fujuan LI,Qun WANG. Mechanism and implementation of Rootkit attack and defense[J]. Telecommunications Science, 2018, 34(12): 33-45.

Figures/Tables 5

References 27

[1]	JERLIN M A . A review on advanced evasion techniques[J]. International Journal of Pharmacy ＆ Technology, 2016,8(4): 4917-4924.
[2]	XIA H , XU Y , XIA H ,et al. Design and research of safety test model based on advanced evasion techniques[C]// Global Conference on Mechanics and Civil Engineering (GCMCE2017),April 21-23,2017,Nanjing,China.[S.l.:sn]. 2017: 92-96.
[3]	GURI M , POLIAK Y , SHAPIRA B ,et al. JoKER:trusted detection of Kernel Rootkits in android devices via JTAG interface[C]// IEEE Trustcom/BigDatase/ISPA,Aug 20-22,2015,Helsinki,Finland. Washington DC:IEEE Computer Society, 2015: 65-73.
[4]	DAMOPOULOS D , KAMBOURAKIS G , GRITZALIS S . iSAM:an iPhone stealth airborne malware[J]. IFIP Advances in Information ＆ Communication Technology, 2017: 17-28.
[5]	VETTER J , JUNKER-PETSCHICK M , NORDHOLZ J ,et al. Uncloaking Rootkits on mobile devices with a hypervisor-based detector[C]// International Conference on Information Security and Cryptology,March 10,2016,Seoul,South Korea. Berlin:Springer Press, 2016: 262-277.
[6]	张瑜, 刘庆中, 李涛 ,等. Rootkit研究综述[J]. 电子科技大学学报, 2015,44(4): 563-578.
	ZHANG Y , LIU Q Z , LI T ,et al. Research and development of Rootkit[J]. Journal of University of Electronic Science and Technology of China, 2015,44(4): 563-578.
[7]	RICHER T J , NEALE G , OSBORNE G . On the effectiveness of virtualisation assisted view comparison for Rootkit detection[C]// The 13th Australasian Information Security Conference July 7-9,2008,Sydney,Australia. Berlin:Springer Press, 2008: 35-44.
[8]	DAWSON J A , MCDONAID J T , SHROPSHIRE J ,et al. Rootkit detection through phase-space analysis of power voltage measurements[C]// International Conference on Malicious and Unwanted Software,Oct 11-14,2017,Fajardo,Puerto Rico. Piscataway:IEEE Press, 2017: 19-27.
[9]	YANG H Y , ZHUGE J W , LIU H M ,et al. A tool for volatile memory acquisition from android devices[C]// 12th IFIP WG 11.9 International Conference,September 20,2016,New Delhi,India. Berlin:Springer, 2016: 365-378.
[10]	JOY J , JOHN A , JOY J . Rootkit detection mechanism:a survey[J]. Communications in Computer ＆ Information Science, 2011(203): 366-374.
[11]	SYED R , GABRIEL L , MATT G ,et al. Advocating for hybrid intrusion detection prevention system and framework improvement[J]. Procedia Computer Science, 2016(95): 369-374.
[12]	SUN H M , WANG H , WANG K H ,et al. A native APIs protection mechanism in the Kernel mode against malicious code[J]. IEEE Transactions on Computers, 2011,60(6): 813-823.
[13]	SHAID S Z M , MAAROF M A . In memory detection of Windows API call hooking technique[C]// International Conference on Computer,Communications,and Control Technology,April 21-23,2015,Kuching,Malaysia. Piscataway:IEEE Press, 2015: 294-298.
[14]	WANG Y , GU D , LI W ,et al. Virus analysis on IDT hooks of Rootkits Trojan[C]// International Symposium on Information Engineering and Electronic Commerce,May 6-17,2009,Ternopil,Ukraine. Washington DC:IEEE Computer Society, 2009: 224-228.
[15]	PAN M R , CAO T J . Research on process hiding technology based on direct kernel object manipulation[J]. Computer Engineering, 2010,36(18): 138-140.
[16]	GRANISEWSKI W , ARCISXEWKI A . Performance analysis of selected hypervisors (virtual machine monitors-VMMs)[J]. International Journal of Electronics ＆ Telecommunications, 2016,62(3): 231-236.
[17]	UHLIG R , NEIGER G , RODGERS D ,et al. Intel virtualization technology[J]. Computer, 2005,38(5): 48-56.
[18]	KING S T , CHEN P M . Sub Virt:implementing malware with virtual machines[C]// 2006 IEEE Symposium on Security and Privacy,May 21-24,2006,Berkeley/Oakland,CA,USA. Washington DC:IEEE Computer Society, 2006: 314-327.
[19]	SERGEEV A , MINCHENKOV V , BASHUN V . Malicious hypervisor and hidden virtualization of operation systems[C]// International Conference on Application of Information and Communication Technologies,Oct 14-16,2015,Rostov on Don,Russia. Piscataway:IEEE Press, 2015: 178-182.
[20]	EMBLETON S , SPARKS S , ZOU C . SMM Rootkits:a new breed of OS independent malware[J]. Security ＆ Communication Networks, 2013,6(12): 1590-1605.
[21]	LUCKETT P , MCDONALD J T , DAWSON J . Neural network analysis of system call timing for Rootkit detection[C]// Cyber Security Symposium,April 18-20,2016,Coeur d’Alene,ID,USA. Piscataway:IEEE Press, 2016.
[22]	CASE A , III G G R . Advancing mac OS X Rootkit detection[J]. Digital Investigation, 2015(14): S25-S33.
[23]	ECKERT M , PODEORAD I , KLAUER B . Hardware based security enhanced direct memory access[Z]. 2017.
[24]	ZHU J , ZHOU T , WANG Q . Towards a novel approach for hidden process detection based on physical memory scanning[C]// Fourth International Conference on Multimedia Information Networking and Security,Nov 2-4,2012,Nanjing,China. Washington DC:IEEE Computer Society, 2012: 662-665.
[25]	MAENE P , GOTZFRIED J , CLERERCQ R D ,et al. Hardware-based trusted computing architectures for isolation and attestation[J]. IEEE Transactions on Computers, 2018,67(3): 361-374.
[26]	DESNOS A , FILIOL E , LEFOU I . Detecting (and creating!) a HVM Rootkit (aka blue Pill-like)[J]. Journal in Computer Virology, 2011,7(1): 23-50.
[27]	ZHANG L , SHETTY S , LIU P ,et al. Rootkit Det:practical end-to-end defense against kernel Rootkits in a cloud environment[C]// European Symposium on Research in Computer Security,September 10,2014,Wroclaw,Poland. Berlin:Springer, 2014: 475-493.

Metrics

Recommended 0

No Suggested Reading articles found!

Mechanism and implementation of Rootkit attack and defense

RichHTML

PDF下载

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 5

References 27

Related Articles 15

Metrics

Recommended 0

[1]	Le ZHANG, Hongyuan MA. Practice on edge cloud security of telecom operators [J]. Telecommunications Science, 2023, 39(4): 165-172.
[2]	Weixiong CHEN, Xiaochen YANG, Zengjun CHUN, Ruolan LI, Hua ZHANG. Research and practice of network security threat intelligence management system for power enterprise [J]. Telecommunications Science, 2022, 38(7): 184-189.
[3]	Yatian LIU, Bowen HU, Maofei CHEN, Dongxin LIU. Study on the 5GC security situational awareness system [J]. Telecommunications Science, 2022, 38(11): 73-85.
[4]	Xiaotong YE, Wenfei SUN, Shigen SHEN. Availability evaluation method for extended epidemic model and Markov chain based IoT [J]. Telecommunications Science, 2021, 37(4): 37-45.
[5]	Yue GU, Dan LI, Kaihui GAO. Research on network traffic classification based on machine learning and deep learning [J]. Telecommunications Science, 2021, 37(3): 105-113.
[6]	Liyue CHEN,Xin SUN,Tiansheng CHENG,Chunming WU,Shuangxi CHEN. Defense of hidden backdoor technology for Web [J]. Telecommunications Science, 2020, 36(5): 39-46.
[7]	Ming GAO,Jin LUO,Huiying ZHOU,Hai JIAO,Lili YING. A differential feedback scheduling decision algorithm based on mimic defense [J]. Telecommunications Science, 2020, 36(5): 73-82.
[8]	Yuanying XIAO,Yaodong YOU,Lixi XIANG. Causes and optimization of the false alarm rate of code review system [J]. Telecommunications Science, 2020, 36(12): 155-162.
[9]	Zhiqiang YANG,Li SU,Minpeng QI,Bo YANG. Overview and prospect of 5G security [J]. Telecommunications Science, 2020, 36(12): 1-19.
[10]	Guofeng HE. Application protection in 5G cloud network using zero trust architecture [J]. Telecommunications Science, 2020, 36(12): 123-132.
[11]	Ping XIE,Xiaosong LIU. Security of the deployment of SDN-based IoT using blockchain [J]. Telecommunications Science, 2020, 36(12): 139-146.
[12]	Hang YU,Shuai WANG,Huamin JIN. RASP based Web security detection method [J]. Telecommunications Science, 2020, 36(11): 113-120.
[13]	Junwen WANG. Technical requirement of future industrial internet [J]. Telecommunications Science, 2019, 35(8): 26-38.
[14]	ZHANG Hong,SHEN Shigen,WU Xiaojun,CAO Qiying. WSN malware infection model based on cellular automaton and static Bayesian game [J]. Telecommunications Science, 2019, 35(6): 60-69.
[15]	Cong LI, Bo LEI, Chongfeng XIE, Yunhe LI. Trustworthy network based on blockchain technology [J]. Telecommunications Science, 2019, 35(10): 60-68.