2007
DOI: 10.1007/s11416-007-0069-6
|View full text |Cite
|
Sign up to set email alerts
|

Rootkit modeling and experiments under Linux

Abstract: This article deals with rootkit conception. We show how these particular malicious codes are innovative comparing to usual malware like virus, Trojan horses, etc. From that comparison, we introduce a functional architecture for rootkits. We also propose some criteria to characterize a rootkit and thus, to qualify and assess the different kinds of rootkits. We purposely adopt a global view with respect to this topic, that is, we do not restrict our study to the rootkit software. Namely, we also consider the com… Show more

Help me understand this report

Search citation statements

Order By: Relevance

Paper Sections

Select...
1
1
1

Citation Types

0
32
0

Year Published

2009
2009
2024
2024

Publication Types

Select...
2
2
1

Relationship

1
4

Authors

Journals

citations
Cited by 7 publications
(32 citation statements)
references
References 10 publications
0
32
0
Order By: Relevance
“…To insert itself into the kernel control flow, in-memory rootkits either hook into legitimate kernel functions [10], [35], [52] or modify kernel data structures [13], [14], [29]. To detect this type of subversion, kernel level rootkit detectors first build a ground truth on a set of kernel invariants and then detect any alteration of these invariants [30], [72], [73], [78].…”
Section: Related Workmentioning
confidence: 99%
“…To insert itself into the kernel control flow, in-memory rootkits either hook into legitimate kernel functions [10], [35], [52] or modify kernel data structures [13], [14], [29]. To detect this type of subversion, kernel level rootkit detectors first build a ground truth on a set of kernel invariants and then detect any alteration of these invariants [30], [72], [73], [78].…”
Section: Related Workmentioning
confidence: 99%
“…Some attackers, in order to install kernel rootkits [2], copy the IDT, then modify this copy to finally load its address into the idtr register of the processor (thus replacing the previous one) [28]. This last action is malicious and is part of this class.…”
Section: Class 2-alteration Of the Execution Environment Memory -Clasmentioning
confidence: 99%
“…3.1, kernel features that directly provide write access to any region of the kernel space (such as the kernel module loader, the /dev/kmem or /dev/mem devices in the Linux case) are broadly used by lots of malware to inject themselves into the kernel memory space [2]. These features must obviously be controlled.…”
Section: Control Of the Access Vectors To The Kernel Memorymentioning
confidence: 99%
See 1 more Smart Citation
“…Reference [1] defines the rootkit as "a set of modifications that allow an attacker to maintain along the time a fraudulent control of the information system". Typically, a rootkit should have the following basic functions by modifying a system: one is to provide malicious backdoor services; the other is to hide itself to evade the security detection.…”
mentioning
confidence: 99%