Saturday, July 3, 2010

Detection of Rootkits: the Next Step

Everyone knows what a great challenge modern rootkits are. Millions of computers worldwide are infected with rootkit-based bots. Modern anti-virus and anti-rootkit solutions are useless for detecting most of them. The common approach in recent years has been the development of particular solutions that detect certain versions of some rootkit. Typically, these solutions stop working after a new version of the rootkit appears.

Our company has conducted extensive research in the field of rootkit detection over the past 3 years. We concluded that the detection of rootkits is possible using virtualization technologies. The recent hardware virtualization technologies Intel VT-x and AMD-V have facilitated this task.

We have designed Hypersight Rootkit Detector. It was the first Windows-based solution of this class. The first version of the program could intercept only a few actions typical for rootkits: modification of control registers, modification of executable code, and turning hardware virtualization on. This made it possible to detect many types of rootkits. Nevertheless, it was not enough: a rootkit could still bypass these interceptions.

Now we are proposing a more generic criterion for the detection of rootkits. All rootkits, regardless of the technologies used (SSDT hooking, DKOM, DKOH, Shadow Walker, splicing), share one common trait: they are executed on the processor. We have implemented an algorithm which performs basic checks on code prior to its execution. The technology is named Fast Code Test (FCT). Code executed at the privileged level is subjected to a number of basic checks. If the checks fail, a notification about undesirable activity is generated.

Currently, the checks are quite simple. Code running outside of the loaded drivers, the kernel and the HAL is considered suspicious. This approach makes it possible to detect the absolute majority of the currently known rootkits. Recent rootkits tend to run "covert" code in the kernel non-paged pool in order to avoid detection by memory scanning. This is exactly the activity detected by FCT.
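The check described in the two paragraphs above, written out as an added example (not Hypersight's code): kernel-mode instruction addresses are looked up against a table of loaded module ranges, and any privileged-mode address that falls outside the kernel, the HAL and the loaded drivers is reported as suspicious. The module table, the addresses and the execution trace are all constructed for the example; in a real detector the trace would come from the hypervisor's interception of privileged code, and the module list would be enumerated from the guest. The x64 canonical kernel-space boundary used to separate user-mode from kernel-mode addresses is an assumption of this example, not a detail taken from the post.

```python
import bisect
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    """One loaded kernel module: name plus the [base, base+size) address range."""
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        return self.base + self.size


# Constructed module table: names are real Windows components, but the base
# addresses and sizes are invented for this example.
LOADED_MODULES = [
    Module("ntoskrnl.exe", 0xFFFFF80001600000, 0x400000),  # kernel
    Module("hal.dll",      0xFFFFF80001A00000, 0x040000),  # HAL
    Module("ndis.sys",     0xFFFFF88001200000, 0x100000),  # a loaded driver
]

# Assumption: x64 canonical upper half is kernel space. Addresses below this
# are user-mode and are not part of the privileged-code check.
KERNEL_SPACE_START = 0xFFFF800000000000


class CodeOriginCheck:
    """Classifies an executed instruction address by the module it belongs to."""

    def __init__(self, modules):
        self._modules = sorted(modules, key=lambda m: m.base)
        # Overlapping ranges would make the lookup ambiguous; reject them early.
        for a, b in zip(self._modules, self._modules[1:]):
            if a.end > b.base:
                raise ValueError(f"overlapping modules: {a.name} / {b.name}")
        self._bases = [m.base for m in self._modules]

    def find_module(self, addr: int):
        """Return the module whose range contains addr, or None."""
        i = bisect.bisect_right(self._bases, addr) - 1
        if i >= 0 and self._modules[i].base <= addr < self._modules[i].end:
            return self._modules[i]
        return None

    def check(self, rip: int):
        """Verdict for one executed address: ('ignored'|'ok'|'suspicious', module name)."""
        if rip < KERNEL_SPACE_START:
            return ("ignored", None)          # user-mode code is out of scope here
        module = self.find_module(rip)
        if module is None:
            return ("suspicious", None)       # privileged code outside any known image
        return ("ok", module.name)


def fct_alerts(trace, modules=LOADED_MODULES):
    """Return the distinct privileged addresses in trace that run outside known modules."""
    checker = CodeOriginCheck(modules)
    flagged = []
    for rip in trace:
        verdict, _ = checker.check(rip)
        if verdict == "suspicious" and rip not in flagged:
            flagged.append(rip)
    return flagged


# Constructed execution trace: two kernel addresses, one driver address,
# one user-mode address, and one address in the non-paged pool region
# where no image is mapped (the "covert code" case from the post).
SAMPLE_TRACE = [
    0xFFFFF80001601000,   # inside ntoskrnl.exe
    0xFFFFF80001A00010,   # inside hal.dll
    0xFFFFF88001250000,   # inside ndis.sys
    0x00007FF600001000,   # user-mode, ignored
    0xFFFFFA8003001234,   # kernel address with no module: suspicious
    0xFFFFFA8003001234,   # repeated hit, reported once
]

if __name__ == "__main__":
    for addr in fct_alerts(SAMPLE_TRACE):
        print(f"FCT: privileged code executed outside loaded images at {addr:#018x}")
```

The range check is deliberately the only rule, mirroring the post's "currently quite simple" stage; a module table loaded at detector start is also the minimum state a whitelisting or signature step would need later. Note the boundary case: an address equal to a module's end (one past its last byte) is outside the image and is flagged, which matters if the table is built from image sizes that exclude trailing padding.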

Signature scanning and code whitelisting will be the next steps in the development of Fast Code Test.

Fast Code Test significantly complicates the task of writing an "undetectable" rootkit. We plan to develop this technology further in terms of productivity and efficiency. We hope it will help people analyze new rootkits faster and more efficiently.
