Challenges in kernel-mode memory scanning presented at Virus Bulletin 2009

by Aditya Kapoor (McAfee)

Summary: "Recent times have seen a rapid adoption of kernel-mode techniques among malware. Most new threats have at least one kernel-mode component if they do not operate entirely from the kernel. Kernel-mode memory scanners have become an imperative component of AV. This article presents a novel approach for kernel-mode memory scanning. We will reveal for the first time Avert Labs' patent-pending 'hook-based' memory scanning technology. We first explain the requirements for a memory scanner and then discuss the challenges we faced during implementation.

Obviously, an anti-virus scanner should be able to identify and clean a rootkit when the rootkit is running. The challenge lies not only in detecting that something suspicious is hidden on the system in all cases, but also in detection based on the bytes of the rootkit in order to classify them into specific families and in a short amount of time. We will discuss how we create efficient and extremely generic memory footprints.

Another challenge is to remove the rootkit once detected. An elegant scanner should make every attempt possible to remove the rootkit safely without rebooting the computer. To achieve this, in most cases there is a need to restore any modifications made by the rootkit. For example, if the scanner can restore user-mode and kernel-mode hooks the rootkit may be deleted without the need for a system reboot. The method to restore the hook is a challenging problem to solve. We will explain how this technology enables us to achieve dynamic memory restoration even in the most complex of cases like Mebroot (aka StealthMBR, Cutwail etc.). This is often a requirement in many enterprise environments where there are critical servers that administrators are reluctant to reboot.

Finally, we outline the advantages of this approach - such as how it eliminates the need for us to release stand-alone tools for specific threats, allowing us to deliver robust solutions through normal signature updates."