“Shadow Walker” — Raising The Bar For Rootkit Detection presented at Blackhat USA 2005

by Jamie Butler

Tags: Security

Summary: Last year at Black Hat, we introduced the rootkit FU. FU took an
unprecedented approach to hiding, not previously seen in a Windows rootkit.
Rather than patching code or modifying function pointers in well-known
operating system structures such as the system call table, FU demonstrated
that it was possible to control the execution path indirectly by modifying
private kernel objects in memory. This technique was coined DKOM, or Direct
Kernel Object Manipulation. The difficulty of detecting this form of attack
caused concern for anti-malware developers. This year, FU teams up with
Shadow Walker to raise the bar for rootkit detectors once again. In this
talk we explore the idea of memory subversion. We demonstrate that it is
not only possible to hide a rootkit driver in memory, but that it is
possible to do so with minimal performance impact. The application (threat)
of this attack extends beyond rootkits: as bug hunters turn toward
kernel-level exploits, we can expect the same approach to be applied to
worms and other forms of malware. Memory scanners, beware the axiom
'videre est credere' (seeing is believing). Let us just say that it does
not hold the way it used to.
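The abstract describes DKOM only in the abstract: modify a private kernel object rather than a code path, and enumeration APIs that walk that object's links stop seeing it. The example below is an added, self-contained user-space model of that idea and of the cross-view check a detector uses against it; it is not code from FU, Shadow Walker, or this talk. The `struct proc`/`active_head` layout, the process names and PIDs are invented stand-ins (the real kernel objects are EPROCESS blocks chained through ActiveProcessLinks, which the page does not name). Hiding is done the way DKOM is usually described, by unlinking the object from the list while leaving the object itself, and its own forward/back pointers, untouched. The detector then does two things: diffs a list walk against a scan of the allocation table (cross-view), and flags any object whose neighbours no longer point back at it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy doubly-linked list entry embedded in an object, in the style of the
 * NT kernel's LIST_ENTRY. All names below are hypothetical stand-ins. */
struct list_entry {
    struct list_entry *flink;
    struct list_entry *blink;
};

/* Stand-in for a per-process kernel object (think EPROCESS). */
struct proc {
    unsigned pid;
    char name[16];
    struct list_entry links;     /* chained into the active-process list */
};

#define NPROCS 4
static struct proc pool[NPROCS];         /* stand-in for pool allocations  */
static struct list_entry active_head;    /* stand-in for the list head     */

static void list_init(struct list_entry *h) { h->flink = h->blink = h; }

static void list_insert_tail(struct list_entry *h, struct list_entry *e) {
    e->flink = h;
    e->blink = h->blink;
    h->blink->flink = e;
    h->blink = e;
}

/* Recover the containing object from its embedded list entry. */
static struct proc *proc_of(struct list_entry *e) {
    return (struct proc *)((char *)e - offsetof(struct proc, links));
}

/* DKOM-style hide: splice the object out of the list but leave its own
 * flink/blink intact. The object still exists and still "points into" the
 * list; only walkers starting from active_head lose sight of it. */
static void dkom_hide(struct proc *p) {
    p->links.blink->flink = p->links.flink;
    p->links.flink->blink = p->links.blink;
}

/* View 1: what a naive enumerator sees by walking the list. */
static int count_via_list(void) {
    int n = 0;
    for (struct list_entry *e = active_head.flink; e != &active_head; e = e->flink)
        n++;
    return n;
}

/* View 2: scan the allocation table directly, ignoring the list. */
static int count_via_pool(void) {
    int n = 0;
    for (int i = 0; i < NPROCS; i++)
        if (pool[i].pid != 0) n++;
    return n;
}

static int seen_in_list(const struct proc *p) {
    for (struct list_entry *e = active_head.flink; e != &active_head; e = e->flink)
        if (proc_of(e) == p) return 1;
    return 0;
}

/* Heuristic 2: an object whose neighbours no longer point back at it has
 * been unlinked by someone who did not clean up after themselves. */
static int links_dangling(const struct proc *p) {
    return p->links.blink->flink != &p->links ||
           p->links.flink->blink != &p->links;
}

/* Cross-view diff: anything in the pool view but not in the list view is
 * hidden. Returns the count and fills hidden_pids (up to max). */
static int find_hidden(unsigned *hidden_pids, int max) {
    int n = 0;
    for (int i = 0; i < NPROCS && n < max; i++)
        if (pool[i].pid != 0 && !seen_in_list(&pool[i]))
            hidden_pids[n++] = pool[i].pid;
    return n;
}

/* Constructed sample data; PIDs and names are made up for the demo. */
static void build_sample(void) {
    static const unsigned pids[NPROCS] = {4, 640, 1337, 2048};
    static const char *names[NPROCS] = {"System", "services", "rootkit.exe", "explorer"};
    list_init(&active_head);
    for (int i = 0; i < NPROCS; i++) {
        pool[i].pid = pids[i];
        snprintf(pool[i].name, sizeof pool[i].name, "%s", names[i]);
        list_insert_tail(&active_head, &pool[i].links);
    }
}

/* Whole scenario: build the list, hide pid 1337, run the cross-view check.
 * Returns the number of hidden objects the detector found. */
static int run_demo(unsigned *hidden_pids, int max) {
    build_sample();
    dkom_hide(&pool[2]);
    return find_hidden(hidden_pids, max);
}

int main(void) {
    unsigned hidden[NPROCS];
    int n = run_demo(hidden, NPROCS);
    printf("list view: %d objects, pool view: %d objects, hidden: %d\n",
           count_via_list(), count_via_pool(), n);
    for (int i = 0; i < n; i++)
        printf("  pid %u unreachable from list head, links dangling: %s\n",
               hidden[i], links_dangling(&pool[2]) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one the abstract hints at: nothing in the list or in any code path is corrupted, so integrity checks on the system call table or on function pointers see nothing wrong. Only a second, independent view of the same objects (here a table scan; in a real kernel a pool scan, a handle-table walk, or a scheduler-side thread list) exposes the discrepancy. Shadow Walker's contribution, as the abstract puts it, is to attack that second view as well by controlling what a memory scanner reads, which is why the talk frames it as memory subversion rather than another object-unlinking trick.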