
A New Procedure to Help System/Network Administrators Identify Multiple Rootkit Infections

desmondlobo@students.ballarat.edu.au, {p.watters, x.wu}@ballarat.edu.au



[1] L. Wang and P. Dasgupta, “Kernel and Application Integrity Assurance: Ensuring Freedom from Rootkits and Malware in a Computer System”, Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops, 2007, IEEE Computer Society
[2] A. Emigh, “The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond”, Journal of Digital Forensic Practice, Vol. 1(3), Sept. 2006, pp. 245-260
[3] M. Alvarez, M. Vucelich, and L. Johnson, “IBM Internet Security Systems X-Force Threat Insight Monthly”, July 2008, IBM Corporation
[4] G. Hoglund and J. Butler, “Rootkits: Subverting the Windows Kernel”, 2005, Addison-Wesley Professional
[5] D. Lobo, P. Watters and X. Wu, (in press) “RBACS: Rootkit Behavioral Analysis and Classification System”, Proceedings of the Third International Conference on Knowledge Discovery and Data Mining, 2010, IEEE Computer Society
[6] J. C. Whitehead, “An Introduction to Logistic Regression”, Retrieved October 8, 2009 from http://www.appstate.edu/~whiteheadjc/
[7] D. Olson and Y. Shi, “Introduction to Business Data Mining”, 2007, McGraw-Hill Irwin
[8] M. H. Dunham, “Data Mining: Introductory and Advanced Topics”, 2003, Pearson Education
[9] G. Shmueli, N. R. Patel, and P. C. Bruce, “Data Mining for Business Intelligence: Concepts, Techniques, and Applications in Microsoft Office Excel with XLMiner”, 2007, John Wiley & Sons
[10] I. H. Witten and E. Frank, “Data Mining: Practical Machine Learning Tools and Techniques”, 2nd Edition, 2005, Morgan Kaufmann
[11] J. Z. Kolter, “Learning to Detect and Classify Malicious Executables in the Wild”, The Journal of Machine Learning Research, Vol. 7, Dec. 2006, pp. 2721-2744
[12] U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel and E. Kirda, “Scalable, Behavior-Based Malware Clustering”, Proceedings of the 16th Annual Network & Distributed System Security Symposium, 2009
[13] M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian and J. Nazario, “Automated Classification and Analysis of Internet Malware”, Recent Advances in Intrusion Detection, Lecture Notes in Computer Science, Vol. 4637, 2007, pp. 178-197, Springer
[14] T. Fawcett and F. Provost, “Combining Data Mining and Machine Learning for Effective User Profiling”, Proceedings of the Second International Conference on Knowledge Discovery and Data Mining, 1996, Association for the Advancement of Artificial Intelligence
[15] P. Huntington, D. Nicholas, and P. Williams, “Characterising and Profiling Health Web User and Site Types: Going Beyond Hits”, Aslib Proceedings, Vol. 55, Issue 5/6, 2003, pp. 277-289
[16] D. L. Pepyne, J. Hu, and W. Gong, “User Profiling for Computer Security”, Proceedings of the American Control Conference, Vol. 2, 2004, pp. 982-987, IEEE Xplore





A Windows Rootkit Detection Method Based on Cross-View

Hoglund G, Butler J. Rootkits: Subverting the Windows Kernel [M]. Addison Wesley Professional, 2005
DKOM Process Hider [OL], http://www.rohitab.com/discuss/index.php?showtopic=23880
Joanna Rutkowska. Advanced Windows 2000 Rootkit Detection
Joanna Rutkowska [OL]. Thoughts about Cross-View based Rootkit Detection
Intel, IA-32 Intel Architecture Software Developer’s Manual [M], vol 1-3
Gary Nebbett, Windows NT/2000 Native API Reference [M], Macmillan Technical Publishing, 2001
FU rootkit [OL]. http://www.rootkit.com/vault/fuzen_op/FU_Rootkit.z







Detecting (and creating !) a HVM rootkit (aka BluePill-like)

A. Desnos, I. Lefou
Laboratoire de Sécurité de l’Information et des Systèmes (SI&S), ESIEA, Paris, France
e-mail: desnos@esiea.fr, ivanlefou@esiea.fr
É. Filiol (corresponding author)
Laboratoire de Virologie et Cryptologie Opérationnelles (C + V)^O, ESIEA, Paris, France
e-mail: filiol@esiea.fr




1. Advanced Micro Devices. AMD64 Architecture Programmer’s Manual, vol. 2: System Programming. 15 Secure Virtual Machine
2. Advanced Micro Devices. AMD64 Architecture Programmer’s Manual, vol. 2: System Programming. 15.23 External Access Protection
3. Anonymous. Runtime process infection. Phrack 59-0x08
4. Anonymous author. Runtime process infection. Phrack Mag. 8(59), (2002)
5. Anonymous author. Building ptrace injecting shellcodes. Phrack Mag. 12(59), (2002)
6. Barbosa, E.: Detecting BluePill. SyScan’07
7. Bareil, N.: Playing with ptrace() for fun and profit. http://actes.sstic.org/SSTIC06/Playing_with_ptrace/SSTIC06-article-Bareil-Playing_with_ptrace.pdf
8. Bochs: highly portable open source IA-32 (x86) PC emulator. http://bochs.sourceforge.net/
9. Brian Carrier. Open source digital investigation tools. http://www.sleuthkit.org
10. Casek. http://www.uberwall.org
11. Core Security Technologies. Core Impact outil de test d’intrusion. http://www.coresecurity.com/content/core-impact-overview
12. Desnos, Guihéry, Salaün. Sanson the headman. (2008). http://sanson.kernsh.org
13. Dornseif, M.: All your memory are belong to us. CanSecWest 2005
14. Dralet, S., Gaspard, F.: Corruption de la mémoire lors de l’exploitation. In: SSTIC 06, 2006
15. Filiol, E.: A formal model proposal for malware program stealth. Virus Bulletin Conference Proceedings, Vienna, 2007
16. Filiol, É.: Techniques virales avancées. Collection IRIS, Springer, France, 2008
17. Filiol, E., Josse, S.: A statistical model for undecidable viral detection. In: Broucek, V., Turner, P. (eds.) Eicar 2007 Special Issue. J. Comp. Virol. (3), 2, 65–74 (2007)
18. Gaspard, F., Dralet, S.: Technique anti-forensic sous linux: utilisation de la mémoire vive. Misc (25), (2005)
19. grugq. Remote exec. Phrack Mag. 11(62) (2004)
20. Input/output memory management unit. http://en.wikipedia.org/wiki/iommu
21. Intel. Intel 64 and IA-32 Architectures Software Developer’s Manual, Chap. 19. Introduction to virtual-machine extensions
22. Joanna. Site web de BluePill. http://www.bluepillprojet.org
23. King, S.T., Chen, P.M., Wang, Y.-M., Verbowski, C., Wang, H.J., Lorch, J.R.: SubVirt: implementing malware with virtual machines. University of Michigan and Microsoft Research. Available at http://www.eecs.umich.edu/~pmchen/papers/king06.pdf
24. Microsoft Windows. Driver signing requirements for Windows. http://www.microsoft.com/whdc/winlogo/drvsign/drvsign.mspx
25. Myers, M., Youndt, S.: An introduction to hardware-assisted virtual machine (HVM) rootkits. http://crucialsecurity.com
26. Northsecuritylabs. Hypersight rootkit detector. http://www.northsecuritylabs.com
27. Pluf. Perverting unix processes. (2006). http://7a69ezine.org/docs/7a69-PUP.txt
28. Pluf and Ripe. Advanced antiforensics: self. Phrack Mag. 11(63) (2005)
29. ptrace(2)—Linux man page. http://linux.die.net/man/2/ptrace
30. QEMU: open source processor emulator. http://bellard.org/qemu/
31. Rutkowska, J.: Subverting Vista Kernel for Fun and Profit. SyScan’06 & BlackHat Briefings (2006)
32. Rutkowska, J., Tereshkin, A.: IsGameOver() anyone? BlackHat Briefings (2007)
33. Rutkowski, J.K.: Execution path analysis: finding kernel based rootkits. Phrack Mag. 13(59) (2002)
34. Salaün, D.G.: Sanson the headman. Rapport Interne Ifsic (2007)
35. sk, devik. Rootkit linux kernel /dev/kmem. http://packetstormsecurity.org/UNIX/penetration/rootkits/suckit2priv.tar.gz
36. Stealth. Rootkit linux kernel LKM. http://packetstormsecurity.org/groups/teso/adore-ng-0.41.tgz
37. The ERESI team. The ERESI reverse engineering software interface. http://www.eresi-project.org
38. The Grugq. The design and implementation of userland exec. (2004) http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2004-01/0004.html
39. Tripwire. Configuration audit and control solutions. http://www.tripwire.com
40. Virtual PC. http://www.microsoft.com/windows/products/winfamily/virtualpc/default.mspx
41. VMware. http://www.vmware.com/
42. VMware ESX. http://www.vmware.com/fr/products/vi/esx/
43. Xen. http://www.xen.org/






Detecting Malicious Rootkit Web Pages in High-interaction Client Honeypots

Hengya Liu, Dongmei Zhang, Gengyu Wei, Jinxin Zhong
Faculty of Computer Science and Technology
Beijing University of Posts and Telecommunications
Beijing, China
E-mail: thewallflowers@sina.com, zhangdm@bupt.edu.cn

Gengyu Wei, Jinxin Zhong
Beijing, China
E-mail: weigengyu@vip.sina.com, Jinxinzhong@gmail.com




Taxonomy of Honeypots, Technical Report CS-TR-06/12, Christian Seifert, Ian Welch, Peter Komisarczuk. June 2006.
Know your Enemy: Malicious Web Servers. Christian Seifert, Ramon Steenson, Ian Welch, Peter Komisarczuk,
Hoglund [EB/OL]. (2005-10-20). https://www.rootkit.com/vault/hoglund/rk_044.zip
Wang, K. Honeyclient, Version 0.1.1. http://www.honeyclient.org/
HoneyMonkey. [Online]. Available at: http://en.wikipedia.org/wiki/HoneyMonkey
UW Spycrawler. [Online]. Available at: http://en.wikipedia.org/wiki/Client_honeypot
Capture – A behavioural analysis tool for applications and documents. Christian Seifert, Ian Welch, Peter
Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy. A Crawler-based Study of Spyware on the Web. In Proceedings of the 2006 Network and Distributed System Security Symposium, pages 17–33, February 2006.
Honeypots, Christian Seifert, Ian Welch, Peter Komisarczuk. March 16 2008.






Identifying Rootkit Infections Using Data Mining

Desmond Lobo, Paul Watters and Xin-Wen Wu
Internet Commerce Security Laboratory
Graduate School of Information Technology and Mathematical Sciences
University of Ballarat, Australia
desmondlobo@students.ballarat.edu.au, {p.watters, x.wu}@ballarat.edu.au



[1] A. Emigh, “The Crimeware Landscape: Malware, Phishing, Identity Theft and Beyond”, Journal of Digital Forensic Practice, Vol. 1(3), Sept. 2006, pp. 245-260
[2] M. Alvarez, M. Vucelich, and L. Johnson, “IBM Internet Security
Systems X-Force Threat Insight Monthly”, July 2008, IBM Corporation
[3] L. Wang and P. Dasgupta, “Kernel and Application Integrity Assurance:
Ensuring Freedom from Rootkits and Malware in a Computer System”,
Proceedings of the 21st International Conference on Advanced
Information Networking and Applications Workshops, 2007, IEEE
Computer Society
[4] Symantec, “Cyber Crime has Surpassed Illegal Drug Trafficking as a
Criminal Moneymaker; 1 in 5 will become a Victim”, Symantec
Corporation Press Release, Retrieved December 5, 2009 from
http://www.symantec.com
[5] McAfee, “Rootkits - Part 1 of 3: The Growing Threat”, McAfee Inc.,
Apr. 2006
[6] OECD, “Malicious Software (Malware): A Security Threat to the Internet Economy”, Organization for Economic Co-operation and Development, June 2008, OECD Ministerial Meeting on the Future of the Internet Economy
[7] D. Lobo, P. Watters and X. Wu “RBACS: Rootkit Behavioral Analysis
and Classification System”, Proceedings of the Third International
Conference on Knowledge Discovery and Data Mining, 2010, IEEE
Computer Society
[8] D. Lobo, P. Watters and X. Wu (in press) “A New Procedure to Help
System/Network Administrators Identify Multiple Rootkit Infections”,
Proceedings of the Second International Conference on Communication
Software and Networks, 2010, IEEE Computer Society
[9] M. E. Russinovich and D. A. Solomon, “Microsoft Windows Internals”,
4th Edition, 2005, Microsoft Press
[10] K. Kasslin, M. Stahlberg, S. Larvala and A. Tikkanen, “Hide ‘n Seek
Revisited – Full Stealth is Back”, Proceedings of the Virus Bulletin
Conference, 2005
[11] G. Hoglund, and J. Butler, “Rootkits: Subverting the Windows Kernel”,
2005, Addison-Wesley Professional
[12] C. Ries, “Inside Windows Rootkits”, VigilantMinds, 2006
[13] W3Schools, “OS Platform Statistics”, Retrieved October 10, 2009 from
http://www.w3schools.com
[14] I. H. Witten and E. Frank, “Data Mining: Practical Machine Learning
Tools and Techniques”, 2nd Edition, 2005, Morgan Kaufmann
[15] Y. Yang, X. Guan and J. You, “CLOPE: A Fast and Effective Clustering Algorithm for Transactional Data”, Proceedings of the Eighth International Conference on Knowledge Discovery and Data Mining, 2002, ACM Special Interest Group on Knowledge Discovery and Data Mining
[16] M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian and J.
Nazario, “Automated Classification and Analysis of Internet Malware”,
Recent Advances in Intrusion Detection, Lecture Notes in Computer
Science, Vol. 4637, 2007, pp. 178-197, Springer
[17] U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel and E. Kirda,
“Scalable, Behavior-Based Malware Clustering”, Proceedings of the
16th Annual Network and Distributed System Security Symposium, Feb.
2009
[18] J. R. Quinlan, “Induction of Decision Trees”, Machine Learning, Vol. 1,
Mar. 1986, pp. 81-106
[19] M. H. Dunham, “Data Mining: Introductory and Advanced Topics”,
2003, Pearson Education
[20] M. G. Schultz, E. Eskin, E. Zadok and S. J. Stolfo, “Data Mining
Methods for Detection of New Malicious Executables”, Proceedings of
the 2001 IEEE Symposium on Security and Privacy, IEEE Computer
Society
[21] J. Z. Kolter and M. A. Maloof, “Learning to Detect and Classify
Malicious Executables in the Wild”, Journal of Machine Learning
Research, Vol. 7, Dec. 2006, pp. 2721-2744
[22] M. Siddiqui, M. C. Wang and Joohan Lee, “Detecting Internet Worms Using Data Mining Techniques”, Journal of Systemics, Cybernetics and Informatics, Vol. 6, No. 6, 2008, pp. 48-53
[23] M. Morgenstern and T. Brosch, “Runtime Packers: The Hidden
Problem?”, Proceedings of Black Hat USA, 2006
[24] R. Lyda and J. Hamrock, “Using Entropy Analysis to Find Encrypted
and Packed Malware”, IEEE Security and Privacy, Vol. 5, Issue 2,
March 2007, pp. 40-45
[25] K. Rieck, T. Holz, C. Willems, P. Dussel and P. Laskov, 2008,
"Learning and Classification of Malware Behavior", Detection of
Intrusions and Malware, and Vulnerability Assessment, Lecture Notes in
Computer Science, Vol. 5137, pp. 108-125, Springer
[26] H. Yin, Z. Liang and D. Song, “HookFinder: Identifying and
Understanding Malware Hooking Behaviors”, Proceedings of the 15th
Annual Network and Distributed System Security Symposium, Feb.
2008










RBACS: Rootkit Behavioral Analysis and Classification System

Desmond Lobo, Paul Watters and Xinwen Wu
Internet Commerce Security Laboratory
University of Ballarat
Ballarat, Australia
desmondlobo@students.ballarat.edu.au, {p.watters, x.wu}@ballarat.edu.au


A. Emigh, “The Crimeware Landscape: Malware, Phishing,
Identity Theft and Beyond”, Journal of Digital Forensic
Practice, Vol. 1(3), Sept. 2006, pp. 245-260
McAfee, “Rootkits - Part 1 of 3: The Growing Threat”,
McAfee Inc., Apr. 2006
OECD, “Malicious Software (Malware): A Security Threat to the Internet Economy”, Organization for Economic Co-operation and Development, June 2008, OECD Ministerial Meeting on the Future of the Internet Economy
F. Cohen, “Computer Viruses: Theory and Experiments”,
Computer and Security, Vol. 6(1), Feb. 1987, pp. 22-35,
Elsevier Advanced Technology Publications
J. F. Levine, J. B. Grizzard, and H. L. Owen, “Detecting and
Categorizing Kernel-Level Rootkits to Aid Future Detection”,
IEEE Security & Privacy, Vol. 4(1), Jan. 2006, pp. 24-32
H. Thimbleby, S. Anderson, and P. Cairns, “A Framework for
Modelling Trojans and Computer Virus Infection”, Computer
Journal, Vol. 41(7), 1998, pp. 444-458, British Computer
Society
K. Rieck, T. Holz, C. Willems, P. Düssel and P. Laskov, 2008, "Learning and Classification of Malware Behavior", Detection of Intrusions and Malware, and Vulnerability Assessment, Lecture Notes in Computer Science, Volume 5137, pp. 108-125, Springer
S. Hultquist, “Rootkits: the next big enterprise threat?”,
Information Age, Aug./Sept. 2007
W. Fu, J. Pang, R. Zhao, Y. Zhang and B. Wei, "Static
Detection of API-Calling Behavior from Malicious Binary
Executables", Proceedings of the International Conference on
Computer and Electrical Engineering, 2008, pp. 388-392,
IEEE Computer Society
M. Christodorescu and S. Jha, “Static analysis of executables to detect malicious patterns”, Proceedings of the 12th conference on USENIX Security Symposium, Vol. 12, 2003
M. Bailey, J. Oberheide, J. Andersen, Z. M. Mao, F. Jahanian
and J. Nazario, 2007, “Automated Classification and Analysis
of Internet Malware”, Recent Advances in Intrusion
Detection, Lecture Notes in Computer Science, Vol. 4637,
pp. 178-197, Springer
G. Hoglund, and J. Butler, “Rootkits: Subverting the
Windows Kernel”, 2005, Addison-Wesley Professional
I. H. Witten and E. Frank, “Data Mining: Practical machine
learning tools and techniques”, 2nd Edition, 2005, Morgan
Kaufmann
J. Z. Kolter, “Learning to Detect and Classify Malicious
Executables in the Wild”, The Journal of Machine Learning
Research, Vol. 7, Dec. 2006, pp. 2721-2744
U. Bayer, P. Milani Comparetti, C. Hlauschek, C. Kruegel
and E. Kirda, “Scalable, Behavior-Based Malware
Clustering”, Proceedings of the 16th Annual Network &
Distributed System Security Symposium, 2009
D. Beck and J. Connolly, “The Common Malware
Enumeration Initiative”, Proceedings of the Virus Bulletin
Conference, 2006








Windows Rootkits: Attacks and Countermeasures

Desmond Lobo
Internet Commerce Security Laboratory, Graduate School of Information Technology and Mathematical Sciences, University of Ballarat, Australia
desmondlobo@students.ballarat.edu.au

Paul Watters
Internet Commerce Security Laboratory, Graduate School of Information Technology and Mathematical Sciences, University of Ballarat, Australia
p.watters@ballarat.edu.au

Xin-Wen Wu
School of Information and Communication Technology, Griffith University, Australia
x.wu@griffith.edu.au

Li Sun
School of Mathematical and Geospatial Sciences, RMIT University, Australia
lisun01@gmail.com





[1] M. Alvarez, M. Vucelich, and L. Johnson, “IBM Internet Security Systems X-Force Threat Insight Monthly”, July 2008, IBM Corporation
[2] N. A. Quynh and Y. Takefuji, “Towards a Tamper-Resistant Kernel Rootkit Detector”, Proceedings of the 2007 ACM Symposium on Applied Computing, pp. 276-283, Seoul, South Korea
[3] W3Schools, “OS Platform Statistics”, Retrieved from http://www.w3schools.com on 10 March 2010
[4] L. Wang and P. Dasgupta, “Kernel and Application Integrity Assurance: Ensuring Freedom from Rootkits and Malware in a Computer System”, Proceedings of the 21st International Conference on Advanced Information Networking and Applications Workshops, 2007, IEEE Computer Society
[5] Symantec, “Cyber Crime has Surpassed Illegal Drug Trafficking as a Criminal Moneymaker; 1 in 5 will become a Victim”, Symantec Corporation Press Release, Retrieved from http://www.symantec.com on 5 December 2009
[6] McAfee, “Rootkits - Part 1 of 3: The Growing Threat”, McAfee Inc., Apr. 2006
[7] G. Hoglund and J. Butler, “Rootkits: Subverting the Windows Kernel”, Addison-Wesley Software Security Series, Pearson Education Inc., 2006
[8] K. Kasslin, M. Stahlberg, S. Larvala, and A. Tikkanen, “Hide 'N Seek Revisited - Full Stealth is Back”, Proceedings of the 15th International Virus Bulletin Conference, 2005, Dublin, Ireland
[9] D. Ladd, “News Briefs”, IEEE Security and Privacy, March/April 2007, IEEE Computer Society
[10] Y. Ben-Itzhak, “Defending Your Organization Against the New Generation of Web-Based Hybrid”, Infosecurity, Volume 4, Number 3, 2007, pp. 42-43
[11] X. Zhang and K. C. Tadi, “Modeling Virus and Antivirus Spreading Over Hybrid Wireless Ad Hoc and Wired Networks”, Proceedings of the IEEE Global Telecommunications Conference, 2007, USA
[12] P. Wollacott, “Cybercrime Comes of Age”, ITNOW, Vol. 49, No. 2, 2007, pp. 6-7, The British Computer Society, Oxford University Press
[13] OECD, “Malicious Software (Malware): A Security Threat to the Internet Economy”, Organization for Economic Co-operation and Development, June 2008, OECD Ministerial Meeting on the Future of the Internet Economy
[14] M. Davis, S. Bodmer and A. LeMasters, “Hacking Exposed Malware and Rootkits: Malware and Rootkits Secrets and Solutions”, McGraw-Hill Osborne Media, 2010
[15] J. Butler and S. Sparks, “Windows Rootkits of 2005”, Security Focus, Retrieved from http://www.securityfocus.com on 12 March 2010
[16] J. Allchin, “Security Features Versus Convenience”, The Windows Blog, Microsoft Corporation, 23 January 2007, Retrieved from http://windowsteamblog.com on 12 March 2010
[17] McAfee, “Rootkits - Part 1 of 3: The Growing Threat”, McAfee Inc., Apr. 2006
[18] D. K. Mulligan and A. K. Perzanowski, “The Magnificence of the Disaster: Reconstructing the Sony BMG Rootkit Incident”, Berkeley Technology Law Journal, Vol. 22, p. 1157, 2007
[19] J. A. Halderman and E. W. Felten, “Lessons from the Sony DRM Episode”, Proceedings of the 15th USENIX Security Symposium, pp. 77-92, 2006
[20] J. Bickford, R. O’Hare, A. Baliga, V. Ganapathy and L. Iftode,
“Rootkits on Smart Phones: Attacks, Implications and Opportunities”,
Proceedings of the Eleventh Workshop on Mobile Computing
Systems & Applications, ACM, pp. 49-54, Annapolis, Maryland,
USA, 2010
[21] A. Emigh, “The Crimeware Landscape: Malware, Phishing, Identity
Theft and Beyond”, Journal of Digital Forensic Practice, Vol. 1, No.
3, September 2006, pp. 245-260
[22] Microsoft Support, “Frequently asked questions about Ctfmon.exe”,
29 January 2007, Retrieved from http://support.microsoft.com on 15
March 2010
[23] McAfee, “W32/Feebs!rootkit”, Retrieved from http://vil.nai.com on
15 March 2010
[24] S. Anson and S. Bunting, “Mastering Windows Network Forensics
and Investigation”, Wiley Publishing, 2007
[25] Sophos, “W32/Feebs-Gen”, Retrieved from http://www.sophos.com
on 15 March 2010
[26] Microsoft Support, “Description of the Windows File Protection Feature”, 11 September 2009, Retrieved from http://support.microsoft.com on 18 March 2010
[27] P. Dabak, S. Phadke and M. Borate, “Undocumented Windows NT”,
Hungry Minds, 1999
[28] M. E. Russinovich and D. A. Solomon, “Microsoft Windows
Internals”, 4th Edition, Microsoft Press, 2005
[29] C. Ries, “Inside Windows Rootkits”, VigilantMinds, 2006
[30] Daymix, “Kernel Computing”, Retrieved from http://daymix.com on
12 April 2010
[31] Windows Hardware Developer Central, “Kernel Patch Protection:
Frequently Asked Questions”, 22 January 2007, Retrieved from
http://www.microsoft.com on 19 March 2010
[32] M. Oiaga, “Windows vs. Rootkits: The root(kit) of all evil”, 20
February 2010, Retrieved from http://news.softpedia.com on 20
March 2010
[33] J. Richter, “Programming Applications for Microsoft Windows”,
Microsoft Press, 1999
[34] S. Sparks, S. Embleton and C. Zou, “Windows Rootkits: A Game of
Hide and Seek”, School of Electrical Engineering and Computer
Science, University of Central Florida, USA [n.d.]
[35] McAfee, “Buffer Overflow Exploits: The Why and How”, McAfee
System Protection Solutions, April 2005
[36] H. M. Deitel, P. J. Deitel and D. R. Choffnes, “Operating Systems,
Third Edition”, Prentice Hall, 2004
[37] C. Mitchell, “Trusted Computing Platforms: Intel’s Trusted eXecution Technology (TXT)”, Information Security Group, Royal Holloway University of London, Retrieved from http://www.isg.rhul.ac.uk on 1 April 2010
[38] WarpSpeed Computers, “Presentation Device Driver Reference for
OS/2”, Retrieved from http://www.warpspeed.com.au on 2 April
2010
[39] B. Blunden, “The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System”, Wordware Publishing, 2009
[40] K. Kubicki, “CPU & Chipset: A bit about the NX bit; Virus
Protection Woes”, AnandTech Incorporated, 11 October 2004,
Retrieved from http://www.anandtech.com on 8 April 2010
[41] M. Howard, “Address Space Layout Randomization in Windows
Vista”, Microsoft Corporation, 26 May 2006, Retrieved from
http://blogs.msdn.com on 8 April 2010
[42] M. Howard and M. Thomlinson, “Windows Vista ISV Security”, Microsoft Corporation, April 2007, Retrieved from http://msdn.microsoft.com on 26 March 2010
[43] W. Moses, “Security Watch: Services Hardening in Windows Vista”,
TechNet Magazine, Microsoft Corporation, January 2007


[44] Authentium, “Microsoft Patchguard and Authentium”, Authentium
Virus Blog: Authentium Malware Information Exchange Portal, 25
October 2006, Retrieved from http://blogs.authentium.com on 11
April 2010
[45] Skywing, “PatchGuard Reloaded: A Brief Analysis of PatchGuard
Version 3”, Uninformed Journal, Volume 8, September 2007
[46] Google, “The Chromium Projects: Security Overview”, Retrieved
from http://www.chromium.org on 11 April 2010
[47] M. Jakobsson and Z. Ramzan, “Crimeware: Understanding New
Attacks and Defenses”, Addison Wesley, Symantec Press, 2008
[48] M. Savage, “The Banking Malware Scourge”, Information Security,
May 2010
[49] comScore, “comScore Reports February 2010 U.S. Mobile Subscriber Market Share”, 5 April 2010, Retrieved from http://www.comscore.com on 18 May 2010
[50] Cisco, “Linux/Unix: Telnet Daemon Buffer Overflow Vulnerability”,
Cisco Systems Inc., 6 October 2004, Retrieved from http://cisco.com
on 12 June 2010



ADVANCED MAC OS X ROOTKITS




DINO A. DAI ZOVI
DDZ@THETA44.ORG


1. Apple, kextstat, http://www.opensource.apple.com/source/kext_tools/kext_tools-117.4/kextstat_main.c.
2. Joseph Boykin, David Kirschen, Alan Langerman, and Susan LoVerso, Programming under Mach, Addison-Wesley Professional, 1993.
3. Dino A. Dai Zovi, Trail of Bits, http://trailofbits.com/.
4. Joseph Kong, Designing BSD Rootkits, No Starch Press, 2007.
5. Charlie Miller and Dino A. Dai Zovi, The Mac Hacker’s Handbook, Wiley, 2009.
6. nemo, WeaponX, http://packetstormsecurity.org/UNIX/penetration/rootkits/wX.tar.gz.
7. Amit Singh, Mac OS X Internals, Addison-Wesley Professional, 2006.
8. wowie and ghalen, Developing Mac OS X kernel rootkits, Phrack 13 (2009), no. 66, 16.







An Empirical Assessment of the Perception of Computer Security between US and Korea: Focused on Rootkits

Ha Jin Hwang
Catholic University of Daegu
hjhwang@cu.ac.kr



[1] Digital Chosunilbo.: N. Korea's Hackers Rival CIA,
Expert Warns, 2005.
http://english.chosun.com/w21data/html/news/200506/2
00506020014.html
[2] Stars and Stripes, S. Korea Indicts U.S. Service Member
for Allegedly Hacking more than 50 Web Sites, 2001.
http://ww2.pstripes.osd.mil/01/jul01/ed072701g.html
[3] Kramarenko, Dmitri.: Hackers or Cyber-soldiers?, Computer Crime Research Center, 2003. http://www.crime-research.org/interviews/hacker0904/
[4] Hulme, George V.: Rude Worm Insults, then Wreaks
Havoc, 2002. http://www.itnews.com.au/newsstory.aspx?
CIaNID=10532
[5] Lemos, Robert.: Web Worm Targets White House, CNet
News.com, 2001
[6] Peterson, Dane K. and Kim, Chung.: Perceptions on IS Risks
and Failure Types: A Comparison of Designers from the
United States, Japan and Korea., Journal of Global
Information Management, Jul-Sep 2003, Vol. 11 Issue 3, p19,
20p.
[7] ITIM International, 2006, http://www.geert-hofstede.com/
[8] Bento, Al and Bento, Regina.: Empirical Test of Hacking
Framework: An Exploratory Study, Communications of
the AIS, Volume 14: 678-690, 2004
[9] Shim, JP.: Korea’s Lead in Mobile Cellular and DMB
Phone Services., Communications of the Association for
Information Systems. Vol. 15, 2005
[10] Internet World Stats, 2005, http://www.internetworldstats.com/stats.htm
[11] Korean Times Technology.: The Korean Times, 2005, It’s English. http://times.hankooki.com/lpage/tech/200512/kt2005120216444111780.htm
[12] Naraine, Ryan.: When’s a Rootkit Not a Rootkit?,
eWeek.com, 2006, http://www.eweek.com/article2/0,17
59,1913083,00.asp
[13] Roberts, P. F.: Microsoft on 'Rootkits': Be Afraid, Be
very Afraid, 2005a, http://www.computerworld.com/
securitytopics/security/story/0,10801,99843,00.html
[14] Seltzer, L.: Rootkits: The Ultimate Stealth Attack. PC
Magazine, 24, 76, 2005.
[15] Dillard, K.: What is a rootkit? from SearchWindowsSecurity.com, 2005.
[16] Jones, MC., Arnett, KP., Tang, JTE., & Chen, NS.:
Perceptions of computer viruses a cross-cultural
assessment. Computers and Security, 12, 191-197, 1993.
[17] Schmidt, M. B., & Arnett, K. P.: Spyware: A Little
Knowledge is a Wonderful Thing. Communications of
the ACM, 48(8), 67-70., 2005.
[18] Stafford, T. F.: Spyware. Communications of the
ACM, 48(8), 34-35, 2005.








A Rule-based Approach for Rootkit Detection

Jianxiong Wang
College of Geology Engineering and Geomatics, Chang’an University, Xi’an, China
jianxiongw@126.com



E. Lacombe, F. Raynal, V. Nicomette, Rootkit modeling and
experiments under Linux, Journal in Computer Virology, vol. 4, no. 2,
2008, pp:137-157.
J. F. Levine, J. B. Grizzard, H. L. Owen, Detecting and categorizing
kernel-level rootkits to aid future detection, IEEE Security & Privacy,
vol. 4 issue 1. 2006, pp:24-32.
F. M. David, E. M. Chan, J. C. Carlyle et al. Cloaker: Hardware Supported Rootkit Concealment. IEEE Symposium on Security and Privacy, 2008, Oakland, CA, pp: 296-310.
S. T. King, J. Tucek, A. Cozzie et al. Designing and Implementing Malicious Hardware. USENIX’08, http://www.usenix.org/event/leet08/tech/full_papers/king/king.pdf.
SELinux Project: www.nsa.gov/research/selinux.
G. Kim and E. Spafford. The Design and Implementation of Tripwire: A File System Integrity Checker. Technical report, Purdue University, Nov. 1993.
R. Sailer, X. L. Zhang, T. Jaeger et al. Design and Implementation of a TCG-based Integrity Measurement Architecture. In Proceedings of the 13th USENIX Security Symposium, 2004.









Exploring Rootkit Detectors’ Vulnerabilities Using a New Windows Hidden Driver Based Rootkit

Woei-Jiunn Tsaur
Department of Information Management, Da-Yeh University, Changhua, Taiwan, R.O.C.
e-mail: wjtsaur@yahoo.com.tw

Yuh-Chen Chen
Department of Information Management, Da-Yeh University, Changhua, Taiwan, R.O.C.



E. W. Felten and J. A. Halderman, “Digital rights management,
spyware and security,” IEEE Security & Privacy, vol. 4, no. 1, pp. 18-
23, 2006.
G. Hoglund and J. Butler, Rootkits: Subverting the Windows Kernel,
Addison-Wesley, 2005.
G. H. Kim and E. H. Spafford, “The design and implementation of
Tripwire: a file system integrity checker,” in Proc. the 2nd ACM
Conference on Computer and Communications Security, pp. 18-29,
1994.
Rootkit, http://www.rootkit.com, 2010.
K. Chiang and L. Lloyd, “A case study of the Rustock rootkit and spam bot,” in Proc. USENIX First Workshop on Hot Topics in Understanding Botnets, pp. 10-18, 2007.
E. Florio, “When malware meets rootkits,” White Paper, Symantec,
2005.
J. G. Levine, J. B. Grizzard and H. L. Owen, “Detecting and
categorizing kernel-level rootkits to aid future detection,” IEEE
Security & Privacy, vol. 4, no. 1, pp. 24-32, 2006.
McAfee, “Rootkits, Part 1 of 3: the growing threat,” White Paper,
McAfee, 2006.
A. Baliga, P. Kamat and L. Iftode, “Lurking in the shadows:
identifying systemic threats to kernel data,” in Proc. the 2007 IEEE
Symposium on Security and Privacy, pp. 246-251, 2007.
A. Baliga, L. Iftode and X. Chen, “Automated containment of rootkits
attacks,” Computers & Security, vol. 27, Issues 7-8, pp. 323-334,
2008.
M. Christodorescu, S. Jha, S. Seshia, D. Song and R. Bryant,
“Semantics-aware malware detection,” in Proc. the 2005 IEEE
Symposium on Security and Privacy, pp. 32-46, 2005.
S. T. King et al., “SubVirt: implementing malware with virtual
machines,” in Proc. the 2006 IEEE Symposium on Security and
Privacy, pp. 314-327, 2006.
C. Kruegel, W. Robertson and G. Vigna, “Detecting kernel-level
rootkits through binary analysis,” in Proc. the 20th Annual Computer
Security Applications Conference (ACSAC’04), pp. 91- 100, 2004.
N. L. Petroni Jr., T. Fraser, A. Walters and W. Arbaugh, “An
architecture for specification-based detection of semantic integrity
violations in kernel dynamic data,” in Proc. the 15th USENIX
Security Symposium, pp. 289-304, 2006.
N. L. Petroni Jr. and M. Hicks, “Automated detection of persistent
kernel control-flow attacks,” in Proc. the ACM Conference on
Computer and Communications Security (CCS), pp. 103-115, 2007.
J. Rhee, R. Riley, D. Xu and X. Jiang, “Defeating dynamic data
kernel rootkit attacks via VMM-based guest-transparent monitoring,”
in Proc. the 4th International Conference on Availability, Reliability
and Security, pp. 74-81, 2009.
Y. Wang, D. Beck, B. Vo, R. Roussev and C. Verbowski, “Detecting
stealth software with Strider GhostBuster,” in Proc. the 2005
International Conference on Dependable Systems and Networks
(DSN’05), pp. 368-377, 2005.
Y. Wen, J. Zhao, H. Wang and J. Cao, “Implicit detection of hidden
processes with a feather-weight hardware-assisted virtual machine
monitor,” in Proc. the 13th Australasian Conference on Information
Security and Privacy, LNCS 5107, pp. 361-375, 2008.
Y. Wen, J. Zhao and H. Wang, “Implicit detection of hidden
processes with a local-booted virtual machine,” International Journal
of Security and Its Applications, vol. 2, no. 4, pp. 39-48, 2008.
C. Xuan, J. Copeland and R. Beyah, “Shepherding loadable kernel
modules through on-demand emulation,” in Proc. the 6th
International Conference on Detection of Intrusions and Malware,
and Vulnerability Assessment, pp. 48–67, 2009.
E. U. Kumar, “Battle with the unseen
understanding rootkits on
Windows,” in Proc. the 9th AVAR International Conference, pp. 82-
97, 2006.
C. Ries, Inside Windows Rootkits, VigilantMinds Inc, 2006.
L. Stevenson and N. Altholz, Rootkits for Dummies, Wiley
Publishing, 2007.

 NT Rootkit,
http://www.rootkit.com/board_project_fused.php?did=proj11, 2010.
[25] C. Keong, “Defeating kernel native API hookers by direct service
dispatch table restoration,” Technical Report, SIG2 G-TEC Lab, 2004.
[26] G. Hunt and D. Brubacker, “Detours: binary interception of Win32
functions,” in Proc. the Third USENIX Windows NT Symposium, pp.
135-143, 1999.
[27] VICE, http://www.rootkit.com/board_project_fused.php?did=proj20,
2010.
[28] P. Beaucamps, “Advanced polymorphic techniques,” International
Journal of Computer Science, vol. 2, no. 3, pp. 194-205, 2007.
[29] J. Bulter, J. L. Undercoffer and J. Pinkston, “Hidden process: the
implication for intrusion detection,” in Proc. the IEEE International
Workshop on Information Assurance, pp. 116-121, 2003.
[30] Antirootkit, http://www.antirootkit.com, 2010.
[31] RootkitBuster, http://www.trendmicro.com/, 2010.
[32] Tucan, http://www.pandasecurity.com/, 2010.
[33] A. Schuster, “Searching for processes and threads in Microsoft
Windows memory dumps,” Digital Investigation: The International
Journal of Digital Forensics & Incident Response, vol. 3, no.1, pp.
10-16, 2006.



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing

Ryan Riley (1), Xuxian Jiang (2), and Dongyan Xu (1)
(1) CERIAS and Department of Computer Science, Purdue University, {rileyrd,dxu}@cs.purdue.edu
(2) Department of Computer Science, North Carolina State University, jiang@cs.ncsu.edu





[1] Jiang, X., Wang, X., Xu, D.: Stealthy Malware Detection through VMM-Based “Out-of-the-Box” Semantic View Reconstruction. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS 2007) (October 2007)
[2] Petroni Jr., N.L., Fraser, T., Walters, A., Arbaugh, W.A.: An Architecture for Specification-based Detection of Semantic Integrity Violations in Kernel Dynamic Data. In: Proceedings of the 15th USENIX Security Symposium (2006)
[3] Petroni Jr., N.L., Hicks, M.: Automated Detection of Persistent Kernel Control-Flow Attacks. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS 2007) (October 2007)
[4] Petroni, N., Fraser, T., Molina, J., Arbaugh, W.: Copilot: A Coprocessor-based Kernel Runtime Integrity Monitor. In: Proceedings of the 13th USENIX Security Symposium, pp. 179–194 (2004)
[5] Wilhelm, J., Chiueh, T.-c.: A Forced Sampled Execution Approach to Kernel Rootkit Identification. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 219–235. Springer, Heidelberg (2007)
[6] Garfinkel, T., Rosenblum, M.: A Virtual Machine Introspection Based Architecture for Intrusion Detection. In: Proc. Network and Distributed Systems Security Symposium (NDSS 2003) (February 2003)
[7] Seshadri, A., Luk, M., Qu, N., Perrig, A.: SecVisor: A Tiny Hypervisor to Guarantee Lifetime Kernel Code Integrity for Commodity OSes. In: Proceedings of the ACM Symposium on Operating Systems Principles (SOSP 2007) (October 2007)
[8] Bellard, F.: QEMU: A Fast and Portable Dynamic Translator. In: Proceedings of the USENIX Annual Technical Conference, FREENIX Track, pp. 41–46 (2005)
[9] Innotek: Virtualbox (Last accessed, September 2007), http://www.virtualbox.org/
[10] Intel: Vanderpool Technology (2005), http://www.intel.com/technology/computing/vptech
[11] AMD: AMD64 Architecture Programmer’s Manual Volume 2: System Programming, 3.12 edition (September 2006)
[12] Dunlap, G., King, S., Cinar, S., Basrai, M., Chen, P.: ReVirt: Enabling Intrusion Analysis through Virtual Machine Logging and Replay. In: Proc. USENIX Symposium on Operating Systems Design and Implementation (OSDI 2002) (2002)
[13] Garfinkel, T., Pfaff, B., Chow, J., Rosenblum, M., Boneh, D.: Terra: A Virtual Machine-Based Platform for Trusted Computing. In: Proc. of ACM Symposium on Operating System Principles (SOSP 2003) (October 2003)
[14] Jiang, X., Wang, X.: “Out-of-the-Box” Monitoring of VM-Based High-Interaction Honeypots. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 198–218. Springer, Heidelberg (2007)
[15] Joshi, A., King, S., Dunlap, G., Chen, P.: Detecting Past and Present Intrusions through Vulnerability-specific Predicates. In: Proc. ACM Symposium on Operating Systems Principles (SOSP 2005), pp. 91–104 (2005)
[16] Riley, R., Jiang, X., Xu, D.: Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing. Technical report CERIAS TR 2001-146, Purdue University
[17] Arbaugh, W.A., Farber, D.J., Smith, J.M.: A Secure and Reliable Bootstrap Architecture. In: Proceedings of IEEE Symposium on Security and Privacy, May 1997, pp. 65–71 (1997)
[18] sd, devik: Linux on-the-fly Kernel Patching without LKM. Phrack 11(58) Article 7
[19] fuzen op: Fu rootkit (Last accessed, September 2007), http://www.rootkit.com/project.php?id=12
[20] Shacham, H.: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86). In: Proceedings of the ACM Conference on Computer and Communications Security (CCS 2007) (October 2007)
[21] Chen, S., Xu, J., Sezer, E.C., Gauriar, P., Iyer, R.: Non-Control-Data Attacks Are Realistic Threats. In: Proceedings of the 14th USENIX Security Symposium (August 2005)
[22] Baliga, A., Kamat, P., Iftode, L.: Lurking in the Shadows: Identifying Systemic Threats to Kernel Data. In: Proc. of IEEE Symposium on Security and Privacy (Oakland 2007) (May 2007)
[23] Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control Flow Integrity: Principles, Implementations, and Applications. In: Proc. ACM Conference on Computer and Communications Security (CCS 2005) (November 2005)
[24] Grizzard, J.B.: Towards Self-Healing Systems: Re-establishing Trust in Compromised Systems. Ph.D. Thesis, Georgia Institute of Technology (May 2006)
[25] Castro, M., Costa, M., Harris, T.: Securing Software by Enforcing Data-Flow Integrity. In: Proc. of USENIX Symposium on Operating Systems Design and Implementation (OSDI 2006) (2006)
[26] Klein, T.: Scooby Doo - VMware Fingerprint Suite (2003), http://www.trapkit.de/research/vmm/scoopydoo/index.html
[27] Rutkowska, J.: Red Pill: Detect VMM Using (Almost) One CPU Instruction (November 2004), http://invisiblethings.org/papers/redpill.html
[28] F-Secure Corporation: Agobot, http://www.f-secure.com/v-descs/agobot.shtml
[29] Kortchinsky, K.: Honeypots: Counter Measures to VMware Fingerprinting (January 2004), http://seclists.org/lists/honeypots/2004/Jan-Mar/0015.html
[30] Liston, T., Skoudis, E.: On the Cutting Edge: Thwarting Virtual Machine Detection (2006), http://handlers.sans.org/tliston/ThwartingVMDetection Liston Skoudis.pdf
[31] Chen, X., Garfinkel, T., Lewis, E.C., Subrahmanyam, P., Waldspurger, C.A., Boneh, D., Dwoskin, J., Ports, D.R.K.: Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems. In: Proc. of the 13th Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS 2008) (March 2008)
[32] Microsoft Corporation: Driver Signing for Windows, http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/code signing.mspx?mfr=true
[33] Kruegel, C., Robertson, W., Vigna, G.: Detecting Kernel-Level Rootkits Through Binary Analysis. In: Yew, P.-C., Xue, J. (eds.) ACSAC 2004. LNCS, vol. 3189, pp. 91–100. Springer, Heidelberg (2004)
[34] Zhang, X., van Doorn, L., Jaeger, T., Perez, R., Sailer, R.: Secure Coprocessor-based Intrusion Detection. In: Proceedings of the 10th ACM SIGOPS European Workshop, pp. 239–242 (2002)
[35] Wang, Y.M., Beck, D., Vo, B., Roussev, R., Verbowski, C.: Detecting Stealth Software with Strider GhostBuster. In: Proc. IEEE International Conference on Dependable Systems and Networks (DSN 2005), pp. 368–377 (2005)
[36] Kennell, R., Jamieson, L.H.: Establishing the Genuinity of Remote Computer Systems. In: Proc. of the 12th USENIX Security Symposium (August 2003)
[37] Sailer, R., Jaeger, T., Zhang, X., van Doorn, L.: Attestation-based Policy Enforcement for Remote Access. In: Proc. of ACM Conference on Computer and Communications Security (CCS 2004) (October 2004)
[38] Sailer, R., Zhang, X., Jaeger, T., van Doorn, L.: Design and Implementation of a TCG-based Integrity Measurement Architecture. In: Proc. of the 13th USENIX Security Symposium (August 2004)




\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



On Rootkit and Malware Detection in Smartphones



Bryan Dixon
Department of Computer Science
University of Colorado at Boulder
Boulder, CO 80309-0430, USA
bryan.dixon@cs.colorado.edu
Shivakant Mishra
Department of Computer Science
University of Colorado at Boulder
Boulder, CO 80309-0430, USA
mishras@cs.colorado.edu



[1] J. Bickford et al. Rootkits on Smart Phones: Attacks, Implications and Opportunities. In HotMobile 2010.
[2] A. Bose. Propagation, Detection and Containment of Mobile Malware. PhD thesis, The University of Michigan, 2008.
[3] A. Kushnerov. Smart phone under threat of attacks. http://www.theticker.org/about/2.8220/smart-phone-under-threat-of-attacks-1.2174454, March 2010.
[4] N. Petroni et al. Copilot - a Coprocessor-based Kernel Runtime Integrity Monitor. In 2004 USENIX Security Symposium.
[5] M. Williamson et al. Throttling viruses: Restricting propagation to defeat malicious mobile code. In 2002 CSAC.
[6] L. Xie et al. Designing System-level Defenses against Cellphone Malware. In SRDS 2009.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\



SSL-DP: A Rootkit of Network Based SSL and TLS Traffic Decryptor





[1] Moxie Marlinspike, New Tricks For Defeating SSL In Practice. BlackHat 2009, Washington DC. Dec. 2009
[2] Burkholder, Peter. "SSH and SSL for SysAdmins," 24 January 2002.
[3] Ellison, C. and B. Schneier. "Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure," Computer Security Journal, v 16, n 1, 2000, pp. 1-7.
[4] Esser, Stefan. "IE https certificate attack," 22 December 2001.
[5] Internet Explorer SSL Vulnerability, Webpage 2002-08-05, Retrieved 2002-09, http://online.securityfocus.com/archive/1/286290/2002-08-05/2002-08-07/2.
[6] Cafarelli, D. Personal communications. Dierks, T. and Allen, C., The TLS Protocol, Version 1.0. Internet Engineering Task Force. RFC-2246, ftp://ftp.isi.edu/in-notes/rfc2246.txt.
[7] Definition of man-in-the-middle, Webpage 2002-03-26, Retrieved 2002-09, http://www.wordspy.com/words/maninthemiddleattack.asp.
[8] Eric Rescorla (2009-11-05). "Understanding the TLS Renegotiation Attack". Educated Guesswork. http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html. Retrieved 2009-11-27.
[9] McMillan, Robert (2009-11-20). "Security Pro Says New SSL Attack Can Hit Many Sites". PC World. http://www.pcworld.com/article/182720/security_pro_says_new_ssl_attack_can_hit_many_sites.html. Retrieved 2009-11-27.
[10] Bugzilla@Mozilla - Bug 236933 - Disable SSL2 and other weak ciphers. Mozilla Corporation. https://bugzilla.mozilla.org/show_bug.cgi?id=236933. Retrieved 2007-11-25.


\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


UNIX and Linux based Kernel Rootkits

Feedback / rootkits: bunten@dfn-cert.de



\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


UNIX and Linux based Rootkits
Techniques and Countermeasures

Andreas Bunten
DFN-CERT Services GmbH
Heidenkampsweg 41
D-20097 Hamburg
bunten@dfn-cert.de





[Aide2004] R. Lehti; P. Virolainen, Homepage Aide, http://www.cs.tut.fi/~rammer/aide.html, 2004.
[BC2002] D. Bovet; M. Cesati, Understanding the Linux Kernel, 2nd Edition. O'Reilly. ISBN-0596002130, 2002.
[BTA1989] “Black Tie Affair”, Hiding Out Under Unix. Phrack Magazine, Issue 25, Vol. 3, File 6. http://www.phrack.org/phrack/25/P25-06, 1989.
[Bach1986] M. Bach, The Design of the UNIX Operating System. Prentice-Hall. ISBN-0132017997, 1986.
[CERT2000] CERT Coordination Center, CERT/CC Incident Note IN-2000-10: Widespread Exploitation of rpc.statd and wu-ftpd Vulnerabilities, http://www.cert.org/incident_notes/IN-2000-10.html, 2000.
[Chk2004] N. Murilo; K. Steding-Jessen, Homepage Chkrootkit, http://www.chkrootkit.org, 2004.
[Ditt2002] D. Dittrich, “Root Kits” and hiding files/directories/processes after a break-in. http://staff.washington.edu/dittrich/misc/faqs/rootkits.faq, 2002.
[Fusy2002] “Fusys”, Homepage kstat, http://www.s0ftpj.org/en/tools.html, 2002.
[Half1997] “Halflife”, Abuse of the Linux Kernel for Fun and Profit. Phrack Magazine, Issue 50, Vol. 7, File 5. http://www.phrack.org/phrack/50/P50-05, 1997.
[Hogl1999] G. Hoglund, A real NT Rootkit, patching the NT Kernel. Phrack Magazine, Issue 55, Vol. 9, File 5. http://www.phrack.org/phrack/55/P55-06, 1999.
[Jbtz2002] “jbtzhm”, Static Kernel Patching. Phrack Magazine, Issue 60, Vol. 11, File 8. http://www.phrack.org/phrack/60/p60-0x08, 2002.
[PlT1999] “Plasmoid”; “THC”, Solaris Loadable Kernel Modules: “Attacking Solaris with loadable kernel modules”. http://packetstormsecurity.nl/groups/thc/slkm-1.0.html, 1999.
[PrT1999] “Pragmatic”; “THC”, Attacking FreeBSD with Kernel Modules, http://www.thehackerschoice.com/papers/bsdkern.html, 1999.
[Rkh2004] M. Boelen; S. Dudzinski, Homepage Rootkit Hunter, http://www.rootkit.nl/projects/rootkit_hunter.html, 2004.
[Rutk2002] J. K. Rutkowski, Execution Path Analysis: finding kernel based rootkits. Phrack Magazine, Issue 59, Vol. 11, File 10. http://www.phrack.org/phrack/59/p59-0x0b.txt, 2002.
[SD2001] “SD”; “Devik”, Linux on-the-fly kernel patching without LKM. Phrack Magazine, Issue 58, Vol. 10, File 7. http://www.phrack.org/phrack/58/p58-0x07, 2001.
[Skou2003] E. Skoudis, Malware: Fighting Malicious Code. Prentice-Hall. ISBN-0131014056, 2003.
[Teso2003] “team teso”, Codeflow Analyse. Talk at the 19th Chaos Communications Congress, Berlin. http://www.team-teso.net/articles/19c3-speech/, 2003.
[tr2003] “truff”, Infecting loadable kernel modules. Phrack Magazine, Issue 61, Vol. 11, File 10. http://www.phrack.org/phrack/61/p61-0x0a_Infecting_Loadable_Kernel_Modules.txt, 2003.


