Discovery of kernel rootkits with memory scan

US 20070078915A1
Filed: 10/05/2005
Published: 04/05/2007
Est. Priority Date: 10/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting kernel level rootkits, comprising:

scanning a kernel memory using a kernel level detector, the kernel level detector including kernel level code executing in a kernel space; and

comparing the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting kernel level rootkits including scanning a kernel memory using a kernel level detector. The kernel level detector includes kernel level code executing in kernel space. The kernel memory is compared to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.

42 Citations

View as Search Results

30 Claims

1. A method of detecting kernel level rootkits, comprising:
- scanning a kernel memory using a kernel level detector, the kernel level detector including kernel level code executing in a kernel space; and
  
  comparing the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the rootkit signature corresponds with a rootkit and the presence of the rootkit signature in the kernel memory indicates the presence of the rootkit.
  - 3. The method of claim 2, further comprising alerting an administrator of the presence of the rootkit.
  - 4. The method of claim 2, further comprising:
    - obtaining instructions on how to remove the rootkit; and
      
      removing the rootkit.
  - 5. The method of claim 1, further comprising loading the rootkit signature file from a storage location external to the kernel memory.
  - 6. The method of claim 5, wherein the rootkit signature file is loaded by a kernel level driver of the kernel level detector.
  - 7. The method of claim 1, wherein scanning the kernel memory with the kernel level detector occurs at periodic intervals.
  - 8. The method of claim 1, wherein scanning the kernel memory with the kernel level detector occurs automatically.
  - 9. The method of claim 1, wherein scanning the kernel memory with the kernel level detector occurs each time a new device driver is loaded.
  - 10. The method of claim 1, further comprising directly linking a kernel level driver of the kernel level detector to a kernel such that a malicious driver may not prevent the kernel level driver from loading without replacing the kernel.

11. A system for detecting kernel level rootkits, comprising:
- a rootkit signature file corresponding to a rootkit signature; and
  
  a kernel level detector operable to scan a kernel memory and compare the kernel memory to the rootkit signature file to determine if the rootkit signature is present in the kernel memory, the kernel level detector including kernel level code executing in a kernel space.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the rootkit signature corresponds with a rootkit and the presence of the rootkit signature in the kernel memory indicates the presence of the rootkit.
  - 13. The system of claim 12, further comprising an alert message to inform an administrator of the presence of the rootkit.
  - 14. The system of claim 12, wherein the kernel level detector includes instructions on how to remove the rootkit.
  - 15. The system of claim 11, further comprising a storage location external to the kernel memory from which the rootkit signature file is loaded.
  - 16. The system of claim 15, further comprising a kernel level driver of the kernel level detector operable to load the rootkit signature file.
  - 17. The system of claim 11, wherein the kernel level detector is operable to scan the kernel memory at periodic intervals.
  - 18. The system of claim 11, wherein the kernel level detector is operable to scan the kernel memory automatically.
  - 19. The system of claim 11, wherein the kernel level detector scans the kernel memory each time a new device driver is loaded.
  - 20. The system of claim 11, further comprising a kernel level driver of the kernel level detector, the kernel level driver being linked directly into a kernel such that a malicious driver may not prevent the kernel level driver from loading without replacing the kernel.

21. A system for detecting kernel level rootkits, comprising:
- a processor operable to scan a kernel memory using a kernel level detector, the kernel level detector including kernel level code executing in a kernel space; and
  
  the processor further operable to compare the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The system of claim 21, wherein the rootkit signature corresponds with a rootkit and the presence of the rootkit signature in the kernel memory indicates the presence of the rootkit.
  - 23. The system of claim 22, the processor further operable to alert an administrator of the presence of the rootkit.
  - 24. The system of claim 22, the processor further operable to:
    - obtain instructions on how to remove the rootkit; and
      
      remove the rootkit.
  - 25. The system of claim 21, the processor further operable to load the rootkit signature file from a storage location external to the kernel memory.
  - 26. The system of claim 25, wherein the rootkit signature file is loaded by a kernel level driver of the kernel level detector.
  - 27. The system of claim 21, wherein scanning the kernel memory with the kernel level detector occurs at periodic intervals.
  - 28. The system of claim 21, wherein scanning the kernel memory with the kernel level detector occurs automatically.
  - 29. The system of claim 21, wherein scanning the kernel memory with the kernel level detector occurs each time a new device driver is loaded.
  - 30. The system of claim 21, the processor further operable to directly link a kernel level driver of the kernel level detector to a kernel such that a malicious driver may not prevent the kernel level driver from loading without replacing the kernel.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
Gassoway, Paul

Granted Patent

US 8,572,371 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/568   eliminating virus, restorin...

Discovery of kernel rootkits with memory scan

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

42 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Discovery of kernel rootkits with memory scan

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others