Detecting and removing rootkits from within an infected computing system
First Claim

1. A computer program product for implementing a method for a computing system to detect the presence of a rootkit in the form of rootkit code that, when executed, manipulates responses to a file system, the computing system including an operating system, a storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit detection component, the computer program product comprising one or more computer-readable storage media having thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of initiating a computing system shut down operation;
- an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
- an act of the rootkit detection component accessing an enumeration of individual files represented in the snapshot using an alternate file system I/O, wherein:
  - the operating system comprises the rootkit detection component;
  - the operating system comprises a first file system I/O;
  - the alternate file system I/O has a different source code implementation than the first file system I/O for interpreting file system data structures; and
- an act of the rootkit detection component using the enumeration to detect the presence of a rootkit.
Abstract
A computing system configured to detect and/or remove a rootkit. For detection, a snapshot component takes a snapshot of a storage unit. A rootkit detection component accesses an enumeration of individual files stored on the storage unit using an alternative file system I/O to detect the presence of a rootkit. For removal, the location of a rootkit is identified and a computing system shutdown is initiated. A snapshot component pauses the shutdown operation prior to the completion of the shut down and takes a snapshot of a file storage unit. A rootkit repair component accesses the identified location of the portion of the file storage unit containing the rootkit and modifies the portion of the snapshot of the file storage unit so as to remove the rootkit.
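The abstract describes two steps that are easy to lose in the claim language: a cross-view comparison (the operating system's own file enumeration against an independent parse of the raw snapshot bytes) to detect a hidden file, and a repair that edits the snapshot rather than the live volume. The following Python is an added example, not code from the patent or from any product implementing it. Everything in it is constructed: the on-disk directory-table format, the `hooked_enumerate` stand-in for a subverted file system I/O, and the file names; no real file system is parsed.

```python
"""Cross-view rootkit detection and snapshot repair over a constructed image.

The snapshot is a byte string in a made-up directory-table layout (assumption,
not any real file system): u32 entry_count, then per entry u8 name_len,
name bytes, u32 size, u32 first_block, all little-endian.
"""
import struct
from typing import Dict, Set, Tuple

Entry = Tuple[int, int]  # (size, first_block)


def build_image(entries: Dict[str, Entry]) -> bytes:
    """Serialize a directory table into the constructed snapshot format."""
    out = bytearray(struct.pack("<I", len(entries)))
    for name, (size, block) in entries.items():
        name_bytes = name.encode("utf-8")
        if len(name_bytes) > 255:
            raise ValueError("name too long for the u8 length field")
        out += struct.pack("<B", len(name_bytes)) + name_bytes
        out += struct.pack("<II", size, block)
    return bytes(out)


def alternate_enumerate(image: bytes) -> Dict[str, Entry]:
    """The 'alternate file system I/O': interprets the raw snapshot bytes with
    its own code and never asks the (possibly hooked) operating system."""
    (count,) = struct.unpack_from("<I", image, 0)
    offset = 4
    found: Dict[str, Entry] = {}
    for _ in range(count):
        (name_len,) = struct.unpack_from("<B", image, offset)
        offset += 1
        name = image[offset:offset + name_len].decode("utf-8")
        offset += name_len
        size, block = struct.unpack_from("<II", image, offset)
        offset += 8
        found[name] = (size, block)
    if offset != len(image):
        raise ValueError("trailing bytes after directory table; image may be corrupt")
    return found


def hooked_enumerate(truth: Dict[str, Entry], hidden_prefix: str) -> Dict[str, Entry]:
    """Constructed stand-in for the 'first file system I/O' after a rootkit has
    hooked it: entries whose names start with hidden_prefix are filtered out."""
    return {n: e for n, e in truth.items() if not n.startswith(hidden_prefix)}


def detect(raw: Dict[str, Entry], live: Dict[str, Entry]) -> Dict[str, str]:
    """Cross-view comparison: every name where the two enumerations disagree,
    mapped to the reason. An empty result means the views are consistent."""
    findings: Dict[str, str] = {}
    for name, entry in raw.items():
        if name not in live:
            findings[name] = "present on disk, hidden from OS enumeration"
        elif live[name] != entry:
            findings[name] = "metadata differs between OS view and raw parse"
    for name in live:
        if name not in raw:
            findings[name] = "reported by OS but absent from raw directory table"
    return findings


def repair_snapshot(image: bytes, remove: Set[str]) -> bytes:
    """Rewrite the snapshot without the flagged entries. The live volume is not
    touched; the system would reboot from the repaired snapshot."""
    kept = {n: e for n, e in alternate_enumerate(image).items() if n not in remove}
    return build_image(kept)


def run_demo():
    """End-to-end run on constructed data; returns (findings, repaired listing)."""
    truth = {"boot.sys": (4096, 10), "notes.txt": (120, 20), "~hid_driver.sys": (8192, 30)}
    snapshot = build_image(truth)                 # taken while I/O above the driver is quiesced
    live = hooked_enumerate(truth, "~hid_")       # what the hooked OS API would report
    findings = detect(alternate_enumerate(snapshot), live)
    hidden = {n for n, why in findings.items() if why.startswith("present on disk")}
    repaired = repair_snapshot(snapshot, hidden)
    return findings, alternate_enumerate(repaired)


if __name__ == "__main__":
    found, remaining = run_demo()
    for name, why in found.items():
        print(f"{name}: {why}")
    print("files in repaired snapshot:", sorted(remaining))
```

The point of the two separate parsers is the one the claims make: the alternate enumeration must not share code with the file system I/O that a rootkit can hook, otherwise both views would be filtered the same way and the comparison would show nothing.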
19 Claims
1. (Independent claim; text given above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 8.
7. A method for a computing system to detect the presence of a rootkit in the form of rootkit code that, when executed, manipulates responses to a file system, the computing system including an operating system, a storage unit comprising individual files, a snapshot component configured to take a snapshot of the storage unit, and a rootkit detection component, the method comprising:
- an act of initiating a computing system shut down operation;
- an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
- an act of the rootkit detection component accessing an enumeration of the individual files represented in the snapshot using an alternate file system I/O, wherein:
  - the operating system comprises the rootkit detection component;
  - the operating system comprises a first file system I/O;
  - the alternate file system I/O has a different source code implementation than the first file system I/O for interpreting file system data structures;
  - each application installed on the operating system, other than the rootkit detection component, uses the first file system I/O to access data and does not use the alternate file system I/O to access data; and
- an act of the rootkit detection component using the enumeration to detect the presence of a rootkit.
9. A computer program product for use in a computing system to remove a rootkit representing rootkit code from a storage unit, wherein the rootkit code, when executed, manipulates responses to a file system, the computing system including the storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit repair component, the computer program product comprising one or more computer-readable storage media having thereon computer-executable instructions that, when executed by one or more processors of the computing system, cause the computing system to perform the method, the method comprising:
- an act of identifying a location of a rootkit;
- an act of initiating a computing system shut down operation;
- an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
- an act of the rootkit repair component accessing the identified location of the portion of the storage unit containing the rootkit and modifying the portion of the snapshot of the storage unit so as to remove the rootkit; and
- an act of rebooting the computing system from the snapshot after the rootkit has been removed from the snapshot.

Dependent claims: 10, 11, 12, 13, 14, 15, 16.
17. A method for a computing system to remove a rootkit representing rootkit code from a storage unit, wherein the rootkit code, when executed, manipulates responses to a file system, the computing system including the storage unit, a snapshot component configured to take a snapshot of the storage unit, and a rootkit repair component, the method comprising:
- an act of identifying a location of a rootkit;
- an act of initiating a computing system shut down operation;
- an act of the snapshot component pausing the shutdown operation prior to the completion of the shut down and taking a snapshot of at least a portion of the storage unit, wherein the act of the snapshot component pausing the shutdown operation prior to the completion of the shut down comprises shutting down at least one functional layer of the computing system before shutting down a device driver for the storage unit, wherein the at least one functional layer is logically positioned above the device driver;
- an act of the rootkit repair component accessing the identified location of the portion of the storage unit containing the rootkit and modifying the portion of the snapshot of the storage unit so as to remove the rootkit; and
- an act of rebooting the computing system from the snapshot after the rootkit has been removed from the snapshot.

Dependent claims: 18, 19.
Specification