Discovery of kernel rootkits with memory scan

US 8,572,371 B2
Filed: 10/05/2005
Issued: 10/29/2013
Est. Priority Date: 10/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method of detecting kernel level rootkits, comprising:

hooking a kernel level detector into loading procedures of an operating system of a processor;

in response to detecting a particular event comprising the installation of a new device driver by the operating system, using the kernel level detector to scan, with the processor, a kernel memory, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space; and

comparing, with the processor, the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method are provided for detecting kernel level rootkits including scanning a kernel memory using a kernel level detector. The kernel level detector includes kernel level code executing in kernel space. The kernel memory is compared to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.

25 Citations

View as Search Results

41 Claims

1. A method of detecting kernel level rootkits, comprising:
- hooking a kernel level detector into loading procedures of an operating system of a processor;
  
  in response to detecting a particular event comprising the installation of a new device driver by the operating system, using the kernel level detector to scan, with the processor, a kernel memory, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space; and
  
  comparing, with the processor, the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 31, 34)
- - 2. The method of claim 1, wherein the rootkit signature corresponds with a rootkit and the presence of the rootkit signature in the kernel memory indicates the presence of the rootkit.
  - 3. The method of claim 2, further comprising alerting an administrator of the presence of the rootkit.
  - 4. The method of claim 2, further comprising:
    - obtaining instructions on how to remove the rootkit; and
      
      removing the rootkit.
  - 5. The method of claim 1, further comprising loading the rootkit signature file from a storage location external to the kernel memory.
  - 6. The method of claim 5, wherein the rootkit signature file is loaded by a kernel level driver of the kernel level detector.
  - 7. The method of claim 1, wherein scanning the kernel memory with the kernel level detector occurs at periodic intervals.
  - 8. The method of claim 1, wherein scanning the kernel memory with the kernel level detector occurs automatically.
  - 9. The method of claim 1, wherein scanning the kernel memory with the kernel level detector occurs each time a new device driver is loaded.
  - 10. The method of claim 1, further comprising directly linking a kernel level driver of the kernel level detector to a kernel such that a malicious driver does not prevent the kernel level driver from loading without replacing the kernel.
  - 31. The method of claim 1, further comprising:
    - providing an operating system having at least a first operating space and a second operating space, the first operating space comprising a user space executing one or more user processes, the second operating space comprising a kernel space executing one or more kernel processes, andwherein scanning the kernel memory comprises executing the kernel level code as a kernel process in the second operating space comprising the kernel space.
  - 34. The method of claim 31, wherein the kernel level detector is located in a kernel space and includes the kernel level code, the kernel level code being stored and executed in the kernel space.

11. A system for detecting kernel level rootkits, comprising:
- a non-transitory computer readable storage medium operable to store a rootkit signature file corresponding to a rootkit signature; and
  
  a processor operable to hook a kernel level detector into loading procedures of an operating system of the processor and scan a kernel memory with the kernel level detector in response to detecting a particular event comprising installation of a new device driver by the operating system, the kernel level detector operable to compare the kernel memory to the rootkit signature file to determine if the rootkit signature is present in the kernel memory, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 32)
- - 12. The system of claim 11, wherein the rootkit signature corresponds with a rootkit and the presence of the rootkit signature in the kernel memory indicates the presence of the rootkit.
  - 13. The system of claim 12, further comprising an alert message to inform an administrator of the presence of the rootkit.
  - 14. The system of claim 12, wherein the kernel level detector includes instructions on how to remove the rootkit.
  - 15. The system of claim 11, wherein the non-transitory computer readable storage medium is external to the kernel memory from which the rootkit signature file is loaded.
  - 16. The system of claim 15, further comprising a kernel level driver of the kernel level detector operable to load the rootkit signature file.
  - 17. The system of claim 11, wherein the kernel level detector is operable to scan the kernel memory at periodic intervals.
  - 18. The system of claim 11, wherein the kernel level detector is operable to scan the kernel memory automatically.
  - 19. The system of claim 11, wherein the kernel level detector scans the kernel memory each time a new device driver is loaded.
  - 20. The system of claim 11, further comprising a kernel level driver of the kernel level detector, the kernel level driver being linked directly into a kernel such that a malicious driver does not prevent the kernel level driver from loading without replacing the kernel.
  - 32. The system of claim 11, wherein:
    - the processor comprises an operating system having at least a first operating space and a second operating space, the first operating space comprising a user space executing one or more user processes, the second operating space comprising a kernel space executing one or more kernel processes, andthe processor is operable to scan the kernel memory by executing the kernel level code as a kernel process in the second operating space comprising the kernel space.

21. A system for detecting kernel level rootkits, comprising:
- a hardware microprocessor operable to hook a kernel level detector into loading procedures of an operating system of the hardware microprocessor and scan a kernel memory using the kernel level detector in response to detecting a particular event comprising an installation of a new device driver by the operating system, the kernel level detector being located in a kernel space and including kernel level code that is stored and executed in the kernel space; and
  
  the hardware microprocessor further operable to compare the kernel memory to at least one rootkit signature file to determine if a rootkit signature corresponding to the rootkit signature file is present in the kernel memory.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 33)
- - 22. The system of claim 21, wherein the rootkit signature corresponds with a rootkit and the presence of the rootkit signature in the kernel memory indicates the presence of the rootkit.
  - 23. The system of claim 22, the hardware microprocessor further operable to alert an administrator of the presence of the rootkit.
  - 24. The system of claim 22, the hardware microprocessor further operable to:
    - obtain instructions on how to remove the rootkit; and
      
      remove the rootkit.
  - 25. The system of claim 21, the hardware microprocessor further operable to load the rootkit signature file from a storage location external to the kernel memory.
  - 26. The system of claim 25, wherein the rootkit signature file is loaded by a kernel level driver of the kernel level detector.
  - 27. The system of claim 21, wherein scanning the kernel memory with the kernel level detector occurs at periodic intervals.
  - 28. The system of claim 21, wherein scanning the kernel memory with the kernel level detector occurs automatically.
  - 29. The system of claim 21, wherein scanning the kernel memory with the kernel level detector occurs each time a new device driver is loaded.
  - 30. The system of claim 21, the hardware microprocessor further operable to directly link a kernel level driver of the kernel level detector to a kernel such that a malicious driver does not prevent the kernel level driver from loading without replacing the kernel.
  - 33. The system of claim 21, wherein:
    - the processor comprises an operating system having at least a first operating space and a second operating space, the first operating space comprising a user space executing one or more user processes, the second operating space comprising a kernel space executing one or more kernel processes, andthe processor is operable to scan the kernel memory by executing the kernel level code as a kernel process in the second operating space comprising the kernel space.

35. A method of detecting kernel level rootkits, comprising:
- receiving a request from a user space process operating in a user space, the request requesting information from a kernel space process operating in a kernel space;
  
  using a kernel level detector comprising a processor residing in the kernel space to independently compile a list of the information requested by the user space process;
  
  comparing, by the kernel level detector comprising the processor, the independently compiled list with a list generated by a kernel level process; and
  
  detecting one or more hidden processes on the independently compiled list that is not on the list generated by the kernel level process, the one or more hidden processes indicating a presence of a rootkit in the kernel level process.
- View Dependent Claims (36, 37, 38, 39, 40)
- - 36. The method of claim 35, wherein the list of the information requested by the user space comprises a list of one or more processes operating in the user space.
  - 37. The method of claim 35, wherein the list of the information requested by the user space comprises a list of one or more open ports.
  - 38. The method of claim 35, wherein the list generated by the kernel level process comprises a list that is generated by the rootkit in the kernel level process.
  - 39. The method of claim 35, wherein:
    - the list independently compiled by the kernel level detector includes the one or more hidden processes; and
      
      the list generated by the rootkit in the kernel level process has been filtered by the rootkit such that the list generated by the rootkit does not include the one or more hidden processes.
  - 40. The method of claim 35, further comprising directly linking a kernel level driver of the kernel level detector to a kernel such that a malicious driver does not prevent the kernel level driver from loading without replacing the kernel.

41. A system for detecting kernel level rootkits, comprising:
- a non-transitory computer readable storage medium operable to store executable code for detecting kernel level rootkits; and
  
  a processor operable, when executing the executable code, to;
  
  receive a request from a user space process operating in a user space, the request requesting information from a kernel space process operating in a kernel space;
  
  use a kernel level detector comprising a processor residing in the kernel space to independently compile a list of the information requested by the user space process;
  
  compare, by the kernel level detector comprising the processor, the independently compiled list with a list generated by a kernel level process; and
  
  detect one or more hidden processes on the independently compiled list that is not on the list generated by the kernel level process, the one or more hidden processes indicating a presence of a rootkit in the kernel level process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Inventors
Gassoway, Paul A.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US11/244,672
Publication Number

US 20070078915A1
Time in Patent Office

2,946 Days
Field of Search

380/276, 380/277, 380/278, 380/284, 380/286, 713/182, 713/183, 713/184, 713/185, 713/176, 726/28, 726/30, 726/33, 714 22- 30
US Class Current

713/165
CPC Class Codes

G06F 21/562   Static detection

G06F 21/564   by virus signature recognition

G06F 21/568   eliminating virus, restorin...

Discovery of kernel rootkits with memory scan

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Discovery of kernel rootkits with memory scan

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links