Different Take on the Rootkit Paradox

Friday, November 30, 2012 Posted by Corey Harrell
Jesse Kornblum’s paper “Exploiting the Rootkit Paradox with Windows Memory Analysis” explains the predicament Rootkits find themselves in. The predicament is:

        1. They want to remain hidden.

        2. They need to run.

Jesse’s paper goes into detail about this paradox so I won’t. The main point is Rootkits want to remain hidden on a system but they need to run on an operating system. If an operating system can find the Rootkit then so can an examiner. The paradox applies to all kinds of malware from data stealers to remote access Trojans to droppers.

I’ve been thinking about the Rootkit Paradox and there is another aspect to it that is important for examiners to understand. The second predicament is:

        1. They need to run.

        2. They want to remain hidden

In this case the “they” in the need to run is a piece of malware while the “they” in the want to remain hidden are Rootkits. Basically, a program needs to run in order to hide a Rootkit on a system. The program could be the Rootkit itself or a different piece of malware such as a dropper or installer. When a program runs on the system it creates artifacts showing it executed. An examiner could then look at those artifacts along with changes made to the file system (files/folders creations and modifications) to determine where the Rootkit or its components are hiding. Again this predicament applies to all kinds of malware.

The Rootkit Paradox is alive and well, and can be leveraged to find malware hiding on a system.
  1. Corey,

    Great stuff! Call it "Corey's Corollary to Jesse's Rootkit Paradox".

    This is just kind of thing that we need to see more of in the community.

    I completely agree, and this is a fantastic segue right into timeline analysis with categories...I'd call it "timeline++", but it really needs to be the "normal" way everyone does timelines.

    It's funny that you bring this up...I just got back from having lunch with Jim R of Sony, and remember thinking that I've gotta add "...and did it execute" to the malware detection course that I'm developing (the thought was based in part on our conversation).

Post a Comment