This document describes a technique for automatically discovering rootkits by comparing kernel memory snapshots before and after running potentially malicious drivers or executables. The technique was implemented in a system that runs samples in a virtual machine, extracts kernel memory contents, analyzes differences to identify suspicious modifications, and generates signatures of common rootkit behaviors. The system was tested on high-profile rootkits, driver samples, and random executables. It was able to identify kernel modifications in over 80% of malicious samples and detect behaviors of known rootkits without relying on file contents or known signatures. The authors conclude the technique is effective but note areas for future work, such as analyzing additional kernel structures and detecting more advanced techniques like DKOM or usermode rootkits
2. Agenda
2
• Objective and method
• System design and implementation
• Running drivers
• Data extraction
• Processing the data
• Reporting and signatures
• And the result is …
• Experiment A: High profile rootkits
• Experiment B: Driver files
• Experiment C: Random set of PE files
• Conclusion
• Future work
3. What is the objective?
• Automate the process of finding samples that
exhibit kernelmode behaviour
• List the modifications made to the kernel
• Identify the maliciousness of specific
modifications
• Import that data into other systems
3
4. How do we automate the process?
•Use existing tools
•Build our own
•Using anti-rootkit tools
•Using a custom diff based solution
4
6. Running Driver files
6
Guest VM
Is Driver
file ?
Driver Analysis
Package
Other Analysis
package
(Servicename | StartType | ServiceType | LoadMode)
“Register service using scm
If not loadmode then:
start service using NTLoadDriver
Else:
start service using loadmode option
If not service is running:
report FAIL ! “
7. Usage of the SophosAV Engine
With the SAV engine we get:
• Existing software that has a presence in the kernel
• The ability to examine/dump areas of kernel memory
• The ability to write to a log file
NOTE: Due to modular design we don’t need to use the
Sophos AV engine.
7
20. Tests
• High profile rootkits
• TDL Derivatives
• GAPZ
• Turla
• Necurs
• Experiment B: Malicious and clean driver set
• Experiment C: Random set of known malicious PE files
20
26. High profile rootkits
• We do not always get enough information to
classify specific families
• We are getting enough information to warrant
further investigation by an researcher
26
27. Experiment B
27
82%
18%
Malicious Drivers
With Kernel
Data
Without
Kernel
Data
51%
49%
Clean Drivers
With Kernel
Data
Without
Kernel
Data
• Total number of malicious drivers 1854.
• Total number of clean drivers 1053.
• Insufficient time for the log to be generated was a common
reason for failure to get back kernel data. Miss the log by a
second or two. It’s a trade off.
28. And the results is
28
0
10
20
30
40
50
60
70
80
90
100
Malicious
Clean
30. Experiment C
30
96%
4%
Set of PE files
With Kernel
memory
Without Kernel
Data
• 319 of known malicious PE files.
0
0.5
1
1.5
2
2.5
3
3.5
4
4.5
5
Kernel memory signature hits for PE files
Kernel memory signature hits for PE
files
31. Weighting the signatures
31
Suspicious
Modified driver
Modified module
Info
New driver objects
New module
Malicious
SSDT Hook
IDT Hook
New Callback
Attached Device
Modified MBR
Modified VBR
Modified EOD size
32. Conclusion
• Malicious activity can be identified via modifications
rather than creation
• Malicious drivers are unlikely to employ anti-sandboxing
techniques
• Good enough to identify kernel activity
• Not exhaustive analysis
32
33. Future work
• Exploring other areas of the kernel
• Object table
• DKOM
• 64bit drivers
• Sample clustering
• Usermode rootkits
33