Abstract
Several methods exist for detecting Linux kernel module (LKM) rootkits, most of which rely on a priori system-specific knowledge. We propose an alternative detection technique that only requires knowledge of the distribution of system call addresses in an uninfected system. Our technique relies on outlier analysis, a statistical technique that compares the distribution of system call addresses in a suspect system to that in a known uninfected system. Experimental results indicate that it is possible to detect LKM rootkits with a high degree of confidence.
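To make the idea concrete, here is an added illustration that is not code from the paper: a baseline of clean system call handler addresses, a suspect table in which three handlers have been redirected into module space, and an outlier score comparing each suspect address to the baseline distribution. The addresses are constructed, and the median/MAD score is an assumption of this example rather than the authors' statistic.

```python
import statistics

# Constructed sample data (not from the paper): system call table entries,
# name -> handler address, modelled on a 32-bit Linux layout where kernel text
# sits near 0xC01xxxxx and loadable modules are mapped far above it.
BASELINE = {
    "fork": 0xC01056E0, "execve": 0xC010B230, "getuid": 0xC0116E40,
    "setuid": 0xC011C010, "kill": 0xC012A3F0, "open": 0xC01307C0,
    "close": 0xC0138A30, "read": 0xC0142A40, "write": 0xC0148B10,
    "stat": 0xC0155E20, "getdents": 0xC0159F10, "ioctl": 0xC0162A90,
    "chdir": 0xC016C3A0, "mmap": 0xC0175100,
}

# Suspect table: same entries, but three handlers now point into module space,
# the pattern an LKM rootkit leaves when it overwrites sys_call_table slots.
SUSPECT = dict(BASELINE, **{
    "getdents": 0xD0876F20,  # constructed module-area address
    "read": 0xD0876A10,
    "kill": 0xD0877330,
})


def robust_z_scores(baseline, suspect):
    """Score every suspect handler against the baseline address distribution.

    Median and MAD are used instead of mean and standard deviation so that a
    few hooked entries cannot drag the centre of the distribution toward
    themselves (an assumption of this example, not the paper's statistic)."""
    addrs = list(baseline.values())
    med = statistics.median(addrs)
    mad = statistics.median(abs(a - med) for a in addrs)
    scale = 1.4826 * mad if mad else 1.0  # 1.4826 makes MAD ~ sigma for normal data
    return {name: (addr - med) / scale for name, addr in suspect.items()}


def detect_hooked_syscalls(baseline, suspect, threshold=3.5):
    """Return the names of syscalls whose handler address is an outlier."""
    scores = robust_z_scores(baseline, suspect)
    return sorted(name for name, z in scores.items() if abs(z) > threshold)


if __name__ == "__main__":
    for name in detect_hooked_syscalls(BASELINE, SUSPECT):
        print(f"{name:10s} 0x{SUSPECT[name]:08X}  outlier handler address")
```

Because the comparison is against the shape of the distribution rather than exact addresses, the baseline need not come from the same kernel build as the suspect system, which is the property the abstract relies on.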
© 2007 International Federation for Information Processing
Cite this paper
Wampler, D., Graham, J. (2007). A Method for Detecting Linux Kernel Module Rootkits. In: Craiger, P., Shenoi, S. (eds) Advances in Digital Forensics III. DigitalForensics 2007. IFIP — The International Federation for Information Processing, vol 242. Springer, New York, NY. https://doi.org/10.1007/978-0-387-73742-3_7
DOI: https://doi.org/10.1007/978-0-387-73742-3_7
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-73741-6
Online ISBN: 978-0-387-73742-3
eBook Packages: Computer Science (R0)