Skip to content

Rootkit Lessons from Early Polymorphism

I just dug up an old paper (01/08/2005) but still a good one called “Shadow Walker: Raising The Bar For Windows Rootkit Detection”. It suggests malware provide a randomly faked view of memory to a system/scanner without revealing any of its own code.

…imagine a rootkit that makes no effort to change its superficial
appearance, yet is capable of fundamentally altering a detectors view of an
arbitrary region of memory. When the detector attempts to read any region
of memory modified by the rootkit, it sees a ‘normal’, unaltered view of
memory. Only the rootkit sees the true, altered view of memory. Such a
rootkit is clearly capable of compromising all of the primary detection
methodologies to varying degrees.

The authors’ propose a better way for malware to hide than polymorphism is to lie; binary code change camouflage to evade scanners was said to be more difficult than just generating fake replies. Now it seems so commonplace as to be obvious to manipulate memory, and even incorporated into regular development, but back then it was Phrackworthy.

Posted in Security.

0 Responses

Stay in touch with the conversation, subscribe to the RSS feed for comments on this post.

Some HTML is OK

or, reply to this post via trackback.