Journal of Information Processing Vol.25 866–874 (Sep. 2017)
[DOI: 10.2197/ipsjjip.25.866] Regular Paper
The Evolution of Process Hiding Techniques in Malware – Current Threats and Possible Countermeasures
Sebastian Eresheim1,a) Robert Luh1,b) Sebastian Schrittwieser1,c)
Received: November 26, 2016, Accepted: June 6, 2017
Abstract: Rootkits constitute a significant threat to modern computing and information systems. Since their first appearance in the early 1990’s they have steadily evolved, adapting to ever-improving security measures. The main feature rootkits have in common is the ability to hide their malicious presence and activities from the operating system and its legitimate users. In this paper we systematically analyze process hiding techniques routinely used by rootkit malware. We summarize the characteristics of different approaches and discuss their advantages and limitations. Fur- thermore, we assess detection and prevention techniques introduced in operating systems in response to the threat of hidden malware. The results of our assessments show that defenders still struggle to keep up with rootkit authors. At the same time we see a shift towards powerful VM-based techniques that will continue to evolve over the coming years.
Keywords: rootkit, process hiding, malware
many techniques have appeared with the goal of leaving as little 1. Introduction evidence as possible on the running machine [1], [37], [48]. This The origins of hiding processes goes back to the early days paper surveys past and present process hiding techniques and an- of computer science. Outside academics, stealth viruses for MS- alyzes their capabilities against modern rootkit countermeasures. DOS appeared in the early 1990’s and already showed similar 2. Process Hiding Techniques behavior like modern rootkits [55]. The term rootkit has its origin in the UNIX world, where “root” is the most privileged user on a The execution flow of a Windows API call includes multiple system and a root-kit provides an adversary with root privileges. functions from several DLLs (Dynamic Link Library) in both When rootkits evolved from UNIX to the Windows world, the user- and kernel-mode. Specifically, the API call that gathers a name still remained the same although they did not fulfill their list of running processes includes several sub-calls, which lead original purpose anymore. Today’s rootkits typically use their down into the depths of the OS, until the process manager is stealth abilities in order to hide various artifacts such as processes, called. The process manager, who stores all processes and their files, registry keys, drivers, etc. Process hiding is very often the associated information, retrieves a list of the running processes primary hiding ability of rootkits today, therefore this paper uses and returns it to the function caller. The list might then be pro- the term rootkit as a synonym for a piece of software that is capa- cessed by all the intermediate steps in between and then handed ble of hiding processes, although not all rootkits actually have this all the way up again to the caller of the Windows API. ability. For example, one of the very first rootkits for Windows Several of the process hiding techniques discussed in this pa- NT [21], developed by Greg Hoglund, was only about privilege per intercept this API call to retrieve all running processes. This escalation and evading the Kernel security. Hoglund had a big technique is also known as a hook [44]. They all share the same impact on the evolution of the rootkit industry. Not only is the characteristics and the same goal: filtering the data the API call book he co-authored with Jamie Butler [22] a de-facto standard returns. The required steps for this concept look like the follow- for rootkit research, he also operated rootkit.com, a popular web- ing: site within the rootkit community for years. ( 1 ) Take over the execution, either the API call itself or a sub- During the early 2000’s rootkits as well as anti-rootkit and call beneath anti-virus software were entirely focusing on the kernel and the ( 2 ) Jump to a memory region in which a custom program has control of its internal structures. In 2006 Rutkowska et al. [51] been loaded (the steps 4, 5, and 6 are executed by this pro- opened a new chapter in rootkit research with her works on gram) virtualization-based malware. During the evolution of rootkits ( 3 ) Call the original function that was supposed to be called ( 4 ) When the original API call returns it should give the actual 1 Josef Ressel Center for Unified Threat Intelligence on Targeted Attacks, St. Poelten University of Applied Sciences, Austria true list of all running processes a) [email protected] ( 5 ) Modify the list in a way that all processes, which should be b) [email protected] c) [email protected] hidden, are removed from the list