Journal in Computer Virology, Volume 4, Issue 2, pp 137–157

Rootkit modeling and experiments under Linux

  • Éric Lacombe
  • Frédéric Raynal
  • Vincent Nicomette
SSTIC 2007 Best Academic Papers


This article deals with rootkit design. We show how these particular malicious codes are innovative compared to usual malware such as viruses, Trojan horses, etc. From that comparison, we introduce a functional architecture for rootkits. We also propose some criteria to characterize a rootkit and thus to qualify and assess the different kinds of rootkits. We purposely adopt a global view of this topic, that is, we do not restrict our study to the rootkit software itself: we also consider the communication between the attacker and his tool, and the induced interactions with the system. We observe that the problems faced during rootkit design are close to those of steganography, while also showing the limits of such a comparison. Finally, we present a rootkit paradigm that runs in kernel mode under Linux, along with some new techniques that improve its stealth features.


Keywords (added by machine, not by the authors): System Call, Secret Message, Kernel Module, User Space, Malicious Code





Copyright information

© Springer-Verlag France 2007

Authors and Affiliations

  • Éric Lacombe (1)
  • Frédéric Raynal (2, 3)
  • Vincent Nicomette (1)

  1. LAAS-CNRS, University of Toulouse, Toulouse Cedex 4, France
  2. Sogeti ESEC, Paris, France
  3. MISC Magazine, Diamond Editions, Sélestat Cedex, France
