Abstract
Process hiding is a commonly used stealth technique that helps malware evade detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of the TPL, and non-bypassable interfaces for exposing the TPL. Unlike typical VMMs, Aries can dynamically migrate an already-booted OS onto itself. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled from explicit OS implementation details, which privileged malware can subvert. Our functionality evaluation shows that Aries can detect more process-hiding malware than existing detectors, while the performance evaluation shows that desktop-oriented workloads achieve 95.2% of native speed on average.
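The abstract describes obtaining a True Process List from the VMM's view of the guest's memory management structures and using it to expose processes the OS no longer reports. The following is an added illustration of that cross-view idea, not the paper's code: it assumes a simplified model in which the VMM records every switch of the guest's page-directory base register (CR3 on x86) and every address-space teardown, treats each live address space as one process in the TPL, and compares that list against a (possibly rootkit-filtered) OS-reported list. The event log, the OS view and the names are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed VMM event log (hypothetical format). "switch" means the guest
# loaded that page-directory base; "teardown" means the guest released it.
VMM_EVENTS: List[Tuple[str, int]] = [
    ("switch", 0x1000), ("switch", 0x2000), ("switch", 0x3000),
    ("switch", 0x1000), ("teardown", 0x3000), ("switch", 0x4000),
    ("switch", 0x2000), ("switch", 0x4000),
]

# Constructed OS-reported process list keyed by page-directory base, as a
# process enumeration API inside the guest might return it after a rootkit
# has unlinked one entry (0x4000 is deliberately missing).
OS_VIEW: Dict[int, str] = {
    0x1000: "System",
    0x2000: "explorer.exe",
}


@dataclass(frozen=True)
class Finding:
    cr3: int
    kind: str            # "hidden": in TPL but not reported by the OS
                         # "stale":  reported by the OS but never scheduled
    name: Optional[str]  # OS-reported name, if any


def build_tpl(events: List[Tuple[str, int]]) -> Dict[int, int]:
    """Replay the VMM event log and return the live address spaces.

    The result maps each page-directory base that is still live to the
    number of times the guest switched to it. Torn-down spaces are dropped,
    so a process that exited normally is not reported as hidden.
    """
    live: Dict[int, int] = {}
    for event, cr3 in events:
        if event == "switch":
            live[cr3] = live.get(cr3, 0) + 1
        elif event == "teardown":
            live.pop(cr3, None)
        else:
            raise ValueError(f"unknown VMM event {event!r}")
    return live


def cross_view(tpl: Dict[int, int], os_view: Dict[int, str]) -> List[Finding]:
    """Compare the VMM-derived TPL against the OS-reported list.

    Address spaces the guest actually scheduled but the OS does not report
    are the hidden processes. The reverse case (reported but never
    scheduled) is returned as informational: it may be a freshly created
    process that has not run yet rather than an attack.
    """
    findings: List[Finding] = []
    for cr3 in sorted(tpl):
        if cr3 not in os_view:
            findings.append(Finding(cr3, "hidden", None))
    for cr3, name in sorted(os_view.items()):
        if cr3 not in tpl:
            findings.append(Finding(cr3, "stale", name))
    return findings


def hidden_cr3s(events: List[Tuple[str, int]], os_view: Dict[int, str]) -> List[int]:
    """Convenience wrapper: page-directory bases of hidden processes only."""
    return [f.cr3 for f in cross_view(build_tpl(events), os_view) if f.kind == "hidden"]


if __name__ == "__main__":
    for finding in cross_view(build_tpl(VMM_EVENTS), OS_VIEW):
        print(f"{finding.kind:6s} cr3=0x{finding.cr3:x} name={finding.name}")
```

Running the block reports the address space at 0x4000 as hidden, because the VMM saw the guest schedule it and it was never torn down, yet the OS-reported list omits it; the space at 0x3000 is not reported because its teardown was observed. The detection relies only on what the VMM can see at the hardware level, which is the property the abstract attributes to the implicit approach.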
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Wen, Y., Zhao, J., Wang, H., Cao, J. (2008). Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor. In: Mu, Y., Susilo, W., Seberry, J. (eds) Information Security and Privacy. ACISP 2008. Lecture Notes in Computer Science, vol 5107. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70500-0_27
DOI: https://doi.org/10.1007/978-3-540-70500-0_27
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-69971-2
Online ISBN: 978-3-540-70500-0