Multiplex Indelible Rootkit Checker and Identifier
Abstract
Kernel rootkits are a special form of malware that is deployed directly into the
running kernel. Once deployed, a rootkit behaves like legitimate operating-system
functionality, which makes it very hard to detect: after the system is compromised
there is almost no way to tell whether a piece of kernel code is malware or a newly
added feature of that particular operating system. Linux is a monolithic kernel that
adds new features through loadable kernel modules (LKMs); because of this modular
structure, the kernel can load a module on demand through its module-loading helper,
kmod. This research is based on the detection of the LASSI rootkit, which, like other
rootkits, conceals the presence of malware on a system. LASSI works on the latest
Linux kernel at the time of writing (Linux 3.8) and draws attention to a security
issue that needs attention. The problem is not limited to personal computers and
servers: a Linux rootkit can be cross-compiled for any platform running the Linux
kernel, so it is effectively compiled once and usable everywhere it fits. It is
therefore time to study the adverse effects of such rootkits and to develop robust
security solutions that can protect the common user.
LASSI affects every version of Linux released to date. It can infect any system
built on the Linux kernel, including Android devices, embedded systems and all
Linux distributions. Its most striking feature is that it goes undetected by all
modern security arrangements, a grave problem for which a solution is urgently
needed.
This research has developed a detection approach named MIRCHI for all kernel-level
rootkits, including LASSI, and implements it as a detection engine. MIRCHI detects
kernel rootkits on any infected system running the Linux kernel, irrespective of
the user-application interface: Android devices, embedded systems and all Linux
distributions. Its most striking feature is that it works in real time, which other
approaches do not. MIRCHI successfully detects all such rootkits, including LASSI,
which is undetectable by all other currently available tools and techniques.
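The concealment described above, an LKM hiding itself from the kernel's module list, is what a checker has to uncover. As an added example that is not part of this thesis and is not MIRCHI's detection engine, the C program below shows one generic cross-view check a practitioner can run: it compares the module names in /proc/modules (the list a rootkit commonly unlinks itself from) with the entries under /sys/module and reports any name present in sysfs but missing from /proc/modules. The two listings are constructed sample data embedded inline, with `hidden_demo` as a hypothetical hidden module, so the program runs offline; the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_MODULES 64
#define NAME_LEN 64

/* Constructed sample of /proc/modules: one line per loaded module,
 * module name first. A rootkit that unlinks itself from the kernel's
 * module list disappears from this view. */
static const char *sample_proc_modules =
    "ext4 716800 1 - Live 0xffffffffc0a00000\n"
    "nf_tables 245760 0 - Live 0xffffffffc09c0000\n"
    "e1000e 282624 0 - Live 0xffffffffc0980000\n";

/* Constructed sample of the entries under /sys/module that carry an
 * initstate file (i.e. genuinely loaded modules, not built-in code).
 * "hidden_demo" is a hypothetical module that is absent from the
 * /proc/modules view above. */
static const char *sample_sys_module =
    "e1000e\n"
    "ext4\n"
    "nf_tables\n"
    "hidden_demo\n";

/* Split a newline-separated listing into module names: the first
 * whitespace-delimited token of each line. Returns the number parsed. */
static int parse_names(const char *text, char names[][NAME_LEN], int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *eol = strchr(p, '\n');
        size_t toklen = strcspn(p, " \t\n");
        if (toklen >= NAME_LEN)
            toklen = NAME_LEN - 1;
        if (toklen > 0) {
            memcpy(names[n], p, toklen);
            names[n][toklen] = '\0';
            n++;
        }
        if (!eol)
            break;
        p = eol + 1;
    }
    return n;
}

/* Cross-view check: every name in the sysfs view must also appear in
 * /proc/modules. Names present only in sysfs are reported as hidden.
 * Returns the number of hidden modules and writes their names to `hidden`. */
static int find_hidden_modules(const char *proc_text, const char *sys_text,
                               char hidden[][NAME_LEN], int max_hidden)
{
    char proc_names[MAX_MODULES][NAME_LEN];
    char sys_names[MAX_MODULES][NAME_LEN];
    int np = parse_names(proc_text, proc_names, MAX_MODULES);
    int ns = parse_names(sys_text, sys_names, MAX_MODULES);
    int nh = 0;

    for (int i = 0; i < ns && nh < max_hidden; i++) {
        int found = 0;
        for (int j = 0; j < np; j++) {
            if (strcmp(sys_names[i], proc_names[j]) == 0) {
                found = 1;
                break;
            }
        }
        if (!found)
            strcpy(hidden[nh++], sys_names[i]);
    }
    return nh;
}

static char g_hidden[MAX_MODULES][NAME_LEN];

/* Run the cross-view check over the constructed samples. */
int hidden_count_in_sample(void)
{
    return find_hidden_modules(sample_proc_modules, sample_sys_module,
                               g_hidden, MAX_MODULES);
}

/* Name of the first hidden module found in the samples ("" if none). */
const char *first_hidden_in_sample(void)
{
    return hidden_count_in_sample() > 0 ? g_hidden[0] : "";
}

int main(void)
{
    int nh = hidden_count_in_sample();
    if (nh == 0) {
        puts("no hidden modules in sample");
        return 0;
    }
    for (int i = 0; i < nh; i++)
        printf("hidden module (in /sys/module, absent from /proc/modules): %s\n",
               g_hidden[i]);
    return 1;
}
```

On a live system the same logic would read /proc/modules and list the directories under /sys/module, keeping only those that contain an initstate file, since built-in code also appears under /sys/module and would otherwise produce false positives. A rootkit that additionally removes its kobject from sysfs defeats this particular pair of views, which is why a real checker combines several independent views of the same kernel state rather than trusting any one of them.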
Description
ME, CSED
