Taxonomy of Rootkits
Abstract
Breaking into a computer system involves hard work. Therefore, once a hacker succeeds, he wants to maintain access to the system so that any future penetration will be a hassle-free job and the effort saved can be better utilized to launch further attacks. A rootkit serves this purpose by allowing a permanent or consistent, undetectable presence on a computer. Such stealth is made possible by locating and modifying the software in the target system so that it makes incorrect decisions. Various techniques employed by rootkits have been revealed through the forensic analysis of such software. The aim of my research is to classify rootkits based on the techniques they use to achieve their purpose of stealth, along with the specific functions and data structures they target in each technique. By making such classifications and observing the manipulations done by rootkits in various important kernel- or user-space structures and functions, one can gain insight into the working of rootkits and develop key survival techniques to detect these rootkits and recover a clean system. We have attempted to discover the functions and structures for each category with the aid of reverse engineering, direct examination of publicly available Windows-based rootkits' source code, and documentation available from various sources.
