Blacksheep: a Tool for Kernel Rootkit Detection, based on Physical Memory Crowdsourced Analysis
thesisposted on 13.12.2012 by Antonio Bianchi
In order to distinguish essays and pre-prints from academic theses, we have a separate category. These are often much longer text based documents than a paper.
Detecting rootkit infestations is a complicated security problem faced by modern organizations. Many possible solutions to this have been proposed in the last decade, but various drawbacks prevent these approaches from being ideal solutions. In this thesis, we present blacksheep a detection tool for utilizing a crowd of similar machines to detect rootkit infestations. In particular we focus on kernel rootkits infecting the Windows operating system. We propose a novel technique to detect kernel rootkits based on the analysis of physical memory dumps acquired from a set of machines. These memory dumps are compared with each others and the results of these comparisons are used to classify them in infected and non-infected. Three different comparisons are performed: code comparison, kernel entry point comparison and data comparison. Their results are used by two different analyses: a trained classification and an untrained classification. The trained classifier relies on a set of memory dumps manually flagged as having been acquired from machines in a non-infected state. The goal of this analysis is to classify a set of memory dumps as having come from infected or non-infected machines. The untrained classifier generates a hierarchy of clusters of memory dumps based on their similarity. The aim of this analysis is to separate the analyzed memory dumps into subsets based on the state of the machines which they have been taken from. As part of our investigation into Windows kernel rootkits, much research was needed to be done in two main areas: the internals of the Windows kernel itself and the methods to acquire and analyze dumps of the physical memory and copies of the swap area. Part of our contribution is the summary of these researches. We have tested blacksheep on two sets of memory dumps acquired from differently configured machines infected with eight different rootkits. Some of the analyses performed by blacksheep achieve a 100% detection rate, with no false positives in both sets. Others are able to give interesting information about the behaviors of the analyzed rootkits.