Eileen Brown's WebLog : Detecting Stealth Software

Tags

About me

Beta Products

BlogCasts

Blogs

Chats

Collaboration

Desktop Productivity Applications

Discussions

Events

Exchange

General musings

How to Articles

Information

Instant Messaging

Interviews

Knowledge Management

Live Communications Server

Messaging & Collaboration

Messaging & Collaboration

Messaging &amp

Mobile Devices

MSN Messenger

News

Newsgroups

Newsletters

Publications

Security

Systems Management Software

Training

User Groups

Web 2.0

Webcasts

Websites

White Papers

Whitepapers

Workshops

Recent Posts

TV directly to your phone

Blogging safely

Mobility Webcasts for May

Office Webcasts for May

Unified Communications Webcasts for May

Archives

April 2007 (20)

March 2007 (29)

February 2007 (25)

January 2007 (35)

December 2006 (27)

November 2006 (31)

October 2006 (27)

September 2006 (25)

August 2006 (30)

July 2006 (27)

June 2006 (26)

May 2006 (34)

April 2006 (24)

March 2006 (27)

February 2006 (25)

January 2006 (25)

December 2005 (28)

November 2005 (33)

October 2005 (36)

September 2005 (34)

August 2005 (40)

July 2005 (36)

June 2005 (41)

May 2005 (41)

April 2005 (44)

March 2005 (44)

February 2005 (47)

January 2005 (41)

December 2004 (61)

November 2004 (41)

October 2004 (3)

Detecting Stealth Software

My blog content mole pointed me to this report which has just been released .

Detecting Stealth Software with Strider GhostBuster
Yi-Min Wang; Doug Beck; Binh Vo; Roussi Roussev; Chad Verbowski
February 2005

Stealth malware programs that silently infect enterprise and consumer machines are becoming a major threat to the future of the Internet. Resource hiding is a powerful stealth technique commonly used by malware to evade detection by computer users and anti-malware scanners. In this paper, we focus on a subclass of malware, termed “ghostware”, which hide files, configuration settings, processes, and loaded modules from the operating system’s query and enumeration Application Programming Interfaces (APIs). Instead of targeting individual stealth implementations, we describe a systematic framework for detecting multiple types of hidden resources by leveraging the hiding behavior as a detection mechanism. Specifically, we adopt a cross-view diff-based approach to ghostware detection by comparing a high-level infected scan with a low-level clean scan and alternatively comparing an inside-the-box infected scan with an outside-the-box clean scan. We describe the design and implementation of the Strider GhostBuster tool and demonstrate its efficiency and effectiveness in detecting resources hidden by real-world malware such as rootkits, Trojans, and key-loggers.

There are some evocative ghostware names arent there? Urbin, Mersting, Vanquish, Hacker (original eh?) Aphex, Defender and ProbotSE, Darkside and Synapsis (for UNIX and Linux) but it's nice that AskStrider can sort out these guys hiding inside your machine. Mind you, I've always known that there were scary things hiding in here, moving my files when I wanted them and making the PC misbehave. I always thought that they were just gremlins - but GhostBuster (who ya gonna call?) gets rid of those too.

Have a read of the document - it's interesting although a little bit intimidating, and it makes you realize how scarily clever these guys at Microsoft research are...

Published Thursday, May 05, 2005 12:39 PM by Eileen_Brown
Filed under: Discussions, Information, Websites, Whitepapers

Comments

No Comments

New Comments to this post are disabled

Eileen Brown's WebLog

This Blog

Syndication

Search

News

Blogroll

How to....

Microsoft Evangelists

UK User Groups

Tags

Recent Posts

Archives

Detecting Stealth Software

Comments