Fast User-Mode Rootkit Scanner for the Enterprise

User-mode resource hiding through API interception and filtering is a well-known technique used by malware programs to achieve stealth. Although it is not as powerful as kernel-mode techniques, it is more portable and reliable and, as a result, widely used. In this paper, we describe the design and implementation of a fast scanner that uses a cross-view diff approach to detect all user-mode hiding Trojans and rootkits. We also present detection results from a large-scale enterprise deployment to demonstrate the effectiveness of the tool.
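The cross-view diff the abstract describes, as an added example (not the authors' scanner): a high-level view that an API-hooking rootkit can filter is compared with a low-level view it cannot, over constructed snapshots. Bracketing the low-level snapshot with two high-level snapshots, so that resources created or deleted between snapshots are not reported, is an assumption added here, not a detail the page states.

```python
# Added example, not the paper's code. Each resource type carries three
# constructed snapshots: high-level view before, low-level view, high-level
# view after. An entry only the low-level view reports is a hiding candidate.
SAMPLE_VIEWS = {  # constructed sample data
    "files": (
        ["C:\\Windows\\notepad.exe", "C:\\Temp\\log.txt"],  # high-level, before
        ["c:\\windows\\notepad.exe", "c:\\temp\\log.txt", "c:\\windows\\hide.dll"],  # low-level
        ["C:\\Windows\\notepad.exe"],  # high-level, after: log.txt deleted meanwhile
    ),
    "processes": (
        [(4, "System"), (1234, "explorer.exe")],
        [(4, "System"), (1234, "explorer.exe"), (2222, "svchost.exe")],  # 2222 started mid-scan
        [(4, "System"), (1234, "explorer.exe"), (2222, "svchost.exe")],
    ),
    "registry": (
        ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"],
        ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
         "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],  # hypothetical hidden value
        ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"],
    ),
}


def normalize(entry):
    """Canonical form for comparison: Windows names are case-insensitive."""
    if isinstance(entry, tuple):  # (pid, image name)
        pid, name = entry
        return (pid, name.lower())
    return entry.lower()


def cross_view_diff(high_before, low, high_after):
    """Entries in the low-level view that neither high-level snapshot reports.

    An entry seen by either high-level snapshot is treated as visible: it was
    merely created or deleted between snapshots, not filtered by a hook.
    """
    visible = {normalize(e) for e in high_before} | {normalize(e) for e in high_after}
    return sorted(e for e in {normalize(x) for x in low} if e not in visible)


def scan(views):
    """Run the diff per resource type; return {type: [hidden entries]} for hits only."""
    findings = {}
    for kind, (before, low, after) in views.items():
        hidden = cross_view_diff(before, low, after)
        if hidden:
            findings[kind] = hidden
    return findings


if __name__ == "__main__":
    for kind, entries in scan(SAMPLE_VIEWS).items():
        print(f"[{kind}] possibly hidden: {entries}")
```

The process started mid-scan and the file deleted mid-scan are discounted; only the entries no high-level snapshot ever reported are flagged.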

Yi-Min Wang, Microsoft Research, Redmond

Doug Beck, Microsoft Research

BibTeX
@inproceedings {269168,
author = {Yi-Min Wang and Doug Beck},
title = {Fast {User-Mode} Rootkit Scanner for the Enterprise},
booktitle = {19th Large Installation System Administration Conference (LISA 05)},
year = {2005},
address = {San Diego, CA},
url = {https://www.usenix.org/conference/lisa-05/fast-user-mode-rootkit-scanner-enterprise},
publisher = {USENIX Association},
month = dec
}

Links

Paper: http://usenix.org/event/lisa05/tech/full_papers/wang/wang.pdf
Paper (HTML): http://usenix.org/event/lisa05/tech/full_papers/wang/wang_html/index.html
