19th Large Installation System Administration ConferenceAbstract
Pp. 2330 of the Proceedings
Fast User-Mode Rootkit Scanner for the Enterprise
Yi-Min Wang and Doug Beck, Microsoft Research, Redmond
User-mode resource hiding through API interception and filtering is a well-known technique used by malware programs to achieve stealth. Although it is not as powerful as kernel-mode techniques, it is more portable and reliable and, as a result, widely used. In this paper, we describe the design and implementation of a fast scanner that uses a cross-view diff approach to detect all user-mode hiding Trojans and rootkits. We also present detection results from a large-scale enterprise deployment to demonstrate the effectiveness of the tool.
- View the full text of this paper in HTML and PDF.
Until December 2006, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.