A survey on rootkit detection and prevention techniques.

Abstract

Rootkits are a special class of software whose goal is to gain and maintain a high level of privilege inside of a computer system. A rootkit uses its elevated position to hide itself from the prying eyes of most malware detection technologies. Rootkits are able to hide so effectively because they can subvert normal operating system functions. If a user on a system infected with a rootkit attempts to view a list of running processes, then the rootkit would take control and list all running processes except the rootkit. Since this occurs on a low level, traditional malware detection suites cannot detect the subversion.

Rootkits are very useful to attackers, because they can be bundled with whatever malcode payload they prefer. Rootkits have been used in adware, spyware, ransomware, and many other forms of malicious programs. Because of the great danger that rootkits pose to computer security, new methods must be devised to effectively root them out. This paper explores the mechanisms that have been used to combat the various rootkit technologies.