Kaspersky Lab has obtained a patent for a method of detecting malware that has been masked by rootkits – special programmes capable of altering the outcomes of system functions. Patent no. 8677492 issued by the US Patent and Trademark Office describes the operation of a security solution with a special module that duplicates some functions of the operating system’s kernel, so the security solution has reliable information even if the OS is infected with a rootkit.
Cybercriminals use rootkits to prevent security solutions detecting malicious programmes such as Trojans. To do this a rootkit masquerades as a legal driver, integrates with the OS kernel, intercepts system function calls from applications and modifies the results of their operation, deleting any references to files and processes related to the Trojan. This means the presence of malicious code can be masked – a dangerous programme becomes invisible to the user and to other applications.
The patent obtained by Kaspersky Lab describes an auxiliary module that duplicates the critical functions of the OS kernel, such as handling files, process control, reading registry records etc.
The main application of the module is to detect objects masked by a rootkit. The security solution does so by requesting a list of files or running processes through the main kernel, and simultaneously sends an identical request through the auxiliary module. A comparison of the returned data helps identify objects that are absent from the list returned by the OS kernel.
If the two lists are not identical, this indicates that a rootkit is active in the system, and the security solution can perform actions to neutralise suspicious objects.
The algorithm for using the auxiliary kernel can be configured as required. For example, on a home computer a scan can be launched when other security subsystems flag an object’s suspicious behaviour – this will save resources. In a corporate environment requiring a higher level of security, the control can be used on a continuous basis.
“Masking malware programmes with the help of rootkits makes it much more difficult for anti-malware solutions to detect threats. This newly patented technology provides a reliable method to identify objects that are disguised in the system, helping counteract the most dangerous attacks,” commented Vyacheslav Rusakov, Malware Expert at Kaspersky Lab and author of the patent.
This method of detecting malicious code that conceals its presence in the system has been implemented in Kaspersky Lab’s home and corporate products, including Kaspersky Internet Security, Kaspersky PURE and Kaspersky Endpoint Security for Business.
Kaspersky Lab holds an extensive patent portfolio. As of mid-March 2014, Kaspersky Lab holds 197 patents issued in the USA, Russia, the European Union and China. A further 248 patent applications are being reviewed by the appropriate authorities.