Selecting rootkits to test the quality of antivirus/anti-rootkit software detection and removal II

There are two types of rootkit: user mode and kernel mode. Kernel mode rootkits are the most difficult to detect and, because they are not restricted in any way, are of more interest for testing purposes; user mode rootkits are confined to the privileges of an ordinary process, which significantly limits what they can do. Today's antivirus and anti-rootkit programs should have little problem detecting and deleting the files, processes, etc. concealed by a rootkit operating in user mode.

Kernel mode rootkits use the following methods of concealment:

  • Hooking system functions by substituting the function address in the table of system services (the SSDT). These hooks are the most widely used in malicious programs with rootkit masking and are, therefore, easy to detect and neutralize.
  • Modifying the kernel code itself in memory, so-called splicing. These hooks are difficult to detect and neutralize, and the number of malicious programs using them is growing steadily.
  • Hooking the Int 2Eh and sysenter system call entry points.
  • Using a filter driver. Rootkits of this type install their own driver, which attaches to the file system driver as a filter driver and allows IRP requests to be intercepted.
  • DKOM (Direct Kernel Object Manipulation), i.e. modifying various kernel data structures directly.
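As an added illustration of how the first two methods above can be checked for (not part of the original test methodology, and operating on constructed memory snapshots rather than a live kernel), the following Python flags SSDT entries that point outside the kernel image and compares a service function's in-memory prologue with its on-disk copy to expose an inline splice; all addresses and byte strings are constructed examples.

```python
"""Detection heuristics for SSDT substitution and inline splicing.
All addresses and byte patterns below are constructed sample data."""
import struct

# Constructed: assumed load range of the kernel image (ntoskrnl).
KERNEL_BASE = 0x80400000
KERNEL_SIZE = 0x00200000


def find_ssdt_hooks(ssdt, kernel_base=KERNEL_BASE, kernel_size=KERNEL_SIZE):
    """Return indices of SSDT entries whose address lies outside the kernel image.
    Such entries have been redirected into another module (usually a driver).
    Caveat: legitimate security products also hook the SSDT this way, so a hit
    is a lead to investigate, not proof of a rootkit."""
    lo, hi = kernel_base, kernel_base + kernel_size
    return [i for i, addr in enumerate(ssdt) if not (lo <= addr < hi)]


def find_splice(func_addr, in_memory, on_disk):
    """Compare a function prologue as seen in memory with the on-disk copy.
    Return None if identical, otherwise (offset_of_first_difference, jump_target),
    where jump_target is decoded when the patch is a 5-byte E9 rel32 JMP
    (the classic splice) and is None for any other kind of modification."""
    for off, (mem_byte, disk_byte) in enumerate(zip(in_memory, on_disk)):
        if mem_byte != disk_byte:
            target = None
            if off + 5 <= len(in_memory) and in_memory[off] == 0xE9:
                rel = struct.unpack_from("<i", in_memory, off + 1)[0]
                # JMP rel32 is relative to the end of the 5-byte instruction.
                target = (func_addr + off + 5 + rel) & 0xFFFFFFFF
            return off, target
    return None


# Constructed sample SSDT: entry 2 points into a driver range, not the kernel.
SAMPLE_SSDT = [0x805B1234, 0x805C2222, 0xF8A12340, 0x80501000]

# Constructed sample service function: standard prologue on disk
# (mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10) and a spliced copy in
# memory whose first five bytes were replaced by a JMP into a driver.
FUNC_ADDR = 0x804E1234
ON_DISK = bytes.fromhex("8bff558bec83ec10")
SPLICE_TARGET = 0xF8A12000
IN_MEMORY = struct.pack("<BI", 0xE9, (SPLICE_TARGET - (FUNC_ADDR + 5)) & 0xFFFFFFFF) + ON_DISK[5:]

if __name__ == "__main__":
    print("SSDT entries outside kernel image:", find_ssdt_hooks(SAMPLE_SSDT))
    print("Splice in sample function:", find_splice(FUNC_ADDR, IN_MEMORY, ON_DISK))
```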

Rootkit samples were selected for testing on the basis of the concealment methods listed above. The main principle behind the selection process was making sure all the possible methods of masking on a system were included.

This resulted in 6 malicious programs containing rootkit components and 4 proof-of-concept rootkits being selected by the group of experts at Anti-Malware.ru for use in the testing of antivirus and anti-rootkit programs.

The following additional criteria were also taken into consideration when the selection of malware was made:

  1. The samples had to avoid detection using one or more of the methods outlined above.
  2. Each sample had to make use of a different method of concealment.
  3. Overall, the samples had to reflect existing concealment technologies as closely as possible.
  4. The malware was gathered while it was circulating on the Internet (in-the-wild samples).
  5. The rootkits used must not have deliberate counter-attack functionality against antivirus/anti-rootkit programs, such as deletion of files, shutting down of processes, etc.

Taking all these factors into account, the following malicious programs were selected for the test:

  1. Trojan-Spy.Win32.Goldun.hn
  2. Trojan-Proxy.Win32.Wopla.ag
  3. SpamTool.Win32.Mailbot.bd
  4. Monitor.Win32.EliteKeylogger.21
  5. Rootkit.Win32.Agent.ea
  6. Rootkit.Win32.Podnuha.a

As well as the following proof-of-concept rootkits:

  1. Unreal A (v1.0.1.0)
  2. RkDemo v1.2
  3. FuTo
  4. HideToolz

As can be seen, the main emphasis was on malicious programs when compiling the collection. It was decided to add several proof-of-concept rootkits to complete the overall picture of masking methods and to check for proactive detection (the detection of rootkits based on an analysis of system events/anomalies, i.e., without signatures).

Each of the selected malicious programs was checked for correct installation and operability on the test system.

The most popular antivirus programs with rootkit detection functionality were selected to participate in the test. Only specialized anti-rootkit programs capable of automatically detecting hidden files were included in the test.

The list of malware selected for the test remained secret until the results were announced and was not communicated to any of the vendors whose antivirus and anti-rootkit products took part.