There are two types of rootkit: user mode and kernel mode. Kernel-mode rootkits run with kernel privileges and are therefore effectively unrestricted in what they can hook or modify; this makes them the most difficult to detect and the most interesting for testing purposes. User-mode rootkits run with the privileges of an ordinary process, which significantly limits the concealment techniques available to them. Today's antivirus and anti-rootkit programs should have little trouble detecting and removing the files, processes and other objects concealed by a rootkit operating in user mode.
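The basic technique anti-rootkit tools use to find concealed files and processes is a cross-view comparison: enumerate the same kind of object through a path the rootkit is likely to hook (the high-level API) and through a path that bypasses those hooks (kernel structures, a raw volume read), then report anything present only in the low-level view. The following is an added Python example written for this page; it is not code from the Anti-Malware.ru test or from any product that took part. The process list, the hidden process names and the "transient" process are all constructed stand-ins, and `SimulatedHost` replaces the real API and raw-scan enumeration code.

```python
"""Cross-view detection of hidden objects (added example with constructed data).

A rootkit that hooks the high-level enumeration API filters its own objects out
of the list the API returns. A low-level scan that does not go through the
hooked path still sees them, so the set difference (low-level minus high-level)
is the list of hidden objects.
"""
from typing import Callable, Iterable, List, Set

# Constructed sample: what a raw scan of kernel process structures would return.
RAW_PROCESSES = {
    4: "System",
    612: "csrss.exe",
    1300: "explorer.exe",
    1744: "hxdef100.exe",      # hypothetical rootkit process
    2048: "rk_service.exe",    # hypothetical rootkit service
}
# Names the hypothetical rootkit's hooked API filters out of its results.
ROOTKIT_HIDES = {"hxdef100.exe", "rk_service.exe"}


class SimulatedHost:
    """Stand-in for a machine: one hooked (API) view and one raw view of processes."""

    def __init__(self, raw, hides, transient=None):
        self.raw = dict(raw)
        self.hides = set(hides)
        # (pid, name) of a process that is alive during the first raw scan only,
        # modelling a process that exits between two enumeration passes.
        self.transient = transient
        self._raw_calls = 0

    def api_view(self) -> List[str]:
        """High-level view: the rootkit's hook removes its own entries."""
        return [f"{pid}:{name}" for pid, name in self.raw.items()
                if name not in self.hides]

    def raw_view(self) -> List[str]:
        """Low-level view: sees everything, including the short-lived process once."""
        self._raw_calls += 1
        procs = dict(self.raw)
        if self.transient and self._raw_calls == 1:
            pid, name = self.transient
            procs[pid] = name
        return [f"{pid}:{name}" for pid, name in procs.items()]


def cross_view_diff(high_level: Iterable[str], low_level: Iterable[str]) -> List[str]:
    """Objects visible to the low-level scan but missing from the high-level API."""
    return sorted(set(low_level) - set(high_level))


def detect_hidden(high_level_view: Callable[[], Iterable[str]],
                  low_level_view: Callable[[], Iterable[str]],
                  rounds: int = 2) -> List[str]:
    """Run the comparison `rounds` times and report only objects hidden every time.

    The two enumerations are not atomic: a process that exits between the raw
    scan and the API call shows up as a one-off difference. Intersecting the
    results of several rounds removes those transient false positives while a
    genuinely hooked object stays hidden in every round.
    """
    hidden: Set[str] = set()
    for i in range(rounds):
        diff = set(low_level_view()) - set(high_level_view())
        hidden = diff if i == 0 else hidden & diff
    return sorted(hidden)


if __name__ == "__main__":
    host = SimulatedHost(RAW_PROCESSES, ROOTKIT_HIDES,
                         transient=(3100, "tmp_installer.exe"))
    for entry in detect_hidden(host.api_view, host.raw_view):
        print("hidden process:", entry)
```

The caveat that ties this back to the user-mode/kernel-mode distinction: the comparison is only as good as the low-level view. A kernel-mode rootkit can hook or patch the structures that the low-level scan reads as well, in which case both views agree and the diff is empty, which is exactly why kernel-mode samples are the hard case in a test like this.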
Kernel mode rootkits use the following methods of concealment:
Rootkit samples were selected for testing on the basis of the concealment methods listed above. The main principle behind the selection process was making sure all the possible methods of masking on a system were included.
This resulted in 6 malicious programs that use rootkit techniques to conceal themselves and 4 proof-of-concept rootkits being selected by the group of experts at Anti-Malware.ru for use in the testing of antivirus and anti-rootkit programs.
The following additional criteria were also taken into consideration when the selection of malware was made:
Taking all these factors into account, the following malicious programs were selected for the test:
As well as the following proof-of-concept rootkits:
As can be seen, the main emphasis was on malicious programs when compiling the collection. It was decided to add several proof-of-concept rootkits to complete the overall picture of masking methods and to check for proactive detection (the detection of rootkits based on an analysis of system events/anomalies, i.e., without signatures).
Each of the selected malicious programs was checked for correct installation and operability on the test system.
The most popular antivirus programs with rootkit detection functionality were selected to participate in the test. Of the specialized anti-rootkit programs, only those capable of automatically detecting hidden files were included.
The list of malware selected for the test remained secret until the results were announced and was not communicated to any of the vendors whose antivirus and anti-rootkit products took part.