Spotting Rootkits by Looking for ‘Black Sheep’

Computers are the opposite of people, at least in one key respect: if you have several systems that should be the same and one or more of them starts to differ, it’s time to investigate.

Tripwire is one of the earliest threat-spotting-by-change-spotting programs: it generates signatures of all the programs on your computer at the time of a clean install, and you periodically re-run it to see whether anything that shouldn’t have changed has.

(There’s a physical-security equivalent to this too — see all the talk about photographing or making holograms of seals.)

These researchers have taken that idea a bit further. Instead of using a step back in time as a reference point, they use something more akin to a moving average across a variety of systems. On the theory that malware won’t appear on all the machines at once,* they’ve built a system that keeps watch on kernel memory images that ought to be similar and alerts if one of them diverges.

* ignoring the worms throughout history

There’s no reason to limit this to people running massive networks, though — it would be neat for someone to adapt this to e.g. Linux LiveCDs. Since a LiveCD’s configuration is known in advance, such a system would let anyone at all set up a small group of computers with a solid intrusion-detection capability.

“ “The usefulness comes from the fact that it is not based on signatures and it’s not based on the behavior of a piece of software,” he says. “It’s just based on the fact that, hey, all these machines should have a very similar configuration in the kernel, so if somebody is an outlier–it might not be a compromise, maybe it is a malfunction of some sort–but it’s something that should be looked at.”

Blacksheep compares memory dumps from each monitored system, first creating lists of kernel memory modules that are then sorted and compared, calculating the distance of each list of modules from the others. The system then compares each byte of a module’s code with the other systems to find differences that could indicate changes inserted by a rootkit. Blacksheep also conducts memory crawling to catch changes to kernel data and checks five different kernel entry points for signs of changes.”
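As an added example (not code from this post or from the Blacksheep project), the Python script below models the comparison the excerpt describes over a constructed set of four kernel snapshots: it sorts each host’s module list, computes a pairwise distance between the lists, byte-compares each module’s code against the majority image, and checks a small set of kernel entry points for a host that disagrees with the rest. The host names, module names, byte strings and addresses are constructed placeholders; the distance metric (Jaccard distance over module names), the majority-vote reference image and the distance threshold are assumptions about how such a comparison could be done, not a description of Blacksheep’s actual implementation.

```python
"""Outlier detection across kernel snapshots that should be identical.

Constructed example: four hosts running the same kernel build. Three are
clean; the fourth carries an extra module, a patched byte in one module,
and a redirected entry point. None of the data below is real kernel code.
"""
from collections import Counter
from itertools import combinations, zip_longest

# Constructed stand-ins for module code (a few bytes each, not real code).
CLEAN_CODE = {
    "core": bytes.fromhex("4883ec28e8000000004883c428c3"),
    "net":  bytes.fromhex("55488bec4883ec20"),
    "fs":   bytes.fromhex("4053488d6c24e0"),
}
CLEAN_ENTRY_POINTS = {"syscall_table": 0x1000, "int_handler": 0x2000}

def clean_snapshot():
    return {"modules": dict(CLEAN_CODE), "entry_points": dict(CLEAN_ENTRY_POINTS)}

SNAPSHOTS = {
    "host-a": clean_snapshot(),
    "host-b": clean_snapshot(),
    "host-c": clean_snapshot(),
    "host-d": {
        "modules": {
            "core": CLEAN_CODE["core"],
            "net": bytes.fromhex("5548e9ec4883ec20"),   # byte at offset 2 changed
            "fs": CLEAN_CODE["fs"],
            "rootkit_drv": bytes.fromhex("cc"),           # module the others lack
        },
        "entry_points": {"syscall_table": 0x3000, "int_handler": 0x2000},
    },
}

def module_set_distance(mods_a, mods_b):
    """Jaccard distance between two hosts' module lists (0.0 = identical)."""
    a, b = set(mods_a), set(mods_b)
    return 1.0 - len(a & b) / len(a | b)

def mean_distances(snapshots):
    """Average distance of each host's module list from every other host's."""
    hosts = sorted(snapshots)
    totals = {h: 0.0 for h in hosts}
    for x, y in combinations(hosts, 2):
        d = module_set_distance(snapshots[x]["modules"], snapshots[y]["modules"])
        totals[x] += d
        totals[y] += d
    return {h: totals[h] / (len(hosts) - 1) for h in hosts}

def majority(values):
    """Most common value across hosts; ties broken deterministically by repr."""
    counts = Counter(values)
    best = max(counts.values())
    return sorted((v for v, c in counts.items() if c == best), key=repr)[0]

def code_differences(snapshots):
    """Byte-compare each module against the majority image across hosts.

    Returns {host: {module: [(offset, majority_byte, host_byte), ...]}}.
    Positions beyond the shorter image appear with None on the missing side.
    """
    all_modules = set().union(*(s["modules"] for s in snapshots.values()))
    findings = {}
    for mod in sorted(all_modules):
        images = {h: s["modules"][mod] for h, s in snapshots.items() if mod in s["modules"]}
        if len(images) < 2:
            continue  # nothing to compare against; presence itself is caught by the distance
        ref = majority(images.values())
        for host, img in images.items():
            diffs = [(i, r, o) for i, (r, o) in enumerate(zip_longest(ref, img)) if r != o]
            if diffs:
                findings.setdefault(host, {})[mod] = diffs
    return findings

def entry_point_anomalies(snapshots):
    """Flag hosts whose kernel entry points disagree with the majority value."""
    names = set().union(*(s["entry_points"] for s in snapshots.values()))
    anomalies = {}
    for name in sorted(names):
        vals = {h: s["entry_points"].get(name) for h, s in snapshots.items()}
        ref = majority(vals.values())
        for host, v in vals.items():
            if v != ref:
                anomalies.setdefault(host, {})[name] = (ref, v)
    return anomalies

def analyse(snapshots, distance_threshold=0.2):
    """Run all three checks; the threshold is an assumed tuning value."""
    dist = mean_distances(snapshots)
    return {
        "module_outliers": sorted(h for h, d in dist.items() if d > distance_threshold),
        "code_findings": code_differences(snapshots),
        "entry_point_findings": entry_point_anomalies(snapshots),
    }

if __name__ == "__main__":
    for key, value in analyse(SNAPSHOTS).items():
        print(f"{key}: {value}")
```

Using the majority image as the reference, rather than any single host, is what keeps one compromised machine from poisoning the comparison; as the quoted researcher notes, an outlier is a prompt to investigate, not proof of compromise, so each finding carries the offset or address so the analyst can look at exactly what differs.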
