Kaspersky Lab has obtained a patent for a method of detecting malware that has been masked by rootkits – special programs capable of altering the outcomes of system functions. Patent no. 8677492, issued by the US Patent and Trademark Office, describes the operation of a security solution with a special module that duplicates some functions of the operating system’s kernel, so the security solution has reliable information even if the OS is infected with a rootkit.
Cybercriminals use rootkits to prevent security solutions from detecting malicious programs such as Trojans. To do this, a rootkit masquerades as a legitimate driver, integrates with the OS kernel, intercepts system function calls from applications and modifies the results of their operation, removing any references to files and processes related to the Trojan. The presence of the malicious code is thereby masked, and the dangerous program becomes invisible to the user and to other applications.
The patent obtained by Kaspersky Lab describes an auxiliary module that duplicates the critical functions of the OS kernel, such as handling files, process control, reading registry records etc.
The main application of the module is to detect objects masked by a rootkit. The security solution requests a list of files or running processes through the main kernel and, at the same time, sends an identical request through the auxiliary module. Comparing the two results identifies objects that the auxiliary module reports but that are absent from the list returned by the OS kernel.
If the two lists are not identical, and the difference cannot be explained by ordinary activity such as a process starting or ending between the two requests, this indicates that a rootkit is active in the system, and the security solution can take action to neutralise the suspicious objects.
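As an added illustration (not code from the patent or from Kaspersky Lab's products), the following Python script applies the same cross-view idea on Linux. Where the patented method uses a duplicated kernel module as its second, trusted source, this example uses an independent enumeration that a typical rootkit hook does not cover: probing every PID with signal 0 instead of listing /proc. The /proc path, the pid_max limit and the Tgid check are Linux-specific assumptions, and the re-check step exists to filter out processes that merely started or ended between the two snapshots.

```python
"""Cross-view detection of hidden processes on Linux (added example; assumes /proc)."""
import os


def pids_from_proc():
    """View 1: the process list as the kernel's ordinary enumeration path reports it
    (a directory listing of /proc). This is the path a rootkit usually hooks."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def pid_exists(pid):
    """Probe one PID with signal 0: ESRCH means no such process,
    EPERM means it exists but belongs to another user."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def pids_by_probe(pid_max=None):
    """View 2: an independent enumeration that bypasses the directory-listing
    path, obtained by probing every PID from 1 up to pid_max."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    return {pid for pid in range(1, pid_max + 1) if pid_exists(pid)}


def cross_view_diff(kernel_view, independent_view):
    """Objects present in the independent view but absent from the list the
    kernel API returned. Pure set logic, so it applies equally to file names
    or registry keys gathered from two sources."""
    return set(independent_view) - set(kernel_view)


def thread_group_of(pid):
    """Return the Tgid from /proc/<pid>/status, or None if it cannot be read."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def detect_hidden_pids(pid_max=None):
    """Take both views, diff them, then re-check each candidate so that
    ordinary process churn and non-leader threads are not reported."""
    candidates = cross_view_diff(pids_from_proc(), pids_by_probe(pid_max))
    confirmed = set()
    for pid in candidates:
        tgid = thread_group_of(pid)
        if tgid is not None and tgid != pid:
            # kill() accepts thread IDs, but /proc lists only thread-group leaders.
            continue
        # Still alive according to the probe and still missing from the listing?
        if pid_exists(pid) and pid not in pids_from_proc():
            confirmed.add(pid)
    return confirmed


if __name__ == "__main__":
    hidden = detect_hidden_pids()
    print("hidden PIDs:", sorted(hidden) if hidden else "none")
```

Probing the full pid_max range (often 4194304 on current kernels) takes several seconds in Python; pass a smaller pid_max to scan a subset. A PID that answers the probe while its /proc/<pid>/status is unreadable is the strongest signal, since rootkits commonly hook the readdir path but not the per-entry lookup.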
The algorithm for using the auxiliary kernel can be configured as required. For example, on a home computer a scan can be launched when other security subsystems flag an object’s suspicious behaviour – this will save resources. In a corporate environment requiring a higher level of security, the control can be used on a continuous basis.
“Masking malware programs with the help of rootkits makes it much more difficult for anti-malware solutions to detect threats. This newly patented technology provides a reliable method to identify objects that are disguised in the system, helping counteract the most dangerous attacks,” commented Vyacheslav Rusakov, Malware Expert at Kaspersky Lab and author of the patent.
This method of detecting malicious code that conceals its presence in the system has been implemented in Kaspersky Lab’s home and corporate products, including Kaspersky Internet Security, Kaspersky PURE and Kaspersky Endpoint Security for Business.
Kaspersky Lab holds an extensive patent portfolio. As of mid-March 2014, Kaspersky Lab holds 197 patents issued in the USA, Russia, the European Union and China. A further 248 patent applications are being reviewed by the appropriate authorities.
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.co.uk.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2012. The rating was published in the IDC report "Worldwide Endpoint Security 2013–2017 Forecast and 2012 Vendor Shares" (IDC #242618, August 2013). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2012.