Hooks hijacked? New research shows how to block stealthy malware attacks

November 3, 2009

The spread of malicious software, also known as malware or computer viruses, is a growing problem that can lead to crashed computer systems, stolen personal information, and billions of dollars in lost productivity every year. One of the most insidious types of malware is a "rootkit," which can effectively hide the presence of other spyware or viruses from the user - allowing third parties to steal information from your computer without your knowledge. But now researchers from North Carolina State University have devised a new way to block rootkits and prevent them from taking over your computer systems.

To give some idea of the scale of the malware problem, a recent Internet security threat report showed a 1,000 percent increase in the number of new malware signatures extracted from in-the-wild malware programs between 2006 and 2008. Of these malware programs, "rootkits are one of the stealthiest," says Dr. Xuxian Jiang, assistant professor of computer science at NC State and a co-author of the research. "Hackers can use rootkits to install and hide spyware or other programs. When you start your machine, everything seems normal but, unfortunately, you've been compromised."

Rootkits typically work by hijacking a number of "hooks," or control data, in a computer's operating system: function pointers and similar data that decide which code runs when the kernel handles an event such as a system call or a directory listing. "By taking control of these hooks, the rootkit can intercept and manipulate the computer system's data at will," Jiang says, "essentially letting the user see only what it wants the user to see." As a result, the rootkit can make itself invisible to the computer user and to any antivirus software. Furthermore, the rootkit can install additional malware, such as programs designed to steal personal information, and make them invisible as well.

In order to prevent a rootkit from insinuating itself into an operating system, Jiang and the other researchers determined that all of an operating system's hooks need to be protected. "The challenging part is that an operating system may have tens of thousands of hooks, any of which could potentially be exploited for a rootkit's purposes," Jiang says. "Worse, those hooks might be spread throughout a system. Our research leads to a new way that can protect all the hooks in an efficient way, by moving them to a centralized place and thus making them easier to manage and harder to subvert."

Jiang explains that by placing all of the hooks in one place, the researchers were able to simply leverage hardware-based memory protection, which is now commonplace, to prevent hooks from being hijacked. Essentially, they were able to use the hardware's existing page-level memory protection to ensure that a rootkit cannot modify any hooks without approval from the user.
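The three ideas above (a rootkit hijacking a hook, relocating all hooks to one place, and locking that place with hardware memory protection) can be modelled in user space. The following is an added example written for this page, not code from the HookSafe paper or from the NC State researchers. It stands in for the kernel with a small "directory listing" object whose hook a rootkit overwrites to hide its own file, and for hardware page protection with mprotect(2) on a page-aligned hook region. The names dir_ops, hook_page, trusted_update_hook, the constructed directory entries, and the whitelist policy in the update path are all assumptions made for this illustration.

```c
/* Added example (not from the paper or NC State): user-space model of hook
 * hijacking and of "relocate every hook to one read-only page".
 * dir_ops, hook_page, trusted_update_hook and the whitelist are assumptions. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

typedef int (*list_fn)(const char **out, int max);

/* Constructed listing; the rootkit wants "rootkit.ko" to disappear. */
static const char *entries[] = { "bin", "etc", "rootkit.ko", "usr" };
#define NENTRIES 4

static int real_list(const char **out, int max) {
    int n = 0;
    for (int i = 0; i < NENTRIES && n < max; i++) out[n++] = entries[i];
    return n;
}

/* The rootkit's replacement handler: same output minus its own file. */
static int hijacked_list(const char **out, int max) {
    int n = 0;
    for (int i = 0; i < NENTRIES && n < max; i++)
        if (strcmp(entries[i], "rootkit.ko") != 0) out[n++] = entries[i];
    return n;
}

/* Unprotected layout: the hook sits inline in an ordinary writable object. */
struct dir_ops { int flags; list_fn list; };

int count_visible_unprotected(void) {
    struct dir_ops ops = { 0, real_list };
    const char *buf[NENTRIES];
    ops.list = hijacked_list;          /* one store and the file is hidden */
    return ops.list(buf, NENTRIES);    /* 3 entries, rootkit.ko gone */
}

/* Protected layout: hooks relocated to one page that is then locked. */
struct hook_page { list_fn list; /* tens of thousands more would follow */ };
static volatile struct hook_page *hooks;   /* volatile keeps the faulting store */
static void *hook_mem;
static size_t pagesz;

int setup_hook_page(void) {
    pagesz = (size_t)sysconf(_SC_PAGESIZE);
    hook_mem = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (hook_mem == MAP_FAILED) return -1;
    hooks = hook_mem;
    hooks->list = real_list;                      /* populate, then lock */
    return mprotect(hook_mem, pagesz, PROT_READ);
}

int count_visible_protected(void) {
    const char *buf[NENTRIES];
    return hooks->list(buf, NENTRIES);            /* reads still work: 4 */
}

/* A store to the locked page faults. In the real design a hypervisor takes
 * the fault; here a signal handler plays that role and unwinds to the caller. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

int rootkit_write_blocked(void) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);             /* some platforms use SIGBUS */
    int blocked = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        hooks->list = hijacked_list;              /* the hijack attempt */
    else
        blocked = 1;                              /* reached only via the fault */
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return blocked && hooks->list == real_list;   /* 1: hook untouched */
}

/* Legitimate updates take one mediated path that checks the target against
 * registered handlers before briefly unlocking the page (assumed policy). */
static const list_fn registered[] = { real_list };

int trusted_update_hook(list_fn fn) {
    int ok = 0;
    for (size_t i = 0; i < sizeof registered / sizeof registered[0]; i++)
        if (registered[i] == fn) ok = 1;
    if (!ok) return -1;                           /* unknown target: refused */
    mprotect(hook_mem, pagesz, PROT_READ | PROT_WRITE);
    hooks->list = fn;
    return mprotect(hook_mem, pagesz, PROT_READ);
}

int main(void) {
    if (setup_hook_page() != 0) return 1;
    printf("unprotected: %d visible\n", count_visible_unprotected());
    printf("protected: %d visible, write blocked: %d, bad update: %d\n",
           count_visible_protected(), rootkit_write_blocked(),
           trusted_update_hook(hijacked_list));
    return 0;
}
```

The unprotected path shows why a hook is such an attractive target: a single pointer store changes what every caller sees. The protected path shows what centralization buys: once all hooks share one page, locking them is one mprotect call rather than a per-hook check, and any direct write traps before it lands. The update path is where the real design's complexity lives; this example's whitelist is only a placeholder for the validation the hypervisor performs.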

The research, "Countering Kernel Rootkits with Lightweight Hook Protection," will be presented at the 16th ACM Conference on Computer and Communications Security in Chicago, Nov. 12.

Source: North Carolina State University


not rated yet Nov 03, 2009
I'm assuming that the operating system at the root of this article is Windows. Linux and GNU-related systems, along with applications designed for those systems need to become more developed and adopted into the mainstream.
not rated yet Nov 03, 2009
There were rootkits before Windows existed.
There are rootkits for Linux.
Asking user permission 10,000 times is unmarketable, and a pre-approved list becomes a new target.
It gets more complicated, not really more secure.
5 / 5 (1) Nov 03, 2009
Best personal security is a tamperproof OS (read-only) on a removable device, with backup copies.
No sharing computers, no leaving data on a computer; everything goes in your pocket and, shy of mugging, your system is safe.
At some date all memory storage devices may be indistinguishable by the OS. At that time, even Windows becomes a portable OS de facto.
