Researchers Design Rootkit Blocking Tool Based on Hypervisor
Security researchers belonging to North Carolina State University along with Microsoft Research have come up with a latest method for blocking rootkits as well as stopping them from compromising people's computers through the creation of a HookSafe prototype, a system based on hypervisor.
Hypervisor refers to virtualization software based on computer hardware/software, which supports multiple operating systems on infected host PC simultaneously.
Researchers noted that rootkits are malware that are the hardest to spot and eliminate as they frequently escape the notice of anti-malware programs, while if at all they are spotted, they are not so easy to remove fully.
Explaining the modus operandi of rootkits, security researchers said that they typically take control of several "hooks," or capture data in the OS of the target PC. And as the "hooks" are controlled, the rootkit then effectively reads and modifies the data on the system, revealing only those things to the user that the malware finds convenient.
However, the researchers examined the hooks of these operating systems which have to be safeguarded. This is, in fact, difficult since an OS might contain numerous hooks that could be used for the purpose of a rootkit.
However, assembling each of the hooks at a central position, makes the management of these hooks easier. Actually, once the hooks could be moved to one place, a memory protection based on hardware could be utilized for defending them against any sort of hack.
Indeed the security researchers said that their craftily designed HookSafe prototype could protect almost 6,000 distinct kernel hooks while it has already blocked 9 separate rootkits.
Moreover, the researchers after creating the hook based on hypervisor have implemented hook usage as rootkits could corrupt the operating system's kernel, and is, thus, not trustworthy for managing even the hooks.
Conversely, according to some cyber-security experts, the creation of this tool can be regarded as a part of the problem as efforts are being made to protect the kernel but nothing to prevent rootkits from operating is being done.
» SPAMfighter News - 17-11-2009