Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Since the introduction of FU[2], the rootkit world has moved away from implementing system hooks to hide its presence. Because of this change in offense, a new defense had to be developed. The new algorithms used by rootkit detectors, such as BlackLight[1], attempt to find what the rootkit is hiding instead of simply detecting the presence of the rootkit's hooks. This paper will discuss an algorithm that is used by both BlackLight and IceSword[3] to detect hidden processes. This paper will also document current weaknesses in the rootkit detection field and introduce a more complete stealth technique, implemented as a prototype in FUTo.


Peter would like to thank bugcheck, skape, thief, pedram, F-Secure for doing great research, and all the nologin/research'ers who encourage mind growth.

C.H.A.O.S. would like to thank Amy, Santa (this work was three hours on Christmas day), lonerancher, Pedram, valerino, and HBG Unit.