User-space library rootkits revisited: Are user-space detection mechanisms futile?
- URL: http://arxiv.org/abs/2506.07827v1
- Date: Mon, 09 Jun 2025 14:50:48 GMT
- Title: User-space library rootkits revisited: Are user-space detection mechanisms futile?
- Authors: Enrique Soriano-Salvador, Gorka Guardiola Múzquiz, Juan González Gómez,
- Abstract summary: This work is to answer the question: Is detecting user-space rootkits with user-space tools futile? Contrary to the prevailing view that considers it effective, we argue that the detection of user-space rootkits cannot be done in user-space at all. This manuscript describes the classical approach to build user-space library rootkits, the traditional detection mechanisms, and different evasion techniques.
- Score: 0.0
- License: http://creativecommons.org/licenses/by-nc-nd/4.0/
- Abstract: The kind of malware designed to conceal malicious system resources (e.g. processes, network connections, files, etc.) is commonly referred to as a rootkit. This kind of malware represents a significant threat in contemporary systems. Despite the existence of kernel-space rootkits (i.e. rootkits that infect the operating system kernel), user-space rootkits (i.e. rootkits that infect the user-space operating system tools, commands and libraries) continue to pose a significant danger. However, kernel-space rootkits attract all the attention, implicitly assuming that user-space rootkits (malware that is still in existence) are easily detectable by well-known user-space tools that look for anomalies. The primary objective of this work is to answer the following question: Is detecting user-space rootkits with user-space tools futile? Contrary to the prevailing view that considers it effective, we argue that the detection of user-space rootkits cannot be done in user-space at all. Moreover, the detection results must be communicated to the user with extreme caution. To support this claim, we conducted different experiments focusing on process concealing in Linux systems. In these experiments, we evade the detection mechanisms widely accepted as the standard solution for this type of user-space malware, bypassing the most popular open source anti-rootkit tool for process hiding. This manuscript describes the classical approach to build user-space library rootkits, the traditional detection mechanisms, and different evasion techniques (it also includes understandable code snippets and examples). In addition, it offers some guidelines to implement new detection tools and improve the existing ones to the extent possible.
Related papers
- Trace of the Times: Rootkit Detection through Temporal Anomalies in Kernel Activity [2.900892566337075]
  Kernel rootkits enable stealthy operation and are thus difficult to detect. Existing detection approaches rely on signatures that are unable to detect novel rootkits or require domain knowledge about the rootkits to be detected. Our framework injects probes into the kernel to measure time stamps of functions within relevant system calls, computes distributions of function execution times, and uses statistical tests to detect time shifts. The evaluation of our open-source implementation on publicly available data sets indicates high detection accuracy with an F1 score of 98.7% across five scenarios with varying system states.
  arXiv Detail & Related papers (2025-03-04T08:43:38Z)
- Living off the Analyst: Harvesting Features from Yara Rules for Malware Detection [50.55317257140427]
  A strategy used by malicious actors is to "live off the land," where benign systems are used and repurposed for the malicious actor's intent. We show that this is plausible via YARA rules, which use human-written signatures to detect specific malware families. By extracting sub-signatures from publicly available YARA rules, we assembled a set of features that can more effectively discriminate malicious samples.
  arXiv Detail & Related papers (2024-11-27T17:03:00Z)
- MASKDROID: Robust Android Malware Detection with Masked Graph Representations [56.09270390096083]
  We propose MASKDROID, a powerful detector with a strong discriminative ability to identify malware. We introduce a masking mechanism into the Graph Neural Network based framework, forcing MASKDROID to recover the whole input graph. This strategy enables the model to understand the malicious semantics and learn more stable representations, enhancing its robustness against adversarial attacks.
  arXiv Detail & Related papers (2024-09-29T07:22:47Z)
- If It Looks Like a Rootkit and Deceives Like a Rootkit: A Critical Examination of Kernel-Level Anti-Cheat Systems [0.0]
  This paper systematically evaluates the extent to which kernel-level anti-cheat systems mirror the properties of rootkits. Our analysis shows two of the four anti-cheat solutions exhibiting rootkit-like behaviour, threatening the privacy and the integrity of the system.
  arXiv Detail & Related papers (2024-08-01T12:10:03Z)
- Understanding crypter-as-a-service in a popular underground marketplace [51.328567400947435]
  Crypters are pieces of software whose main goal is to transform a target binary so it can avoid detection by antivirus (AV) applications. The crypter-as-a-service model has gained popularity in response to the increased sophistication of detection mechanisms. This paper provides the first study on an online underground market dedicated to crypter-as-a-service.
  arXiv Detail & Related papers (2024-05-20T08:35:39Z)
- The Reversing Machine: Reconstructing Memory Assumptions [2.66610643553864]
  A malicious kernel-level driver can bypass OS-level anti-virus mechanisms easily. We present The Reversing Machine (TRM), a new hypervisor-based memory introspection design for reverse engineering. We show that TRM can detect each threat and that, out of 24 state-of-the-art AV solutions, only TRM can detect the most advanced threats.
  arXiv Detail & Related papers (2024-05-01T03:48:22Z)
- GuardFS: a File System for Integrated Detection and Mitigation of Linux-based Ransomware [8.576433180938004]
  GuardFS is a file system-based approach to investigate the integration of detection and mitigation of ransomware. Using a bespoke overlay file system, data is extracted before files are accessed. Models trained on this data are used by three novel defense configurations that obfuscate, delay, or track access to the file system.
  arXiv Detail & Related papers (2024-01-31T15:33:29Z)
- Beyond Control: Exploring Novel File System Objects for Data-Only Attacks on Linux Systems [15.913967348814323]
  We semi-automatically discover and evaluate exploitable non-control data within the file subsystem of the Linux kernel. We use 18 real-world CVEs to evaluate the exploitability of the file system objects using various exploit strategies. We develop 10 end-to-end exploits using a subset of CVEs against the kernel with all state-of-the-art mitigations enabled.
  arXiv Detail & Related papers (2024-01-31T06:16:00Z)
- DRSM: De-Randomized Smoothing on Malware Classifier Providing Certified Robustness [58.23214712926585]
  We develop a certified defense, DRSM (De-Randomized Smoothed MalConv), by redesigning the de-randomized smoothing technique for the domain of malware detection. Specifically, we propose a window ablation scheme to provably limit the impact of adversarial bytes while maximally preserving local structures of the executables. We are the first to offer certified robustness in the realm of static detection of malware executables.
  arXiv Detail & Related papers (2023-03-20T17:25:22Z)
- Mate! Are You Really Aware? An Explainability-Guided Testing Framework for Robustness of Malware Detectors [49.34155921877441]
  We propose an explainability-guided and model-agnostic testing framework for robustness of malware detectors. We then use this framework to test several state-of-the-art malware detectors' abilities to detect manipulated malware. Our findings shed light on the limitations of current malware detectors, as well as how they can be improved.
  arXiv Detail & Related papers (2021-11-19T08:02:38Z)
- Adversarial EXEmples: A Survey and Experimental Evaluation of Practical Attacks on Machine Learning for Windows Malware Detection [67.53296659361598]
  Adversarial EXEmples can bypass machine learning-based detection by perturbing relatively few input bytes. We develop a unifying framework that not only encompasses and generalizes previous attacks against machine-learning models, but also includes three novel attacks. These attacks, named Full DOS, Extend and Shift, inject the adversarial payload by respectively manipulating the DOS header, extending it, and shifting the content of the first section.
  arXiv Detail & Related papers (2020-08-17T07:16:57Z)
This list is automatically generated from the titles and abstracts of the papers in this site.