Finding Rootkits By Monitoring For 'Black Sheep'

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/security-monitoring/167901086/security/security-management/240077564/finding-rootkits-by-monitoring-for-black-sheep.html

Dark Reading
Nov 09, 2012

A distributed system of monitoring groups of computers using the same 
operating-system configuration can detect the changes wrought by 
rootkits following infection, a group of security researchers from the 
University of California at Santa Barbara reported in a recent paper.

Inspired by the homogenous nature of corporate networks, the computer 
scientists developed a system, dubbed Blacksheep, that can monitor the 
kernel memory dumps of a large number of systems for changes that may 
indicate a compromise. The technique, which requires no signatures or 
foreknowledge of the attacker's code, could help companies detect 
attacks that other defensive measures fail to identify, says Christopher 
Kruegel, associate professor in the Department of Computer Science at 
UCSB and a co-author of the research paper on the system.

"We are not solving the general malware problem, but against the 
important crop of kernel-level rootkits and kernel-level modifications 
and exploits, it is a very powerful and very robust and general tool," 
he says.

The research (PDF), presented at last month's ACM Conference on Computer 
and Communications Security, demonstrated that in a cloud provider's 
network of virtual machines, the technique works extremely well, but it 
has significant challenges to overcome in a real-world network of 
employee workstations.

[...]


______________________________________________
Visit the InfoSec News Security Bookstore
Best Selling Security Books and More!
http://www.shopinfosecnews.org