Woburn, MA – April 8, 2014 – Kaspersky Lab has obtained a patent for a method of detecting malware that has been masked by rootkits – special programs capable of altering the outcomes of system functions. Patent no. 8677492, issued by the US Patent and Trademark Office, describes the operation of a security solution with a special module that duplicates some functions of the operating system’s (OS) kernel. This ensures that the security solution has reliable information even if the OS is infected with a rootkit.
Cybercriminals use rootkits to prevent security solutions from detecting malicious programs such as Trojans. To do this, a rootkit masquerades as a legitimate driver, integrates with the OS kernel, intercepts system function calls from applications and modifies the results of their operation, deleting any references to files and processes related to the Trojan. This means the presence of malicious code can be masked – a dangerous program becomes invisible to the user and to other applications.
The patent obtained by Kaspersky Lab describes an auxiliary module that duplicates the critical functions of the OS kernel, such as handling files, process control, reading registry records, etc.
The main application of the module is to detect objects masked by a rootkit. The security solution does this by requesting a list of files or running processes through the main kernel while simultaneously sending an identical request through the auxiliary module. A comparison of the returned data helps identify objects that are absent from the list returned by the OS kernel.
If the two lists are not identical, this indicates that a rootkit is active in the system and the security solution can perform actions to neutralize suspicious objects.
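The cross-view comparison described above, as an added example written for this page rather than Kaspersky Lab's patented implementation: the two process enumerations are simulated with constructed data, and the comparison is repeated over two snapshots so that a process that simply exited between the two enumerations is not reported as hidden.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Proc:
    pid: int
    name: str


# Constructed sample views. In a real scanner OS_VIEW would come from the normal
# kernel API and TRUSTED_VIEW from the auxiliary module that re-implements it.
TRUSTED_VIEW_1 = {Proc(4, "System"), Proc(612, "svchost.exe"),
                  Proc(1337, "hidden.exe"), Proc(2000, "notepad.exe"),
                  Proc(3000, "tmp.exe")}  # tmp.exe exits right after this snapshot
OS_VIEW_1 = {Proc(4, "System"), Proc(612, "svchost.exe"), Proc(2000, "notepad.exe")}

TRUSTED_VIEW_2 = {Proc(4, "System"), Proc(612, "svchost.exe"),
                  Proc(1337, "hidden.exe"), Proc(2000, "notepad.exe")}
OS_VIEW_2 = {Proc(4, "System"), Proc(612, "svchost.exe"), Proc(2000, "notepad.exe")}

SNAPSHOTS = [(OS_VIEW_1, TRUSTED_VIEW_1), (OS_VIEW_2, TRUSTED_VIEW_2)]


def hidden_objects(os_view, trusted_view):
    """Objects the trusted enumeration sees but the OS-kernel enumeration does not.
    A non-empty result is the rootkit indicator the patent describes."""
    return sorted(trusted_view - os_view)


def confirmed_hidden(snapshots):
    """Intersect the discrepancies across several paired snapshots, so an object
    that merely disappeared between two enumerations is not reported as hidden."""
    hidden = None
    for os_view, trusted_view in snapshots:
        diff = set(hidden_objects(os_view, trusted_view))
        hidden = diff if hidden is None else hidden & diff
    return sorted(hidden) if hidden else []


if __name__ == "__main__":
    print("single snapshot:", hidden_objects(OS_VIEW_1, TRUSTED_VIEW_1))
    print("confirmed across snapshots:", confirmed_hidden(SNAPSHOTS))
```

The single-snapshot diff flags both hidden.exe and the transient tmp.exe; only hidden.exe survives the second snapshot, which is what a scanner should act on.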
The algorithm for using the auxiliary kernel can be configured as required. For example, on a home computer a scan can be launched when other security subsystems flag an object’s suspicious behavior – this will save resources. In a corporate environment requiring a higher level of security, the control can be used on a continuous basis.
This method of detecting malicious code that conceals its presence in the system has been implemented in Kaspersky Lab’s home and corporate products, including Kaspersky Internet Security, Kaspersky PURE and Kaspersky Endpoint Security for Business.
Kaspersky Lab holds an extensive patent portfolio. As of late March 2014, Kaspersky Lab holds 197 patents issued in the USA, Russia, the European Union and China. A further 248 patent applications are being reviewed by the appropriate authorities.
Vyacheslav Rusakov, Malware Expert and author of the patent
“Masking malware programs with the help of rootkits makes it much more difficult for anti-malware solutions to detect threats. This newly patented technology provides a reliable method to identify objects that are disguised in the system, helping counteract the most dangerous attacks.”
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint protection solutions. The company is ranked among the world’s top four vendors of security solutions for endpoint users*. Throughout its more than 16-year history Kaspersky Lab has remained an innovator in IT security and provides effective digital security solutions for large enterprises, SMBs and consumers. Kaspersky Lab, with its holding company registered in the United Kingdom, currently operates in almost 200 countries and territories across the globe, providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating Worldwide Endpoint Security Revenue by Vendor, 2011. The rating was published in the IDC report "Worldwide Endpoint Security 2012–2016 Forecast and 2011 Vendor Shares" (IDC #235930, July 2012). The report ranked software vendors according to earnings from sales of endpoint security solutions in 2011.
For the latest in-depth information on security threat issues and trends, please visit:
Securelist | Information about Viruses, Hackers and Spam
Follow @Securelist on Twitter
Threatpost | The First Stop for Security News
Follow @Threatpost on Twitter