Kaspersky Lab Patents Method for Detecting Malware That Conceals its Presence in the System
Woburn, MA – April 8, 2014 - Kaspersky Lab has obtained a patent for a method of detecting
malware that has been masked by rootkits – special programs capable of altering
the outcomes of system functions. Patent no. 8677492, issued by the US Patent and
Trademark Office, describes the operation of a security solution with a special
module that duplicates some functions of the operating system’s (OS) kernel.
This ensures that the security solution has reliable information even if the OS
is infected with a rootkit.
Attackers use rootkits to prevent security solutions from detecting malicious programs
such as Trojans. To do this, a rootkit masquerades as a legitimate driver,
integrates with the OS kernel, intercepts system function calls from
applications and modifies the results they return, deleting any
references to files and processes related to the Trojan. The presence of the
malicious code is thus masked: a dangerous program becomes invisible to the
user and to other applications.
The patent obtained by Kaspersky Lab describes an auxiliary module that duplicates
critical functions of the OS kernel, such as file handling, process control
and reading registry records.
One application of the module is to detect objects masked by a rootkit. The
security solution requests a list of files or running processes
through the main kernel while simultaneously sending an identical request
through the auxiliary module. Comparing the two results identifies
objects that the auxiliary module reports but that are absent from the list
returned by the OS kernel. Such a discrepancy indicates that a rootkit is
active in the system, and the security solution can then take action to
neutralize the suspicious objects.
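As an added example, not Kaspersky Lab's code and not the patented auxiliary module, the comparison step described above can be written as a cross-view diff. The auxiliary view used here is an assumption chosen for illustration: a brute-force probe of every PID under Linux /proc (the approach used by the open-source unhide tool) rather than an independent re-implementation of kernel functions. All function names and the sample PID lists are constructed for this example.

```python
"""Cross-view detection of processes hidden by a rootkit (added example).

Illustration written for this page, not Kaspersky Lab's code and not the
patented auxiliary kernel module. The comparison logic is kept separate from
the two views so it can be exercised on constructed data. The live views
assume Linux with /proc mounted:

  * kernel view   : readdir() on /proc, the listing a rootkit that hooks
                    getdents()/readdir() will have filtered.
  * auxiliary view: a brute-force probe of every PID (the technique used by
                    the unhide tool). This is only a stand-in for the patent's
                    independent kernel module: it takes a different code path
                    (path lookup instead of directory enumeration), but it is
                    still answered by the same kernel.
"""
import os
from typing import Iterable, Optional, Set, Tuple


def cross_view_diff(
    kernel_before: Iterable[int],
    auxiliary: Iterable[int],
    kernel_after: Iterable[int],
) -> Tuple[Set[int], Set[int]]:
    """Compare the auxiliary view with two kernel snapshots taken around it.

    Returns (hidden, transient):
      hidden    - objects the auxiliary view reports but NEITHER kernel
                  snapshot lists: the rootkit indicator the patent describes.
      transient - objects present in the auxiliary view and in exactly one
                  kernel snapshot: they were created or exited between the
                  snapshots, so a single diff would have flagged them falsely.
    """
    before, after, aux = set(kernel_before), set(kernel_after), set(auxiliary)
    hidden = aux - (before | after)
    transient = aux & (before ^ after)
    return hidden, transient


def proc_readdir_view() -> Set[int]:
    """Kernel view: the PIDs an ordinary process list (ps, top) sees."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def _is_thread_group_leader(pid: int) -> bool:
    """/proc/<tid> resolves for every thread, but readdir() on /proc lists only
    thread-group leaders. Compare like with like, otherwise every thread of a
    multithreaded process would be reported as a hidden process."""
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:  # PID does not exist, or exited while we were reading
        return False
    return False


def proc_bruteforce_view(max_pid: Optional[int] = None) -> Set[int]:
    """Auxiliary view: ask about every PID directly instead of trusting the
    directory listing. Reads pid_max from the kernel when max_pid is None;
    with a large pid_max this takes a few seconds."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    return {
        pid for pid in range(1, max_pid + 1)
        if os.path.exists(f"/proc/{pid}/status") and _is_thread_group_leader(pid)
    }


def scan_live(max_pid: Optional[int] = None) -> Tuple[Set[int], Set[int]]:
    """Sandwich the slow auxiliary enumeration between two fast kernel
    snapshots so that processes starting or exiting during the scan are
    classified as transient rather than hidden."""
    before = proc_readdir_view()
    aux = proc_bruteforce_view(max_pid)
    after = proc_readdir_view()
    return cross_view_diff(before, aux, after)


if __name__ == "__main__":
    # Constructed sample data (not from a real system): PID 6666 is visible
    # only to the auxiliary view, 4242 exited and 7000 started between the
    # two kernel snapshots.
    hidden, transient = cross_view_diff(
        kernel_before=[1, 2, 300, 4242],
        auxiliary=[1, 2, 300, 4242, 6666, 7000],
        kernel_after=[1, 2, 300, 7000],
    )
    print("constructed sample -> hidden:", sorted(hidden), "transient:", sorted(transient))
    hidden, transient = scan_live()
    print("live scan          -> hidden:", sorted(hidden), "transient:", sorted(transient))
```

Two details matter in practice. First, the comparison is bracketed by two kernel snapshots, because a process that starts or exits while the slower auxiliary enumeration runs would otherwise show up as a "hidden" object; only an object that neither snapshot reports is flagged. Second, the brute-force stand-in shares the kernel with the view it is checking, so a rootkit hooking a layer both paths pass through (the VFS lookup rather than only readdir) would fool both views. That limitation is exactly what the patent's independently implemented module is meant to remove.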
The conditions for using the auxiliary kernel can be configured as required. For example, on a
home computer a scan can be launched only when other security subsystems flag an
object’s suspicious behavior, which saves resources. In a corporate
environment requiring a higher level of security, the control can be used on a

Kaspersky Lab holds an extensive patent portfolio. As of late March 2014, the company held
197 patents issued in the USA, Russia, the European Union and China. A further 248
patent applications are being reviewed by the appropriate authorities.
Vyacheslav Rusakov, Malware Expert at Kaspersky Lab and author of the patent, said: “Masking malware
programs with the help of rootkits makes it much more difficult for
anti-malware solutions to detect threats. This newly patented technology
provides a reliable method to identify objects that are disguised in the
system, helping counteract the most dangerous attacks.”
About Kaspersky Lab
Kaspersky Lab is the world’s largest privately held vendor of endpoint
protection solutions. The company is ranked among the world’s top four vendors
of security solutions for endpoint users*. Throughout its more than 16-year
history Kaspersky Lab has remained an innovator in IT security and provides
effective digital security solutions for large enterprises, SMBs and consumers.
Kaspersky Lab, with its holding company registered in the United Kingdom,
currently operates in almost 200 countries and territories across the globe,
providing protection for over 300 million users worldwide. Learn more at www.kaspersky.com.
* The company was rated fourth in the IDC rating
Worldwide Endpoint Security Revenue by Vendor, 2011. The rating was published
in the IDC report "Worldwide Endpoint Security 2012–2016 Forecast and 2011
Vendor Shares" (IDC #235930, July 2012). The report ranked software vendors
according to earnings from sales of endpoint security solutions in 2011.
For the latest in-depth information on security
threat issues and trends, please visit: