Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files

Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, and Aaron Johnson

Abstract

File hiding is an advanced stealth technique that is becoming popular among system monitoring software such as RootKits, Trojans, and keyloggers. It presents a major challenge to system administrators and the anti-malware industry because detection and removal are virtually impossible if the target files are not even visible. In this paper, we present the Strider GhostBuster that exploits the fundamental weakness of the file-hiding behavior and turns the problem into its own solution. We have tested this diff-based tool successfully in the lab against several real-world system monitoring programs. The simplicity and effectiveness of the approach suggest that the following quote on the Internet may no longer be true: “When you can get the dir command to lie, it’s all over.” In the post-GhostBuster world: “The best way to hide is not trying to hide.”

[February 23, 2005: note that Strider GhostBuster uses a “cross-view diff” technique, which is very different from the usual “cross-time diff against known good” approach. Please see the new technical report titled “Detecting Stealth Software with Strider GhostBuster” posted at http://research.microsoft.com/rootkit for a detailed discussion.]
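The abstract and the February 2005 note draw a distinction between a "cross-view diff" (compare two views of the same file system, taken at the same time, one through the high-level API a rootkit can hook and one from a lower level it does not control) and the usual "cross-time diff" against a known-good baseline. The following is an added illustration of that distinction, not code from the Strider GhostBuster tool or the technical report. It builds a small constructed directory tree in a temporary folder; `hooked_listdir` is a hypothetical stand-in for a hooked directory-enumeration API that filters out names starting with the made-up marker `HIDE_PREFIX`, and the unfiltered `os.listdir` walk stands in for the low-level view (which in the real tool comes from a raw disk scan or a clean boot, not from the same API). Every entry that appears in the low-level view but not in the high-level view is, by construction, something that is hiding.

```python
"""Cross-view diff vs. cross-time diff for detecting hidden files (added example)."""
import os
import tempfile
from typing import Callable, Dict, List, Set

# Hypothetical marker: the simulated rootkit hides every name that starts with it.
HIDE_PREFIX = "_ghost"

# Constructed sample data (not taken from any real infection).
BASELINE_FILES = ["bin/ls", "etc/hosts", "home/user/notes.txt"]
LATER_FILES = [
    "tmp/update.log",             # benign file created after the baseline
    "tmp/_ghostkit/keylog.dat",   # hidden by the simulated hook
    "tmp/_ghostkit/hook.so",      # hidden by the simulated hook
]


def create_files(root: str, rel_paths: List[str]) -> None:
    """Populate the sample tree under root."""
    for rel in rel_paths:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")


def walk(root: str, list_dir: Callable[[str], List[str]]) -> Set[str]:
    """Enumerate every regular file below root, using the supplied listing function.

    Returns relative paths with '/' separators so the two views compare as sets.
    A directory that the listing function omits is never descended into, which
    is exactly how a hooked API hides a whole subtree.
    """
    found: Set[str] = set()
    pending = [root]
    while pending:
        directory = pending.pop()
        for name in list_dir(directory):
            full = os.path.join(directory, name)
            if os.path.isdir(full):
                pending.append(full)
            else:
                found.add(os.path.relpath(full, root).replace(os.sep, "/"))
    return found


def hooked_listdir(directory: str) -> List[str]:
    """Simulated hooked enumeration API: drops the names the rootkit wants hidden."""
    return [n for n in os.listdir(directory) if not n.startswith(HIDE_PREFIX)]


def low_level_view(root: str) -> Set[str]:
    """Stand-in for the low-level (raw disk / clean boot) view: unfiltered listing."""
    return walk(root, os.listdir)


def high_level_view(root: str, hooked: bool) -> Set[str]:
    """The view a user or scanner gets through the (possibly hooked) high-level API."""
    return walk(root, hooked_listdir if hooked else os.listdir)


def cross_view_diff(high: Set[str], low: Set[str]) -> Dict[str, List[str]]:
    """'hidden' = visible at the low level but not through the API (the rootkit's tell).
    'phantom' = reported by the API but absent at the low level (an API that lies the other way)."""
    return {"hidden": sorted(low - high), "phantom": sorted(high - low)}


def cross_time_diff(baseline: Set[str], current: Set[str]) -> Dict[str, List[str]]:
    """Conventional approach: everything that changed since a known-good snapshot."""
    return {"added": sorted(current - baseline), "removed": sorted(baseline - current)}


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run both techniques over the constructed tree and return their findings."""
    with tempfile.TemporaryDirectory() as root:
        create_files(root, BASELINE_FILES)
        baseline = low_level_view(root)        # known-good snapshot for cross-time diff
        create_files(root, LATER_FILES)        # benign change plus the "infection"
        low = low_level_view(root)
        return {
            "cross_view_hiding": cross_view_diff(high_level_view(root, hooked=True), low),
            "cross_view_not_hiding": cross_view_diff(high_level_view(root, hooked=False), low),
            "cross_time": cross_time_diff(baseline, low),
        }


if __name__ == "__main__":
    for technique, result in demo().items():
        print(technique, result)
```

Two points the run makes concrete. The cross-time diff reports three added files, including the benign `tmp/update.log`, so it needs a trustworthy baseline and still leaves the analyst to sort noise from malice; the cross-view diff needs no baseline and flags only the two files the hook removed from the listing. And when the same program does not hide (`hooked=False`), the cross-view diff is empty, which is the abstract's closing point: a program that does not try to hide gives this technique nothing to find.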

Details

Publication type: TechReport
Number: MSR-TR-2004-71
Pages: 15
Institution: Microsoft Research