Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files

  • Yi-Min Wang,
  • Binh Vo,
  • Roussi Roussev,
  • Chad Verbowski,
  • Aaron Johnson

MSR-TR-2004-71

File hiding is an advanced stealth technique that is becoming popular among system monitoring software such as RootKits, Trojans, and keyloggers. It presents a major challenge to system administrators and the anti-malware industry because detection and removal are virtually impossible if the target files are not even visible. In this paper, we present Strider GhostBuster, which exploits the fundamental weakness of the file-hiding behavior and turns the problem into its own solution. We have tested this diff-based tool successfully in the lab against several real-world system monitoring programs. The simplicity and effectiveness of the approach suggest that the following quote on the Internet may no longer be true: “When you can get the dir command to lie, it’s all over.” In the post-GhostBuster world: “The best way to hide is not trying to hide.”
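The diff-based idea in the abstract, as an added illustration and not GhostBuster's own code: the same directory tree is listed once through the normal, hookable API and once through an independent low-level view, and whatever the API view omits or misreports is flagged. The `Entry` type, the two constructed listings, the scan-window handling for files that legitimately change between the two listings, and the Windows-style case-insensitive path normalization are all assumptions of this example.

```python
# Cross-view diff, the core of the GhostBuster approach. Every name here is an
# assumption of this illustration; the listings are constructed, not real scans.
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Entry:
    path: str     # full path exactly as that view reported it
    size: int     # bytes, as that view reported it
    mtime: float  # last-modified time, seconds since the epoch

def normalize(path: str) -> str:
    # Windows names are case-insensitive; both views must key on one form.
    return path.replace("/", "\\").rstrip("\\").lower()

def cross_view_diff(api_view: Iterable[Entry], raw_view: Iterable[Entry],
                    scan_start: float, scan_end: float) -> dict:
    """Report what the API (hookable) view omits or misreports relative to the
    raw (independent) view. Files touched inside the scan window can differ
    for innocent reasons, so they are reported separately, not as hidden."""
    api = {normalize(e.path): e for e in api_view}
    raw = {normalize(e.path): e for e in raw_view}
    hidden, transient, misreported = [], [], []
    for key, e in raw.items():
        if key not in api:
            if scan_start <= e.mtime <= scan_end:
                transient.append(e.path)   # created while the two views were taken
            else:
                hidden.append(e.path)      # raw view sees it, API view does not
        elif api[key].size != e.size:
            misreported.append(e.path)     # visible in both, but the API lies about it
    ghost = [e.path for k, e in api.items() if k not in raw]  # API-only entries
    return {"hidden": sorted(hidden), "misreported": sorted(misreported),
            "transient": sorted(transient), "ghost": sorted(ghost)}

# Constructed sample listings: a 60-second scan window starting at T0.
T0, T1 = 1_700_000_000.0, 1_700_000_060.0
API_VIEW = [
    Entry(r"C:\Windows\System32\kernel32.dll", 720_000, T0 - 9e6),
    Entry(r"C:\ProgramData\agent\capture.dat", 0, T0 - 3600),          # size misreported
    Entry(r"C:\Users\Alice\deleted-during-scan.tmp", 10, T0 + 5),      # gone before raw scan
]
RAW_VIEW = [
    Entry(r"c:\windows\system32\KERNEL32.DLL", 720_000, T0 - 9e6),    # same file, other case
    Entry(r"C:\ProgramData\agent\capture.dat", 4096, T0 - 3600),
    Entry(r"C:\Windows\System32\drivers\svcmon.sys", 51_200, T0 - 86400),  # hidden from API
    Entry(r"C:\Users\Alice\AppData\Local\Temp\tmp1A2B.log", 512, T0 + 30), # transient
]

def run_demo() -> dict:
    return cross_view_diff(API_VIEW, RAW_VIEW, T0, T1)
```

Only the `hidden` and `misreported` buckets are evidence of lying; a practitioner would re-run the pair of listings to see whether `transient` and `ghost` entries persist before treating them as suspicious.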