CariDotMy

Kaspersky Lab

Post time 14-4-2014 01:06 PM
Kaspersky Lab has obtained a patent for a method of detecting malware that has been masked by rootkits – special programs capable of altering the outcomes of system functions. Patent no. 8677492 issued by the US Patent and Trademark Office describes the operation of a security solution with a special module that duplicates some functions of the operating system’s kernel, so the security solution has reliable information even if the OS is infected with a rootkit.

Cybercriminals use rootkits to prevent security solutions detecting malicious programs such as Trojans. To do this a rootkit masquerades as a legal driver, integrates with the OS kernel, intercepts system function calls from applications and modifies the results of their operation, deleting any references to files and processes related to the Trojan. This means the presence of malicious code can be masked – a dangerous program becomes invisible to the user and to other applications.

The patent obtained by Kaspersky Lab describes an auxiliary module that duplicates the critical functions of the OS kernel, such as handling files, process control, reading registry records etc.

The main application of the module is to detect objects masked by a rootkit. The security solution does so by requesting a list of files or running processes through the main kernel, and simultaneously sends an identical request through the auxiliary module. A comparison of the returned data helps identify objects that are absent from the list returned by the OS kernel.

If the two lists are not identical, this indicates that a rootkit is active in the system, and the security solution can perform actions to neutralize suspicious objects.

The algorithm for using the auxiliary kernel can be configured as required. For example, on a home computer a scan can be launched when other security subsystems flag an object’s suspicious behavior – this will save resources. In a corporate environment requiring a higher level of security, the control can be used on a continuous basis.

“Masking malware programs with the help of rootkits makes it much more difficult for anti-malware solutions to detect threats. This newly patented technology provides a reliable method to identify objects that are disguised in the system, helping counteract the most dangerous attacks,” commented Vyacheslav Rusakov, Malware Expert at Kaspersky Lab and author of the patent.

This method of detecting malicious code that conceals its presence in the system has been implemented in Kaspersky Lab’s home and corporate products, including Kaspersky Internet Security, Kaspersky PURE and Kaspersky Endpoint Security for Business.

Kaspersky Lab holds an extensive patent portfolio. As of mid-March 2014, Kaspersky Lab holds 197 patents issued in the USA, Russia, the European Union and China. A further 248 patent applications are being reviewed by the appropriate authorities.
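The list comparison described in the post, as an added example that is not part of the original post and is not Kaspersky Lab's code: it diffs the OS view against the auxiliary view over several paired snapshots. The names `Proc`, `hidden_in_pair`, `persistent_hidden` and the sample snapshots are constructed for illustration, and requiring repeated misses is an assumption added here to filter out processes that start or exit between the two requests.

```python
from collections import Counter
from typing import NamedTuple

class Proc(NamedTuple):
    pid: int
    start: int   # start time; paired with pid so a reused PID is a new object
    image: str

def hidden_in_pair(os_view, aux_view):
    """Objects the auxiliary enumerator returned that the OS kernel view omits."""
    return set(aux_view) - set(os_view)

def persistent_hidden(pairs, min_hits=3):
    """Flag objects absent from the OS view in at least min_hits paired snapshots
    and never listed by the OS view in any pair. The two requests cannot be
    perfectly simultaneous, so a single mismatch may just be a process that
    started between them (assumption added here, not from the post)."""
    missing, seen_by_os = Counter(), set()
    for os_view, aux_view in pairs:
        seen_by_os.update(os_view)
        missing.update(hidden_in_pair(os_view, aux_view))
    return sorted(p for p, n in missing.items()
                  if n >= min_hits and p not in seen_by_os)

# Constructed sample data: three paired snapshots (OS view, auxiliary view).
SYSTEM  = Proc(4, 100, "System")
SVCHOST = Proc(812, 140, "svchost.exe")
UPDATER = Proc(2044, 900, "updater.exe")   # starts between the two requests in pair 1
MASKED  = Proc(3120, 300, "masked.exe")    # never returned by the OS view
PAIRS = [
    ([SYSTEM, SVCHOST],          [SYSTEM, SVCHOST, UPDATER, MASKED]),
    ([SYSTEM, SVCHOST, UPDATER], [SYSTEM, SVCHOST, UPDATER, MASKED]),
    ([SYSTEM, SVCHOST, UPDATER], [SYSTEM, SVCHOST, MASKED]),  # updater exited
]

if __name__ == "__main__":
    print("single-pair diff:", sorted(hidden_in_pair(*PAIRS[0])))
    print("persistent:", persistent_hidden(PAIRS))
```

A single-pair diff reports both the masked object and the process that merely started mid-scan; only the masked object survives the repeated comparison.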
