
Research And Implementation Of Anti-R/Bootkit Based On Behavior Detection

Posted on: 2010-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Li
Full Text: PDF
GTID: 2178360302959686
Subject: System architecture

Abstract/Summary:
Rootkits are a new class of malware designed to take covert control of a compromised computer. Such a tool can persist illegitimately on the targeted machine for a long time through a hidden backdoor or a similar program, and it keeps the user believing the machine is free of intrusion by hiding key information whenever the user inspects the system's current state. A bootkit is an advanced form of rootkit that inherits the rootkit's exploitation of kernel-level privilege and its self-concealment techniques, and it poses a new challenge to the security of system boot and kernel entry. Because rootkits and bootkits (R/Bootkits) are a potentially dangerous mutation built on new techniques in the information security field, both industry and academia have published their own research on them.

The major contributions and features of this thesis are as follows:

(1) R/Bootkit behaviour analysis and a formal description of the behaviour feature. By examining the harm principles and key techniques of the current major rootkits and bootkits, together with the weakness of existing anti-R/Bootkit tools that rely on the user's choice when judging whether a behaviour is malicious, we identify malicious entry into the kernel as the behaviour feature that forms the bottleneck for preventing and detecting R/Bootkits, and we define a formal description language to describe this behaviour feature.

(2) Design and implementation of an anti-R/Bootkit prototype system based on the behaviour feature of malicious kernel entry. On this basis, we designed and implemented an anti-R/Bootkit prototype system that uses behaviour rules and policies written in the language described above. Compared with commercial anti-R/Bootkit systems of the same kind, the prototype showed better independent identification and prevention ability against unknown R/Bootkits.

Finally, we discuss the new development trends in the contest between R/Bootkits and anti-R/Bootkit tools and outline the prospects for further work.
Keywords/Search Tags: Rootkit, Bootkit, behaviour feature, hook, boot ahead, enter into kernel, formal description, Behaviour Detection (BD)