Last December, I blogged about the AVAR 2006 conference where I presented my paper on kernel malware. Finally, we are able to provide the material for our readers. Both the paper and slides are available in PDF format.
The paper – "Kernel Malware: The Attack from Within" – is about kernel malware, explaining what they are, how they work, and what makes their detection and removal challenging. It also looks at two interesting malware cases utilizing kernel-mode techniques to avoid detection and to bypass personal firewalls.
An important part of the paper was a statistical analysis run over a large sample set to investigate how the kernel malware trend has changed over the years. Details for the analysis can be found from the paper but I thought it would be nice also to post the results here. Below, we have two graphs demonstrating the change in kernel malware trends since year 2003 onwards.
The first graph shows how the number of kernel-mode driver samples has changed over the years. This data includes different variants of the same family. A more interesting graph is shown below, which illustrates the cumulative number of malware families utilizing kernel-mode components.
From these two graphs we can easily see how the trend has changed dramatically at the end of the year 2004. This is mostly explained by the increased number of malware starting to use kernel-mode rootkits to hide their presence on the compromised system.
Today, kernel-mode rootkits are much more common than their user-mode counterparts. There are many reasons for this. Kernel-mode rootkits are more powerful thus they are able to hide better. Documentation with examples and fully working source code is easily available – there are even books available that explain in detail how to write your own kernel-mode rootkit. Implementing a full-flexed user-mode rootkit is a complex task. It seems that for malware authors, it is much easier just to upgrade their user-mode malware with a cut-and-paste kernel-mode rootkit.