Malware hitting the kernel level of the OS
6 March, 2007
By Vanessa Ho
According to a recent F-Secure Corp. study called "Kernel Malware: The Attack from Within," hackers are starting to use kernel-level malware to attack the kernel of a user's Windows operating system (OS) instead of attacking in user mode, where most malware operates.
"The use of kernel-level software is growing and while it is not the majority of malware that we are seeing, it is a growing trend and dangerous because it is much more difficult to find than normal malware," said Patrik Runald, senior security specialist with F-Secure.
He added that kernel malware gets onto people's systems like any other malware, for example when a user opens an email attachment from an unknown sender, and uses similar attack vectors, such as keylogging to capture and send out confidential information.
The only difference is that kernel malware hides itself from the user's security software. For example, a user could ask their anti-virus program to scan all the files in a particular folder. Windows would then pass a list of those files to the anti-virus program, which would scan them for any malware.
"What the kernel malware does is it would see this communication between the security software and the OS and it would filter out its own files. So when Windows returns a list of files to the anti-virus product, files belonging to the malware would be left out," said Runald.
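The filtering Runald describes is what cross-view rootkit detection looks for: the same directory is enumerated through the normal OS API and through a lower-level, unfiltered path, and anything present in one view but missing from the other is flagged. The following is an added example, not code from the article or from F-Secure; the listings and the `hidden_` file names are constructed, and `simulated_filtered_listing()` is a user-space stand-in for the kernel behaviour described, there only so the detector has something to find.

```python
"""Cross-view detection of files hidden from a directory listing (added
example, not from the article or F-Secure; all listings are constructed)."""
from dataclasses import dataclass

# Constructed sample data: what the volume actually contains.
RAW_LISTING = [
    "C:\\Windows\\System32\\kernel32.dll",
    "C:\\Windows\\System32\\drivers\\hidden_drv.sys",   # constructed name
    "C:\\Users\\alice\\Documents\\report.docx",
    "C:\\Users\\alice\\AppData\\hidden_log.dat",        # constructed name
]

def simulated_filtered_listing(raw, hide_prefix="hidden_"):
    """Stand-in for the filtered listing the article describes: every entry
    whose file name starts with hide_prefix is dropped before it reaches the
    caller. Constructed behaviour, so the detector has something to find."""
    return [p for p in raw if not p.rsplit("\\", 1)[-1].startswith(hide_prefix)]

def normalize(path):
    """Windows paths are case-insensitive, so compare on a canonical form;
    otherwise KERNEL32.DLL vs kernel32.dll would be a false positive."""
    return path.replace("/", "\\").rstrip("\\").lower()

@dataclass(frozen=True)
class CrossViewResult:
    hidden: frozenset    # present in the raw view, missing from the API view
    phantom: frozenset   # present in the API view only (corruption or a race)

def cross_view_diff(api_view, raw_view):
    """Compare two enumerations of the same directory tree."""
    api = {normalize(p) for p in api_view}
    raw = {normalize(p) for p in raw_view}
    return CrossViewResult(hidden=frozenset(raw - api), phantom=frozenset(api - raw))

def confirmed_hidden(enumerate_api, enumerate_raw, passes=2):
    """Files created or deleted between two enumerations show up as one-off
    differences; only entries missing from the API view in every pass count."""
    hidden = None
    for _ in range(passes):
        diff = cross_view_diff(enumerate_api(), enumerate_raw()).hidden
        hidden = diff if hidden is None else hidden & diff
    return sorted(hidden)

if __name__ == "__main__":
    for path in confirmed_hidden(lambda: simulated_filtered_listing(RAW_LISTING),
                                 lambda: RAW_LISTING):
        print("hidden from API view:", path)
```

A real detector obtains the raw view by parsing the file system directly from the volume rather than from a constructed list; the comparison and the re-scan logic are the same.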
In addition to hiding from security software, kernel malware also has the ability to bypass a firewall's warning system that indicates when a new application attempts to connect to the Internet.
Runald said that kernel malware comprised about five per cent of all malware that F-Secure reported last year and only started to become an increasing problem over the last 12 to 18 months. The reason for its increase, said Runald, is that its source code is readily available on the Internet, so attackers can simply add kernel-level code to existing malware.
Runald said the best way to prevent kernel malware from entering a user's system is not to open any attachments from unknown emails or suspect links, the same advice he would give to prevent normal malware from attacking a system. As well, he added that users should run the latest version of their security product to combat kernel malware that is already on a system.
The latest security products from F-Secure, Symantec and McAfee all have the ability to scan for rootkits and kernel-level malware.
But, unfortunately, the security expert said that not all companies are running the latest and greatest security software, which only increases the prevalence of kernel malware.
"What we are seeing is more advanced kernel-level malware that is more difficult for us to detect and we see a development happening in the kernel-level space where the bad guys are trying to make it more difficult for us to update products and do certain tricks to detect them. It is going to get worse before it gets better," said Runald.