Malware exists in many forms and is used to attack many different technologies, including Microsoft’s Windows operating system kernel. Security firm Lastline announced a new capability to detect kernel malware, complemented by a presentation March 17 at the South by Southwest (SXSW) conference on the state of malware.
“There is malware today that injects itself directly into the kernel, and the problem is that it enables the malware to run with high privileges,” Engin Kirda, Lastline co-founder and chief architect, told eWEEK.
Since the kernel malware runs with high privileges, most modern security software and sandboxing techniques fail to detect the malware, making it more difficult to stop it from doing harm, Kirda said.
Kernel malware isn’t the same as rootkit malware although the two can be related, he said, adding that a rootkit is a group of malware tools designed to give an attacker control of a vulnerable system.
“A rootkit doesn’t necessarily have to run in the kernel, so an attacker could write code that runs in user space,” Kirda said. “A rootkit could also potentially run in the kernel.”
Much of the Windows kernel space is read-only in order to prevent unauthorized loading of code, and a user-level program typically cannot write code that will execute in the kernel, he explained.
“Attackers will often use vulnerabilities in the kernel to overwrite the write protection,” Kirda said.
Most modern antivirus software relies on heuristic technologies to help identify potential malware, yet in Kirda’s analysis, that’s not enough to find kernel-level malware.
The new Lastline capability to gain visibility into kernel malware is derived from how Lastline performs emulation. Lastline’s Breach Detection Platform leverages the open-source QEMU (Quick EMUlator) with additional modifications and extensions in order to perform full system emulation. Lastline partners and integrates its technology with multiple vendors, including Dell SecureWorks, Blue Coat, Tripwire, Juniper and Barracuda.
The new Lastline 6.5 release adds visibility and capabilities to see whether something is actually being loaded into the kernel, Kirda said.
“Since we’re able to see every single instruction that is executed in the kernel, we can look for malicious behaviors that are indicative of malware,” Kirda said. “So if something ends up in the kernel and does something you would not normally expect to see, we can flag that.”
While Kirda has seen an increase in kernel malware, for the most part he hasn’t seen it widely used in automated exploitation tools and kits. Most of the kernel malware attacks that Kirda has seen have been very targeted and were not automated. Now that Lastline has the new deep level of visibility, the company will continue to research new ways of improving the technology to stay one step ahead of attackers, Kirda said.
“We expect that kernel malware will become even more evasive,” Kirda said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.