Paper accepted at Journal of Information Processing
Sebastian Eresheim, Robert Luh, Sebastian Schrittwieser. The Evolution of Process Hiding Techniques in Malware – Current Threats and Possible Countermeasures. Journal of Information Processing (JIP) – Special issue of “Computer Security Technologies against Sophisticated Cyber Attacks”. 2017
Rootkits constitute a significant threat to modern computing and information systems. Since their first appearance in the early 1990s, they have steadily evolved, adapting to ever-improving security measures. One central aspect rootkits have in common is the ability to hide their malicious presence and activities from the operating system and its legitimate users.
In this paper we systematically analyze the process hiding techniques routinely used by rootkit malware. We summarize the characteristics of the different approaches and discuss their advantages and limitations. Furthermore, we assess the detection and prevention techniques that have been introduced in operating systems in response to the threat of hidden malware. Our results show that the arms race between rootkit authors and defenders is far from over. At the same time, we see a pronounced shift towards powerful VM-based techniques that will continue to evolve over the coming years.