Search Quality & Cyber-Intelligence Lab (SQ-CIL)
Strider GhostBuster detects API-hiding rootkits by doing a "cross-view diff"
between "the truth" and "the lie". It's not based on a known-bad signature, and
it does not rely on a known-good state.
It targets the fundamental weakness of hiding rootkits, and turns the hiding behavior into its own detection mechanism.
There are three versions of Strider GhostBuster:
- WinPE GhostBuster
- Inside-the-box GhostBuster
  - It detects hidden files by comparing a Win32 API scan with Master File Table parsing, detects hidden Registry entries by comparing a Win32 API scan with direct Registry hive file parsing, and detects hidden processes by comparing a Win32 API scan with direct traversals of the active process list and other kernel data structures.
  - See our December 2004 submission to DSN'05, "Detecting Stealth Software with Strider GhostBuster", for more details.
- User-Mode GhostBuster
  - Released on February 22, 2005, it implements the same hidden-file and hidden-Registry detection techniques used in the Inside-the-box GhostBuster (which includes additional hidden-process and hidden-module detection techniques).
- Simple steps you can take to detect some of today's ghostware:
  - Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.
  - Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the results.
  - Run a clean version of WinDiff from the CD on the two sets of results to detect file-hiding ghostware (i.e., invisible inside, but visible from outside). See Hacker Defender ghostware files revealed (highlighted) for an example.
  - Note: there will be some false positives. Also, this does not detect stealth software that hides in BIOS, video card EEPROM, disk bad sectors, Alternate Data Streams, etc.
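The cross-view comparison from the steps above, as an added Python example that is not GhostBuster's own code: it parses the two saved "dir /s /b" listings, normalizes drive letter and case (a clean-boot CD may mount the volume under a different letter), and reports files the clean-boot view lists but the inside view omits. The VOLATILE paths, the sample listings and the hidden_sample directory are constructed for illustration.

```python
"""Cross-view diff of two `dir /s /b` listings (inside-the-box vs. clean boot).

Constructed example: a path that the clean-boot view ("the truth") lists but
the inside view ("the lie") omits is a file-hiding candidate.
"""
import ntpath

# Paths whose presence legitimately differs between a running OS and a cold
# volume; reported separately so known false positives do not hide real hits.
VOLATILE = {"pagefile.sys", "hiberfil.sys"}
VOLATILE_DIRS = ("\\windows\\temp\\", "\\system volume information\\")


def normalize(line: str) -> str:
    """Case-fold and strip the drive letter: NTFS is case-insensitive and the
    same volume may carry a different letter when booted from the clean CD."""
    line = line.strip()
    if not line:
        return ""
    _drive, rest = ntpath.splitdrive(line)
    return rest.lower()


def parse_listing(text: str) -> set:
    return {p for p in (normalize(l) for l in text.splitlines()) if p}


def is_volatile(path: str) -> bool:
    return ntpath.basename(path) in VOLATILE or any(d in path for d in VOLATILE_DIRS)


def cross_view_diff(inside: str, outside: str) -> dict:
    """Return hiding candidates, likely false positives, and inside-only paths."""
    lie, truth = parse_listing(inside), parse_listing(outside)
    missing_inside = truth - lie  # visible from outside, invisible inside
    return {
        "hidden": sorted(p for p in missing_inside if not is_volatile(p)),
        "volatile": sorted(p for p in missing_inside if is_volatile(p)),
        "inside_only": sorted(lie - truth),  # transient files of the live OS
    }


# Constructed sample listings: the inside view omits the hidden_sample files.
INSIDE = "C:\\Windows\\System32\\ntoskrnl.exe\nC:\\Windows\\Temp\\scan.log\nC:\\pagefile.sys\n"
OUTSIDE = ("D:\\Windows\\System32\\ntoskrnl.exe\n"
           "D:\\Windows\\System32\\hidden_sample\\ghost.sys\n"
           "D:\\Windows\\System32\\hidden_sample\\ghost.ini\n"
           "D:\\System Volume Information\\tracking.log\nD:\\pagefile.sys\n")

if __name__ == "__main__":
    for kind, paths in cross_view_diff(INSIDE, OUTSIDE).items():
        print(kind, paths)
```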
- Rootkit-protected Spyware
- Spyware turning into Ghostware
- Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, Ming-Wei Wu, Yennun Huang, and Sy-Yen Kuo, "Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware Management," in Proc. USENIX LISA, 2004.
- Yi-Min Wang, Roussi Roussev, Chad Verbowski, Aaron Johnson, and David Ladd, "AskStrider: What Has Changed on My Machine Lately?," Microsoft Research Technical Report MSR-TR-2004-03, January 2004.
- Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, and Aaron Johnson, "Strider GhostBuster: Why It's A Bad Idea For Stealth Software To Hide Files," Microsoft Research Technical Report MSR-TR-2004-71, July 2004.
- Yi-Min Wang, Doug Beck, Binh Vo, Roussi Roussev, and Chad Verbowski, "Detecting Stealth Software with Strider GhostBuster," Microsoft Research Technical Report MSR-TR-2005-25, February 21, 2005 (submitted to DSN-2005 on December 13, 2004); in Proc. Int. Conf. on Dependable Systems and Networks (DSN-DCCS), 2005.
- Yi-Min Wang and Doug Beck, "How to "Root" a Rootkit That Supports Root Processes Using Strider GhostBuster Enterprise Scanner," Microsoft Research Technical Report MSR-TR-2005-21, February 11, 2005.