Modern Operating Systems by Herbert Bos and Andrew S. Tanenbaum, 4th Ed. (pages 711-712 of 1137)

Page 711
680 SECURITY CHAP. 9
Spyware should not be confused with adware, in which legitimate (but small) software vendors offer two versions of their product: a free one with ads and a paid one without ads. These companies are very clear about the existence of the two versions and always offer users the option to upgrade to the paid version to get rid of the ads.
9.9.5 Rootkits
A rootkit is a program or set of programs and files that attempts to conceal its existence, even in the face of determined efforts by the owner of the infected machine to locate and remove it. Usually, the rootkit contains some malware that is being hidden as well. Rootkits can be installed by any of the methods discussed so far, including viruses, worms, and spyware, as well as by other ways, one of which will be discussed later.
Types of Rootkits
Let us now discuss the five kinds of rootkits that are currently possible, from bottom to top. In all cases, the issue is: where does the rootkit hide?
1. Firmware rootkits. In theory at least, a rootkit could hide by reflashing the BIOS with a copy of itself in there. Such a rootkit would get control whenever the machine was booted and also whenever a BIOS function was called. If the rootkit encrypted itself after each use and decrypted itself before each use, it would be quite hard to detect. This type has not been observed in the wild yet.
2. Hypervisor rootkits. An extremely sneaky kind of rootkit could run the entire operating system and all the applications in a virtual machine under its control. The first proof-of-concept, blue pill (a reference to a movie called The Matrix), was demonstrated by a Polish hacker named Joanna Rutkowska in 2006. This kind of rootkit usually modifies the boot sequence so that when the machine is powered on it executes the hypervisor on the bare hardware, which then starts the operating system and its applications in a virtual machine. The strength of this method, like the previous one, is that nothing is hidden in the operating system, libraries, or programs, so rootkit detectors that look there will come up short.
3. Kernel rootkits. The most common kind of rootkit at present is one that infects the operating system and hides in it as a device driver or loadable kernel module. The rootkit can easily replace a large, complex, and frequently changing driver with a new one that contains the old one plus the rootkit.
Page 712
SEC. 9.9 MALWARE 681
4. Library rootkits. Another place a rootkit can hide is in the system library, for example, in libc in Linux. This location gives the malware the opportunity to inspect the arguments and return values of system calls, modifying them as need be to keep itself hidden.
5. Application rootkits. Another place to hide a rootkit is inside a large application program, especially one that creates many new files while running (user profiles, image previews, etc.). These new files are good places to hide things, and no one thinks it strange that they exist.
The five places rootkits can hide are illustrated in Fig. 9-31.
[Figure 9-31. Five places a rootkit can hide. Five panels, (a) through (e), each showing a stack of App., Library, Operating system, and HW (BIOS); one panel also shows a Hypervisor layer between the operating system and the hardware.]
Rootkit Detection
Rootkits are hard to detect when the hardware, operating system, libraries, and applications cannot be trusted. For example, an obvious way to look for a rootkit is to make listings of all the files on the disk. However, the system call that reads a directory, the library procedure that calls this system call, and the program that does the listing are all potentially malicious and might censor the results, omitting any files relating to the rootkit. Nevertheless, the situation is not hopeless, as described below.
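The paragraph above and the library-rootkit item earlier both turn on the same observation: a rootkit that sits in libc can filter what readdir returns, but it cannot filter what the kernel returns to a program that issues the directory-reading system call itself. The classic defensive check is therefore a cross-view comparison: list a directory once through the C library and once through the raw system call, and flag any name the kernel reports but the library does not. The program below is an added example written for this page; it is not code from the book. It assumes Linux with glibc (it uses the getdents64 system call and defines the kernel's record layout itself, as the manual page requires), and the sample directory and file names it creates under /tmp are constructed for the demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Record layout returned by getdents64(2); glibc does not export it. */
struct linux_dirent64 {
    unsigned long long d_ino;
    long long          d_off;
    unsigned short     d_reclen;
    unsigned char      d_type;
    char               d_name[];
};

#define MAX_ENTRIES 1024
#define NAME_LEN    256

typedef struct {
    int  count;
    char names[MAX_ENTRIES][NAME_LEN];
} listing_t;

/* Store one name, skipping "." and "..". Returns -1 when the listing is full. */
static int add_name(listing_t *l, const char *name) {
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    if (l->count >= MAX_ENTRIES) return -1;
    snprintf(l->names[l->count++], NAME_LEN, "%s", name);
    return 0;
}

/* High-level view: opendir/readdir through the C library (the layer a library rootkit can filter). */
int list_via_libc(const char *dir, listing_t *out) {
    DIR *d = opendir(dir);
    if (!d) return -1;
    out->count = 0;
    for (struct dirent *e; (e = readdir(d)) != NULL;)
        if (add_name(out, e->d_name) < 0) { closedir(d); return -1; }
    closedir(d);
    return out->count;
}

/* Low-level view: the raw getdents64 system call, bypassing libc's readdir. */
int list_via_syscall(const char *dir, listing_t *out) {
    int fd = open(dir, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    unsigned long long raw[1024];           /* 8 KiB, 8-byte aligned for the records */
    char *buf = (char *)raw;
    out->count = 0;
    for (;;) {
        long n = syscall(SYS_getdents64, fd, buf, sizeof raw);
        if (n < 0) { close(fd); return -1; }
        if (n == 0) break;
        for (long off = 0; off < n;) {
            struct linux_dirent64 *e = (struct linux_dirent64 *)(buf + off);
            if (add_name(out, e->d_name) < 0) { close(fd); return -1; }
            off += e->d_reclen;
        }
    }
    close(fd);
    return out->count;
}

/* Cross-view check: count names the kernel reports that the libc view omits (-1 on error). */
int cross_view_hidden_count(const char *dir) {
    listing_t *hi = calloc(1, sizeof *hi), *lo = calloc(1, sizeof *lo);
    int hidden = -1;
    if (hi && lo && list_via_libc(dir, hi) >= 0 && list_via_syscall(dir, lo) >= 0) {
        hidden = 0;
        for (int i = 0; i < lo->count; i++) {
            int found = 0;
            for (int j = 0; j < hi->count && !found; j++)
                found = strcmp(lo->names[i], hi->names[j]) == 0;
            if (!found) { printf("hidden from libc view: %s\n", lo->names[i]); hidden++; }
        }
    }
    free(hi); free(lo);
    return hidden;
}

/* Constructed sample: a fresh temp directory with three files. Returns 3, or -1 on error. */
int make_sample_dir(char *path, size_t len) {
    char tmpl[] = "/tmp/crossview-XXXXXX";         /* constructed location for the demo */
    if (!mkdtemp(tmpl)) return -1;
    snprintf(path, len, "%s", tmpl);
    const char *files[] = { "alpha.txt", "beta.log", ".hidden-config" };
    for (int i = 0; i < 3; i++) {
        char p[512];
        snprintf(p, sizeof p, "%s/%s", tmpl, files[i]);
        int fd = open(p, O_WRONLY | O_CREAT, 0600);
        if (fd < 0) return -1;
        close(fd);
    }
    return 3;
}

int main(void) {
    char dir[256];
    if (make_sample_dir(dir, sizeof dir) < 0) { perror("make_sample_dir"); return 1; }
    int hidden = cross_view_hidden_count(dir);
    printf("%s: %d entries hidden from the libc view\n", dir, hidden);
    return hidden == 0 ? 0 : 2;
}
```

On an uncompromised machine both views agree and the count is zero. The check only catches hiding done in the library or the listing program; a kernel rootkit that filters getdents64 itself would lie to both views, which is exactly why the book treats kernel, hypervisor, and firmware rootkits as progressively harder cases.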
Detecting a rootkit that boots its own hypervisor and then runs the operating system and all applications in a virtual machine under its control is tricky, but not impossible. It requires carefully looking for minor discrepancies in performance and functionality between a virtual machine and a real one. Garfinkel et al. (2007) have suggested several of them, as described below. Carpenter et al. (2007) also discuss this subject.
One whole class of detection methods relies on the fact that the hypervisor itself uses physical resources and the loss of these resources can be detected. For example, the hypervisor itself needs to use some TLB entries, competing with the virtual machine for these scarce resources. A detection program could put pressure