Researchers at the University of California at Santa Barbara have developed a technique for detecting changes caused...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
by rootkits after infection. Could you explain how this rootkit detection technique works? Can it be deployed in an enterprise environment right now?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Researchers at the University of California at Santa Barbara presented a paper at the ACM Computer and Communications Conference that describes how Blacksheep can be used to detect changes or infections caused by a rootkit. The Blacksheep technique allows a system administrator to take a live memory dump from a managed system using a special driver. This dump is used to analyze the executing processes on the system to identify potential files executing in memory that may be malware. Blacksheep works in a similar fashion as file integrity checking, but the integrity and memory analysis checks are performed across a number of different systems to identify which, if any, files or memory dump data differ between the systems to potentially identify suspicious files.
One of the biggest challenges with implementing Blacksheep is the amount of homogeneity required from the endpoints to effectively identify changes made to or malware located in the memory of compromised systems. In many corporate environments, though, there is significant homogeneity, so these techniques offer new options for incident response. Blacksheep could also be used on servers or potentially any type of homogenously configured systems to identify malware or suspicious executables.
The Blacksheep technique could be used in the place of file integrity monitoring, which takes computer resources and time. Blacksheep could also be deployed to a wide number of systems to identify infected systems with minimal false positives caused by the environment.
Dig Deeper on Penetration testing, ethical hacking and vulnerability assessments
Related Q&A from Nick Lewis
Researchers have developed an ASLR Cache side-channel attack that enables them to eliminate ASLR protections. Expert Nick Lewis explains how ...continue reading
The SQL Slammer worm has re-emerged to attack a vulnerability in Microsoft SQL Server 2000. Expert Nick Lewis explains what enterprises can do to ...continue reading
The Fruitfly Mac malware has decades-old code, but has been conducting surveillance attacks for over two years without detection. Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.