Researchers at the University of California at Santa Barbara have developed a technique for detecting changes caused by rootkits after infection. Could you explain how this rootkit detection technique works? Can it be deployed in an enterprise environment right now?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Researchers at the University of California at Santa Barbara presented a paper at the ACM Computer and Communications Conference that describes how Blacksheep can be used to detect changes or infections caused by a rootkit. The Blacksheep technique allows a system administrator to take a live memory dump from a managed system using a special driver. This dump is used to analyze the executing processes on the system to identify potential files executing in memory that may be malware. Blacksheep works in a similar fashion as file integrity checking, but the integrity and memory analysis checks are performed across a number of different systems to identify which, if any, files or memory dump data differ between the systems to potentially identify suspicious files.
One of the biggest challenges with implementing Blacksheep is the amount of homogeneity required from the endpoints to effectively identify changes made to or malware located in the memory of compromised systems. In many corporate environments, though, there is significant homogeneity, so these techniques offer new options for incident response. Blacksheep could also be used on servers or potentially any type of homogenously configured systems to identify malware or suspicious executables.
The Blacksheep technique could be used in the place of file integrity monitoring, which takes computer resources and time. Blacksheep could also be deployed to a wide number of systems to identify infected systems with minimal false positives caused by the environment.
This was first published in April 2013