[__Genius__]

Implicit Detection of Hidden Processes with a Feather-Weight Hardware-Assisted Virtual Machine Monitor

I found it at Acm portal,

Process hiding is a commonly used stealth technique which facilitates the evasion from the detection by anti-malware programs. In this paper, we propose a new approach called Aries to implicitly detect the hidden processes. Aries introduces a novel feather-weight hardware-assisted virtual machine monitor (VMM) to obtain the True Process List (TPL). Compared to existing VMM-based approaches, Aries offers three distinct advantages: dynamic OS migration, implicit introspection of TPL and non-bypassable interfaces for exposing TPL. Unlike typical VMMs, Aries can dynamically migrate a booted OS on it. By tracking the low-level interactions between the OS and the memory management structures, Aries is decoupled with the explicit OS implementation information which is subvertable for the privileged malware. Our functionality evaluation shows Aries can detect more process-hiding malware than existing detectors while the performance evaluation shows desktop-oriented workloads achieve 95.2% of native speed on average.

Code: Select all

http://www.sersc.org/journals/IJSIA/vol2_no4_2008/5.pdf

[EP_X0FF]

Table 2. Experimental Results for Libra Hidden Processes Detection. D refers to the tool
has detect the hidden process successfully while F denotes failure of detecting.
Aphex Hacker Defender FU FUTo phide_ex
Blacklight D D D F F
DarkSpy D D D D F
IceSword D D D F F
RkUnhooker D D D D F
Bitdefender Antirootkit D D D D F
UnHackMe D D D F F
GMER D D D D F
KProcCheck D D D D F
Process Hunter D D D F F
TaskInfo D D D F F
Libra D D D D D

This is lie. RkUnhooker as well as GMER is able to detect phide_ex since 2006.

Vol. 2, No. 4, October, 2008

Yes-yes, when it was firstly detected by ProcWalker in October 2006.

[__Genius__]

Yes, of-course a big lie in an international paper (accepted in IEEE !).
related to this topic

Code: Select all

http://forum.sysinternals.com/topic8527_page1.html

Anybody knows some of anti-Rootkits could detect phide_ex since this rootkit appears .

[EP_X0FF]

ProcWalker since 28/10/2006
GMER since November 2006
Rootkit Unhooker since November 2006

+ some more (almost all popular antirootkits can do this).

[Alex]

There isn't any information inside this article about versions of tools they tested, so it looks like they just put in a table information released while publishing individual demo rootkits and this will be true, because phide_ex defeated all ark's in 2006. But as you wrote, phide_ex has been detected about few days after it publishing by mentioned ark's. Anyway, this article has been published in 2008 and now we have 2010, when malware rootkits don't try to hide their processes/threads instead of files and kernel modules/code hiding. So maybe this time they will intercept I/O port access instead of cr3 ;)

[EP_X0FF]

There isn't any information inside this article about versions of tools they tested, so it looks like they just put in a table information released while publishing individual demo rootkits and this will be true

GMER / DarkSpy, RKU and some other were created after FUTo, so this theory can't be taken. Otherwise if we lead this logic, they also "bypassed" by many rootkits.
There is simple explanation of this fake table - crappy self-PR of authors of this "article". Your tool must be best of the best, otherwise there is no point in creating it.