ABSTRACT
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD for their CPUs may be applied. To deal with this new malware we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have validated this concept by developing MemoryMonRWX, a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis and support for multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
Keywords: memory protection; tracking memory access; information leakage; kernel integrity; hypervisor
1. INTRODUCTION
Modern malware attacks on Windows machines are becoming increasingly sophisticated and extremely difficult to detect. The newest integrated security mechanisms in modern Windows 10 x64, such as Kernel Mode Code Signing (KMCS) and Kernel Patch Protection (KPP), also known as PatchGuard, are unable to prevent malicious activity.
Modern malware attacks are 'surgical' and infect the networks of huge organizations even when their computers have never been connected to the Internet, so-called 'air-gapped computers' (Paganini, 2014). Let us consider some recent incidents involving the following malware: the Turla rootkit, which remained undiscovered for at least three years, and ProjectSauron, which has never been stored on a disk.
According to the security response by Symantec, the Turla trojan, which was created by the Waterbug hacker group, successfully compromised more than 4,500 computers in 100 countries (Symantec, 2016). Even the Swiss Federal Department of Defense (GovCERT, 2016) was under a cyberespionage attack via Turla (Paganini, 2016). This malware remained undiscovered for at least three years due to its stealth features, which helped it to overcome both built-in Windows security mechanisms and signature-based anti-virus mechanisms. The authors of the Turla rootkit proposed a new method to overcome Driver Signature Enforcement. The rootkit loads a legitimate signed driver and then, by exploiting a vulnerability in it, loads a malware driver. As a result, it defeats Driver Signature Enforcement and makes it possible to load any...