Pages: 4 pages/≈1100 words
Sources: 8
Style: APA
Subject: Management
Type: Essay
Language: English (U.S.)
Document: MS Word
Topic: Develop a Research Problem Statement and Justification

Essay Instructions: Develop a Research Problem Statement and Justification

Essay Sample Content Preview:

Rootkits
Introduction
Computer security is one of the most important elements of any network, and its importance grows with the level and complexity of attacks on the integrity of data and on the organization itself. There are various kinds of threats, and among them is rootkit malware. Rootkits are computer programs that take control of a computer's resources without the consent of the user. There are three main modes of rootkits, categorized by the level at which they operate. User mode rootkits operate at the user level, where they interact with applications. Kernel mode rootkits operate within the kernel of the operating system, while master boot record rootkits operate at the level of the BIOS and motherboard boot instructions. There are a number of rootkit removal tools that can be used to remove some of this malware. However, removal comes with various challenges, and technical teams have to be ready to resolve them and come up with the best solution.
Rootkits
Rootkits are programs that take the form of malware on a computer. As the name suggests, they are software designed to take administrative control of the PC without the consent of the user. Bundled with other software, the rootkit installs itself on the computer and operates in a clandestine manner, so that the user does not know a malicious program is running underneath their programs (Cucu, 2018). Given administrative control of the computer's resources, it can track all the processes the user interacts with on the operating system, as well as the programs installed and running. Simply put, it can scan the user's internet requests, record keystrokes, open programs and control hardware, among other resources, without the consent of the user. Rootkits are stealthy, as they can hide their presence using a technique referred to as Direct Kernel Object Manipulation (DKOM). As Bencsáth, Pék, Buttyán and Félegyházi indicated in their paper The Cousins of Stuxnet: Duqu, Flame, and Gauss, Windows uses a doubly linked list to represent system resources such as timers, threads and processes (Bencsáth, Pék, Buttyán & Félegyházi, 2012). DKOM works by unlinking objects from that list and then presenting a modified list of processes. This means the rootkit becomes invisible to tools such as Task Manager. Because scheduling in Windows works at the thread level, the invisible processes are still executed and run (Bencsáth, Pék, Buttyán & Félegyházi, 2012). The technique is associated with the brilliance of one Jamie Butler, who developed the infamous FU rootkit. However, the technique has a major weakness, which relates to the fragility of kernel-level data structures. They tend to change between different OS releases, and as a result, when the rootkit's processes are running they can cause system instability and constantly reboot the PC (Bencsáth, Pék, Buttyán & Félegyházi, 2012).
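The paragraph above describes why an unlinked process stays invisible to list-walking tools yet keeps running: the process object is still allocated and its threads are still scheduled, only its list links are spliced out. The standard defensive answer is cross-view detection, which compares the linked-list view with an independent view of the same objects. The Python model below is an added example, not code from the essay or from the cited papers; the process names, PIDs and thread counts are constructed, and the `Process` class is a toy stand-in for a kernel process object, not a real structure.

```python
"""Cross-view detection of a DKOM-hidden process, modelled in Python.

Constructed model (not real kernel structures): a circular doubly linked
'active process list' with a sentinel head, the shape the essay describes,
plus a second, independent view built from every process object that still
owns runnable threads. Unlinking a process from the list does not remove it
from the second view, and that disagreement is the detection signal.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterator, Optional


@dataclass(eq=False)
class Process:
    """Toy stand-in for a kernel process object (constructed for this example)."""
    pid: int
    name: str
    thread_count: int
    flink: Optional["Process"] = field(default=None, repr=False)
    blink: Optional["Process"] = field(default=None, repr=False)


class ActiveProcessList:
    """Circular doubly linked list with a sentinel head node."""

    def __init__(self) -> None:
        self.head = Process(pid=-1, name="<list head>", thread_count=0)
        self.head.flink = self.head
        self.head.blink = self.head

    def append(self, proc: Process) -> None:
        last = self.head.blink
        proc.flink, proc.blink = self.head, last
        last.flink = proc
        self.head.blink = proc

    def walk(self) -> Iterator[Process]:
        """The view a Task Manager-style tool gets: follow flink until back at the head."""
        node = self.head.flink
        while node is not self.head:
            yield node
            node = node.flink


def dkom_unlink(proc: Process) -> None:
    """Model of the list manipulation the essay describes: the object stays
    allocated and its threads stay schedulable; only the list links change."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink


def scheduler_view(all_objects: list[Process]) -> set[int]:
    """Independent view: every process object that still owns runnable threads,
    modelling a scan of objects in memory rather than a walk of the list."""
    return {p.pid for p in all_objects if p.thread_count > 0}


def cross_view_detect(active_list: ActiveProcessList, all_objects: list[Process]) -> set[int]:
    """PIDs present in the scan view but absent from the list view are hidden."""
    listed = {p.pid for p in active_list.walk()}
    return scheduler_view(all_objects) - listed


def build_demo() -> tuple[list[int], set[int]]:
    """Constructed scenario: four processes, one of them unlinked DKOM-style."""
    objects = [
        Process(4, "System", 120),
        Process(800, "svchost.exe", 12),
        Process(1200, "explorer.exe", 40),
        Process(1337, "hidden.exe", 2),  # constructed name for the unlinked process
    ]
    plist = ActiveProcessList()
    for p in objects:
        plist.append(p)
    dkom_unlink(objects[3])
    visible = [p.pid for p in plist.walk()]   # list walk no longer shows 1337
    hidden = cross_view_detect(plist, objects)  # scan view still does
    return visible, hidden


if __name__ == "__main__":
    visible, hidden = build_demo()
    print("list walk sees:", visible)
    print("hidden by cross-view:", sorted(hidden))
```

Memory forensics tools apply the same idea on real memory images: Volatility's `pslist` walks the kernel's process list while `psscan` scans memory for process objects, and a process that appears only in the scan is a candidate for DKOM hiding. The model also shows why the hidden process keeps running: `scheduler_view` never consulted the list, just as the Windows scheduler works from threads rather than from the process list.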
User Mode Rootkits
There are three main categories of rootkits, namely user mode, kernel mode and Master Boot Record rootkits. User mode rootkits involve hooking in the application or user space. Whenever an application makes a call to the system, the system call takes a predetermined path. It is along this path that the rootkit hijacks the process (Symantec Security Response, 2005). It is important to note that this can happen at a myriad of points along the path, making it quite complex. Commonly, user mode rootkits modify the in-memory code of system DLLs. In a nutshell, when an application calls a Windows API, say RegEnumKey, to enumerate registry keys, the rootkit finds the location of the code, which in this case is in ADVAPI32.DLL, and modifies it. This way, when the API is called, execution is redirected to the rootkit's code instead. In most cases, the rootkit will even modify the returned results after calling the original API, before those results get back to the application.
Kernel Mode Rootkits
As the name suggests, kernel mode rootkits are associated with modification of the kernel space. Normally, the kernel is a protected space, as one must have the rights not only to modify but even to view its memory. However, given that it is the lowest level in the system, it presents a very reliable place for rootkit hooking. At the most basic level, the rootkit modifies the MSR (model-specific register) that mediates the transition between user mode and kernel mode. This causes the gate between the two modes to redirect execution to the kernel rootkit instead of the original code in the kernel. Kernel mode rootkits are also known to modify the SSDT (System Service Descriptor Table) and redirect all executions to their code. Much as in user mode, the rootkit also makes the original system call and then, before the results are passed back to the application, removes itself from the path. Lastly...