
A comparative analysis of rootkit detection techniques.

Author: Thomas Martin Arnold
Publisher: ProQuest, UMI Dissertation Publishing
Price: 69.00 USD

Book Details
ISBN / ASIN: 1243999527
ISBN-13: 9781243999528
Availability: Usually ships in 2 to 3 weeks
Marketplace: United States

Description

A rootkit is a type of malware designed to gain administrator-level control over a computer system while hiding itself from the user and the operating system by compromising the communication channels within the operating system. A well-designed rootkit can hide files, data, processes, and network ports, and can typically survive a system restart. This stealthy design allows the rootkit to perform malicious activities such as keystroke logging, or to give a remote attacker control of the infected system. Even though current rootkits are extremely stealthy, a number of techniques have been developed to detect their presence. These techniques include signature-based detection, heuristic or behavior-based detection, host integrity monitoring, and network-based detection. This thesis compares the operation of different types of detection methods against several of the most common rootkits currently affecting Windows-based systems.