Evaluation of Open Source Anti-Rootkit Tools
Sandeep Romana, Amit Kumar Jha, Himanshu Pareek, P.R.L Eswari
Center for Development of Advanced Computing, Hyderabad, India
{sandeepr, amitj, himanshup, prleswari}@cdac.in

Abstract— Rootkits belong to the family of malware that infects systems in stealth. We studied different system subversion techniques used by rootkits on the Windows platform. We then identified thirteen operating system parameters to scan for rootkit infection. This paper evaluates the capabilities of open source anti-rootkits using these parameters.

Keywords—anti-rootkit, open source, rootkit, testing
I. INTRODUCTION

A rootkit is a set of tools that helps an attacker hide its presence in order to maintain previously gained root access, bypassing the system's security policies without the user's intervention or authorization. The objective of this work is to observe general rootkit behavior patterns and evaluate the techniques available in open source to mitigate them. The open source community has produced a number of advanced software packages and tools in the field of security and privacy, such as antiviruses and intrusion detection systems, but when we evaluated open source anti-rootkit tools (OSATs) it seems that the open source community is way behind closed source or commercial software. The rest of this paper is structured as follows. Background discussion is done in Section 2. Section 3 discusses the techniques used by rootkits to hide from detection. Anti-rootkit tools are presented in Section 4 and the experimental setup is given in Section 5. A feature comparison of free and open source anti-rootkits is given in Section 6 along with a complete comparison of the detection capabilities. The conclusion is presented in Section 7.

II. BACKGROUND

We evaluated OSATs against demo and live rootkits and then compared the OSATs with free anti-rootkit tools (FATs). The testing process identifies the different infection points exploited by rootkits and how many of them are uncovered by anti-rootkit tools. As of the date of writing we found a single earlier comparison of anti-rootkit software, but none comparing OSATs. Alex of ntinternals.org [35] evaluated free and commercial software only. The free tools he evaluated are similar to those we chose, the only difference being that his comparison includes all the free tools whereas ours includes only the tools that fitted our criteria. Moreover, Alex used his own Invisible Driver v1.0, Invisible Dll v1.1 and Invisible Process v1.0 for the comparative analysis rather than live rootkit samples.

III. SYSTEM SUBVERTING TECHNIQUES
In this section we classify the various hooking techniques that rootkits use to hide their presence on the system. Fig. 1 shows these hooks within the Windows architecture. Our classification is based upon Bill Blunden's classification, which lists the call tables that can be hooked: the IAT (Import Address Table) in user space, and the IDT (Interrupt Descriptor Table), GDT (Global Descriptor Table), CPU MSRs (Model Specific Registers), SSDT (System Service Descriptor Table) and IRP dispatch table in kernel space [1]. According to Bill Blunden, rootkits can be classified based on eleven different code and data structures (software constructs) that rootkits can modify in user and kernel space to remain hidden on a system [1]. Based upon these software constructs we extract the important OS parameters which need to be monitored to identify rootkit presence on the system. The following paragraphs explain the hooking methods.

FIGURE I. VARIOUS HOOKING POINTS IN WINDOWS

A. IAT hook
A portable executable (PE) on Microsoft Windows must import the addresses of the functions it uses from DLLs [2]. The IAT is a table of function pointers filled in by the Windows loader as the DLLs are loaded into the executable's address space [3]. Jamie Butler and Peter Silberman present the anti-rootkit tool RAIDE and explain how rootkits modify the IAT to load rootkit code [4].

B. IDT hook
The IDT associates an interrupt handler with each interrupt vector [5]. The IDT is the kernel mode counterpart of the Interrupt Vector Table (IVT). Hooking the IDT allows interrupts (e.g. INT 0x2E) to be hooked. Yong Wang et al. discuss IDT hooking to hide processes and the like [6].

C. SYSENTER hook
The SYSENTER instruction was introduced in the Intel IA-32 architecture to provide a fast mechanism for making system calls [5, 7]. Hooking SYSENTER allows direct access to the SSDT. By hooking this entry point, a rootkit can filter all system calls without patching the SSDT. The rootkit does this by overwriting the pointer with the address of code in its own driver [8, 9].

D. SSDT hook
SSDT hooking is done to hide processes, directories, network connections and registry keys, and to trace system calls, by hooking functions such as NtQueryDirectoryFile, NtEnumerateKeyValue etc. [1]. An article on bypassing PatchGuard on Windows published at www.uninformed.org considers the SSDT to be the table most widely hooked by third party drivers [10].

E. GDT hook
A call gate is a special type of GDT descriptor, called a system descriptor, which is used to invoke a routine running in kernel mode from user mode [5]. Crazylord discusses using \device\PhysicalMemory to install a call gate in the GDT to gain kernel mode privileges in an article published in Phrack magazine [11].

F. IRP hook
Windows device drivers maintain a list of pointers to functions that handle different types of I/O Request Packets (IRPs) [12]. By intercepting I/O requests a rootkit can easily hide its files and network communication [13].

Woei-Jiunn and Yuh-Chen discuss five tricks based on DKOM to hide from anti-rootkits [14]. Yongqiang Zhang and Hai Bi detect SSDT hooks and inline function patches to establish rootkit existence [15]. The SANS organization, under its SCORE program, has published a checklist on Rootkits Investigation Procedures [16] indicating various techniques, such as SSDT hooks, IRP hooks, MBR, DKOM and others, being used to gain control of the operating system. Bravo and Garcia [17] also list IAT, IDT, SSDT, IRP handler and inline hooks among the elements to scan for rootkits.

From the above discussion we conclude that there is considerable impact on different operating system (OS) parameters as part of the system modification done by rootkits. Based on these observations we decided on thirteen different parameters to scan for and detect rootkits. These are: 1) Process/Thread, 2) Module/Driver, 3) Libraries (DLLs), 4) Services, 5) File, 6) Master boot record (MBR), 7) Alternate Data Stream (ADS), 8) Registry, 9) System Service Descriptor Table (SSDT) hooks, 10) Interrupt Descriptor Table (IDT) hooks, 11) Interrupt Request Packet (IRP) hooks, 12) Import Address Table (IAT) hooks, 13) SYSENTER hooks. The evaluation of OSATs in this paper is done against these OS parameters.

IV. ANTI-ROOTKIT TOOLS

We collected OSATs from various sources and extracted as much information as possible about each anti-rootkit. Though there are references to the anti-rootkit tools Libra [18] and Malnic [19], we were unable to find these tools in open source. Next we tried to compile and execute the OSATs, for which details are given in Table 1. The details of the five open source anti-rootkit tools used for the evaluation are shown below.

TABLE I. DETAILS OF OPEN SOURCE ANTI-ROOTKIT TOOLS

OSAT          | Year      | Successfully Compiled | Running   | Operating System
--------------|-----------|-----------------------|-----------|------------------
Arkitlib      | Aug 2010  | Yes                   | Yes       | 2003/XP/Vista
Phunter v1.1  | 4/1/2006  | No                    | Yes       | 2000/XP
Codeword v1.0 | 2009      | Yes                   | Partially | XP
Oark v1.0     | Dec 2010  | Yes                   | Yes       | 2000/XP
Ksbinsword    | Not Known | No                    | Yes       | 2000/XP/2003

A. Arkitlib
Arkitlib is an open source rootkit detection library for the Windows OS which attempts to detect hidden processes and hidden drivers. For the complete list of rootkit detection capabilities of arkitlib refer to [20].

B. Oark
This anti-rootkit aims to help ordinary computer users gain an understanding of rootkit information, detection and identification. It tries to detect rootkits by PEB (Process Execution Block), SSDT and SYSENTER hook detection [21].

C. Codeword
Codeword is an anti-rootkit tool developed by Aaron LeMasters and Michael Davis [22]. It provides critical system information to an analyst in a meaningful way. It attempts to detect SSDT and IRP hooks. It also scans PspCidTable to detect hidden processes.

D. Phunter
Phunter is a hidden process detector by Ms-Rem for Windows 2000 and XP. It attempts to detect hidden processes by obtaining process information in fourteen different ways [23].

E. Ksbinsword
Ksbinsword has multiple capabilities, viz. system monitoring, SSDT detection, LSP (Layered Service Provider) detection and listing of system modules.

We explored the features of the OSATs and tried to compile each one of them in our lab. For experimentation we used newly compiled binaries for the successfully compiled OSATs and already available binaries for the others. The details of the OSATs, viz. their version, whether they were successfully compiled in our test environment, and whether they run, are depicted in Table 2.

We successfully compiled arkitlib and oark from their source, but in the case of codeword we made some changes to the code to compile it and executed it partially. Codeword supports a total of 7 IOCTLs for scanning various OS areas for rootkit detection, but we were able to successfully execute only four of them. These are IOCTL_SSDT_DETECT_HOOKS, IOCTL_SSDT_DETECT_DETOURS, IOCTL_GET_PROCESS_LISTING_ZWQ and IOCTL_GET_PROCESS_LISTING_PSP. We were unable to compile Phunter v1.1 and Ksbinsword in our lab.

To finalize the FATs we evaluated RootRepeal v1.3.5 [25], Kernel Detective v1.4.1 [26], SysProt v1.0.1.0 [27], RootkitBuster v5.00.1050 [28], Rootkit Revealer v1.71 [29], Rootkit Unhooker v3.7.300.509 [30], RKDetector v2.0 [31] etc. Based on the number of features available to analyze the system, and how frequently these tools are updated, we did our experimentation with GMER v2.1.19163 [32] and USEC Radix v1.0.0.13 [33].

TABLE II. DEMO ROOTKIT DETAILS

Rootkit            | File Name                             | MD5                                                                                                    | Author's Name                  | Year | Running | Hiding Methods
-------------------|---------------------------------------|--------------------------------------------------------------------------------------------------------|--------------------------------|------|---------|------------------------------------------------
Futo3.0            | fu.exe, msdirectx.sys                 | 981db22a76aa871c93859a115236e0eb, d5b8f1e1de1d39d1c7183ca2f1e60f37                                     | Peter Silberman                | 2005 |         | Process/Thread, Module/Driver
Unreal v1.0.1.0    | Unreal.EXE, comint32.sys              | a40f6c5a1c62a67f508ef0a59fad0d0d, f67286b7a6a2542753181e0860effe34                                     | MP_ART & EP_X0FF               | 2007 |         | Module/Driver, Service, ADS
ghost              | Controller.exe                        | 3efbe86a73cd00580b0b61b00ad5423f                                                                       | Ric Vieler                     | 2006 |         | SSDT hooks, Module/Driver, Process/Thread, ADS
phide_ex           | phide_ex._exe, phide_ex.sys.exe       | ab1c631cec265363bf3943131e6f148d, 635fd00ab028cca9069cf2a02cb5c46f                                     | PE386                          | 2006 |         | Process/Thread
rkdemo1.2          | RKSTART.EXE, RKdemo12.sys             | 321791099064e24aa66a5ef4e37e2efd, ec298a4e21ac1fe045aa8aa43b7555fa                                     | MP_ART                         | 2006 |         | Process/Thread
shadow walker v1.0 | msdirectx.sys, mmHook.sys             | 1d26d842763d6b8ffc0a06aa1f83e7ce, 813a34e0cc61fccffaef8de0a65fdea2                                     | Sherri Sparks and Jamie Butler | 2005 | BSOD    | Virtual memory hooking
AFXRootkit2005     | root.exe                              | 092cc5ed71dfee729a993f17abcb8afa                                                                       | Aphex                          | 2005 |         | Process/Thread, Service, Registry, File
Vanquish0.1.2      | vanquish.exe, bind.exe, vanquish.dll  | 83e445b5f527c98ca8850c33816951a2, 8489ba346072e65c4626ebe2b5e01d8e, 0ca2339b2859c8e1b9c29aa34ee3b7f7   | XShadow                        | 2005 |         | Service, Registry, File

[The Source Available and Compiled columns, and the remaining Running entries, are not recoverable from the extracted table.]
TABLE III. FEATURE COMPARISON OF OSATS AND FATS

                           |        FATs       |              Open source tools (OSATs)
    Scanning parameter     | GMER | USEC Radix | arkitlib | phunter | oark | codeword | ksbinsword
---------------------------|------|------------|----------|---------|------|----------|-----------
 1. Process/Thread         | Yes  | Yes        | Yes      | Yes     | Yes  | Yes      | Yes
 2. Module/Driver          | Yes  | Yes        | Yes      | –       | –    | –        | –
 3. Libraries (DLL)        | Yes  | Yes        | Yes      | –       | –    | –        | –
 4. Services               | Yes  | Yes        | No       | No      | No   | No       | No
 5. File                   | Yes  | Yes        | No       | No      | No   | No       | No
 6. MBR                    | Yes  | Yes        | No       | No      | No   | No       | No
 7. Alternate Data Stream  | Yes  | Yes        | No       | No      | No   | No       | No
 8. Registry               | Yes  | Yes        | No       | No      | No   | No       | No
 9. SSDT hooks             | Yes  | Yes        | Yes      | Yes     | Yes  | Yes      | Yes
10. IDT hooks              | Yes  | Yes        | No       | No      | No   | No       | No
11. IRP hooks              | Yes  | Yes        | No       | No      | No   | –        | No
12. IAT hooks              | Yes  | Yes        | No       | No      | No   | No       | No
13. SYSENTER hooks         | Yes  | Yes        | Yes      | –       | –    | –        | –

[Yes/No entries are those stated in Sections VI and VII; – marks cells whose mark is not recoverable from the extracted table.]

V. EXPERIMENTAL SETUP

All experiments and testing were done on Microsoft Windows XP SP2 32-bit OS without any additional software installed. The test system was installed on a Windows Virtual PC with 1 GB of RAM and 20 GB of hard disk space, simulating the IA-32 architecture. We disabled networking for this virtual system during the experiments. The FAT and OSAT binaries were executed with administrator privileges for testing purposes. The rootkits for testing were selected keeping in mind the impact of virtualization on malware detection. We followed the practices listed in Prudent Practices for these experiments [34].

The OSATs evaluated are: arkitlib, oark, phunter, ksbinsword and codeword. This selection is based on the results of comprehensive searches on the internet that we made over a period of time to find OSATs. Rootkit samples for the evaluation include demo rootkits (i.e. those for which source code is available) obtained from kernelmode.info and 12 selectively picked live rootkit samples from vxheaven.org, whose database includes 3180 Windows rootkits as on the date of writing. Although 12 samples seems a small number, it serves the purpose, as the selected samples belong to different rootkit families. We also considered the detection ratio of each sample from VirusTotal [36] so as to ensure that the samples are detected by well-known anti-viruses.

Finally, the successfully executed rootkit samples were considered for testing. The demo rootkits used are: futo_enhanced, unreal, ghost, AFXRootkit2005, RKdemo1.2, vanquish and phide_ex. Table 1 lists the details of the demo rootkits (author, compile status etc.). We were unable to run shadow walker on the Windows XP SP2 test machine with PAE off as it caused a BSOD (Blue Screen of Death) [24]. Observing this we eliminated it for testing purposes and finally did the testing with the other seven demo rootkits. Table 5 lists the various live rootkits used in the experiments.

For comparative analysis we used FATs such as GMER and USEC Radix. The FATs were identified based on the number of features available to analyze the system to find rootkits and how frequently they are updated.

VI. DETECTION COMPARISON

This section discusses the comparison of features and rootkit detection capabilities of OSATs and FATs. Table 3 presents the detailed feature comparison over the thirteen OS parameters. It is evident from Table 3 that no OSAT scans for all the OS parameters chosen for the comparison. Among OSATs, arkitlib scans for 5 parameters, which are process/thread, module/driver, libraries, SSDT and SYSENTER hooks. Similarly, ksbinsword scans for 4 parameters and the rest scan for only 1, 2 or 3 parameters. Process and SSDT hooks are scanned by all the OSATs to look for rootkit infection. Other parameters such as module, driver and SYSENTER hooks are scanned by at most 2 OSATs. In comparison, the FATs scan for all thirteen parameters to detect rootkits. Tables 4 and 5 show the results of the experiments with demo and live rootkits respectively. Demo rootkits target registry, module, process, service, SSDT hook, file and ADS to hide the infection (see Table 2). Hence we evaluated OSATs considering these five parameters. The Vanquish and unreal rootkits went undetected by all OSATs. OS parameters such as registry, service, file and ADS went totally undetected even when an OSAT claims to scan these parameters for infection.

Moreover, rootkits such as AFXRootkit2005 and ghost were partially detected by the arkitlib and codeword OSATs. Phunter, which scans only for hidden processes, caused a BSOD with phide_ex when scanned with the syscall hooking option enabled. Interestingly, although phunter scans only for hidden processes, it detected more demo rootkits than any other OSAT. The FATs were able to detect almost all the features of all rootkits except ADS, for which GMER and Radix were unable to detect the ADS of ghost and unreal respectively.
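The SSDT, IDT and SYSENTER-hook scans compared above all come down to one check: does each table entry, or the MSR the CPU jumps through on SYSENTER, still point into the module that legitimately owns it; and codeword's two process listings (ZwQuerySystemInformation versus PspCidTable) come down to a cross-view comparison. The C program below is an added illustration of both checks, not code from the paper or from any of the evaluated tools; the module map, table snapshots, process lists and the driver name evil.sys are all constructed for the example.

```c
/* Added illustration: address-range attribution for SSDT/IDT entries and the
 * SYSENTER MSR, plus a cross-view process check. All snapshot data is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct kmodule { const char *name; uint32_t base; uint32_t size; };
struct finding { const char *table; unsigned index; uint32_t target; const char *owner; };
/* Constructed 32-bit loaded-module map; evil.sys is a hypothetical rootkit driver. */
static const struct kmodule mods[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x001F8000u },
    { "hal.dll",      0x806D0000u, 0x00020000u },
    { "evil.sys",     0xF8A10000u, 0x00004000u },
};
#define NMODS (sizeof mods / sizeof mods[0])
/* Module containing addr, or NULL when no listed module claims it (an unlisted
 * owner usually means a driver that has hidden itself from the module list). */
static const char *owner_of(uint32_t addr) {
    for (size_t i = 0; i < NMODS; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}
static int is_legit(const char *owner, const char *const *legit, size_t nlegit) {
    for (size_t i = 0; owner && i < nlegit; i++)
        if (strcmp(owner, legit[i]) == 0) return 1;
    return 0;
}

/* Report every entry whose target lies outside the modules allowed to own it. */
static size_t scan_table(const char *table, const uint32_t *entries, size_t n,
                         const char *const *legit, size_t nlegit,
                         struct finding *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < n && found < max; i++) {
        const char *o = owner_of(entries[i]);
        if (!is_legit(o, legit, nlegit))
            out[found++] = (struct finding){ table, (unsigned)i, entries[i], o ? o : "<unlisted>" };
    }
    return found;
}

/* Cross-view check: PIDs present in view a but missing from view b. */
static size_t hidden_pids(const uint32_t *a, size_t na, const uint32_t *b, size_t nb,
                          uint32_t *out, size_t max) {
    size_t found = 0;
    for (size_t i = 0; i < na && found < max; i++) {
        size_t j = 0;
        while (j < nb && b[j] != a[i]) j++;
        if (j == nb) out[found++] = a[i];
    }
    return found;
}

/* Constructed snapshots: SSDT entries and IA32_SYSENTER_EIP must resolve into
 * ntoskrnl; IDT entries may also land in hal.dll. */
static const char *const legit_ssdt[] = { "ntoskrnl.exe" };
static const char *const legit_idt[]  = { "ntoskrnl.exe", "hal.dll" };
static const uint32_t ssdt_snapshot[] = { 0x805B2A10u, 0x805A7F40u, 0x80578C20u, 0xF8A11230u, 0x805C0D00u };
static const uint32_t idt_snapshot[]  = { 0x80540120u, 0x806D2A00u, 0xF9C00420u, 0x80541A80u };
static const uint32_t sysenter_eip[]  = { 0xF8A10500u };
static const uint32_t pids_zwq[] = { 4, 368, 612, 1040, 1468 };       /* ZwQuerySystemInformation view */
static const uint32_t pids_psp[] = { 4, 368, 612, 1040, 1204, 1468 }; /* PspCidTable walk */

int main(void) {
    struct finding f[8]; uint32_t h[8]; size_t n, i;
    n  = scan_table("SSDT", ssdt_snapshot, 5, legit_ssdt, 1, f, 8);
    n += scan_table("IDT", idt_snapshot, 4, legit_idt, 2, f + n, 8 - n);
    n += scan_table("SYSENTER", sysenter_eip, 1, legit_ssdt, 1, f + n, 8 - n);
    for (i = 0; i < n; i++)
        printf("%-8s entry %u -> 0x%08X owned by %s\n", f[i].table, f[i].index, f[i].target, f[i].owner);
    n = hidden_pids(pids_psp, 6, pids_zwq, 5, h, 8);
    for (i = 0; i < n; i++) printf("PID %u in PspCidTable but not in ZwQuerySystemInformation\n", h[i]);
    return 0;
}
```

On the constructed data the program reports one SSDT entry and the SYSENTER MSR redirected into evil.sys, one IDT entry pointing at an address no listed module owns, and PID 1204 as visible in PspCidTable but absent from the ZwQuerySystemInformation view.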
TABLE IV. DETECTION RESULTS WITH DEMO ROOTKITS

Rootkit         | Date samples obtained (e) | OSATs: Arkitlib | Oark | Phunter | Codeword | ksbinsword | FATs: GMER | Radix
----------------|---------------------------|-----------------|------|---------|----------|------------|------------|------
Futo3.0         | 22-02-2012                | –               | –    | –       | –        | –          | –          | –
Unreal v1.0.1.0 | 22-02-2012                | –               | –    | –       | –        | –          | –          | –
Ghost           | 05-03-2012                | –               | –    | –       | –        | –          | –          | –
phide_ex        | 22-02-2012                | –               | –    | BSOD    | –        | –          | –          | –
rkdemo1.2       | 05-03-2013                | –               | –    | –       | –        | –          | –          | –
AFX Rootkit     | 22-02-2012                | –               | –    | –       | –        | –          | –          | –
Vanquish 0.1.2  | 22-02-2012                | –               | –    | –       | –        | –          | –          | –

[– marks detection marks not recoverable from the extracted table; the Phunter/phide_ex BSOD is the one stated in Section VI.]

a. Only 5 SSDT hooks got detected.
b. Partial detection, as the system hangs after a few seconds because of an access violation.
c. Results shown are with partial execution as discussed in Section 3.
d. Not all AFXRootkit capabilities are detected.
e. Date samples obtained.
Date samples analyzed: 30-05-2013
TABLE V. DETECTION RESULTS WITH LIVE ROOTKITS

Rootkit                          | MD5                              | FATs: GMER | Radix | OSATs: phunter | ksbinsword | Arkitlib | Oark | codeword
---------------------------------|----------------------------------|------------|-------|----------------|------------|----------|------|---------
Backdoor.Win32.ZAccess.aqep      | a2611095f689fadffd3068e0d4e3e7ed | Yes        | –     | No             | –          | –        | –    | –
Backdoor:Win32/Phdet.gen!B       | 317dea854c1d4b8e61e7c375421b6708 | Yes        | –     | No             | –          | –        | –    | –
Trojan-Dropper.Win32.Agent.dvvm  | 58c696bd77a07845558692c83018bc2f | Yes        | –     | No             | –          | –        | –    | –
Trojan.Win32.TDSS.bwkw           | f039715e00a4279cfe9c6c224a70c09e | Yes        | –     | No             | –          | –        | –    | –
Backdoor.Win32.Sinowal.fac       | 62a1938c69ca4f4b93a0ac4dede07afd | Yes        | –     | No             | –          | –        | –    | –
Trojan-Downloader.Win32.Small.csr| d380a8c045f0fdbe0d5a4657572f6e57 | Yes        | –     | No             | –          | –        | –    | –
Rootkit.Win32.Agent.ey           | ef0364c26faf02129624ba5ee9c4bd25 | Yes        | –     | No             | –          | –        | –    | –
Trojan-PSW.Win32.Sinowal.gj      | 0d89f255da7f58f0380e7900b2d93c3c | Yes        | –     | No             | –          | –        | –    | –
Trojan-Proxy.Win32.Saturn.f      | 8ccbcce8a778dc04dfee67008ee6a905 | Yes        | –     | No             | –          | –        | –    | –
Trojan.Win32.Srizbi.be           | 75aad8061507fd09c44a3fa199f4264d | Yes        | –     | No             | –          | –        | –    | –
Rootkit.Win32.Agent.bdkq         | acfe49f6431a608e520d8935c749f399 | Yes        | –     | No             | –          | –        | –    | –
Rootkit.Win32.KernelBot.ag       | 265b983ae825aa173200b9f36b31059b | Yes        | –     | No             | –          | –        | –    | –

[GMER and phunter columns follow the results stated below the table (100% and no detection respectively); – marks cells, including the Radix "app crash" entry, not recoverable from the extracted table.]

Date samples obtained: 23-07-2013. Date samples analyzed: 24-07-2013.
With live rootkits the arkitlib OSAT showed the best results by detecting 4 rootkits, whereas oark, ksbinsword and codeword detected only one rootkit each and phunter was unable to detect any rootkit. Another observation was that the OSATs were mostly able to detect SSDT hooks: oark, ksbinsword and codeword detected only the SSDT hook in the live rootkits. Among the FATs, GMER showed the best results with 100% detection, whereas the Radix detection rate stood at 58.33%.

VII. CONCLUSIONS

In this work we compared open source anti-rootkits and free anti-rootkits considering thirteen different OS parameters. From the evaluation we found that open source anti-rootkits have poor detection capabilities. Another observation is that open source anti-rootkits have not implemented any code to scan services, files, ADS, MBR, registry, IDT, IRP and IAT hooks to detect rootkits. Even though the OSATs scan process/threads, modules/drivers, libraries, SSDT and SYSENTER hooks, they are not able to detect them. This evaluation concludes that a lot of work is needed from the open source community in the direction of developing open source anti-rootkits. If complex software like operating systems and programming language compilers can be developed by the open source community, what are the hindrances to developing tools to counter the most sophisticated form of malware, i.e. rootkits? In the end, our suggestion to people taking up the implementation of OSATs is to implement scanning of the missing parameters given above along with improving the existing scanning techniques.
ACKNOWLEDGMENT

This research is supported by DeitY, Govt. of India. Any views, opinions and findings made in this paper are only those of the authors and do not reflect the views of DeitY.

REFERENCES

[1] Bill Blunden, The Rootkit Arsenal, Jones & Bartlett Publishers, 1st edition, May 4, 2009, pp. 138-139.
[2] An In-Depth Look into the Win32 Portable Executable File Format, Internet: http://msdn.microsoft.com/en-us/magazine/cc301805.aspx
[3] Greg Hoglund and Jamie Butler, Rootkits: Subverting the Windows Kernel, Addison-Wesley Professional, 2005.
[4] Jamie Butler and Peter Silberman, RAIDE: Rootkit Analysis Identification Elimination, http://www.blackhat.com/presentations/bh-europe06/bh-eu-06-Silberman-Butler.pdf
[5] Intel® 64 and IA-32 Architectures Software Developer's Manual, Volume 3A: System Programming Guide, Part 1, pp. 6-12, http://www.intel.com/Assets/ja_JP/PDF/manual/253668.pdf
[6] Yong Wang, Dawu Gu, Wei Li, Jing Li, Mi Wen, "Virus Analysis on IDT Hooks of Rootkits Trojan," International Symposium on Information Engineering and Electronic Commerce (IEEC '09), pp. 224-228, 16-17 May 2009, doi: 10.1109/IEEC.2009.52
[7] Mark Russinovich and David A. Solomon, Windows Internals: Including Windows Server 2008 and Windows Vista, 5th ed., Microsoft Press, 2009.
[8] Larry Stevenson, Nancy Altholz, Dave Kleiman, Mahesh Satyanarayana, Abdul-Rahman Elshafei, Allen C. Weil, Bill Bright, and Lawrence Abrams, Rootkits for Dummies, For Dummies, 2007.
[9] Hung-Min Sun, Hsun Wang, King-Hang Wang, Chien-Ming Chen, "A Native APIs Protection Mechanism in the Kernel Mode against Malicious Code," IEEE Transactions on Computers, vol. 60, no. 6, pp. 813-823, June 2011, doi: 10.1109/TC.2011.46
[10] Bypassing PatchGuard on Windows, Uninformed, Vol. 3, Jan 2006, http://uninformed.org/index.cgi?v=3&a=3&p=9
[11] Crazylord, "Playing with Windows /dev/(k)mem," Phrack, Volume 11, Issue 59, http://www.phrack.org/issues.html?issue=59&id=16
[12] I/O Request Packets, http://msdn.microsoft.com/en-us/library/windows/hardware/hh439638%28v=vs.85%29.aspx
[13] James Butler and Sherri Sparks, "Spyware and Rootkits," http://static.usenix.org/publications/login/2004-12/pdfs/spyware.pdf
[14] W. Tsaur and Yuh-Chen Chen, "Exploring Rootkit Detectors' Vulnerabilities Using a New Windows Hidden Driver Based Rootkit," 2010 IEEE Second International Conference on Social Computing (SocialCom), pp. 842-848, 20-22 Aug. 2010, doi: 10.1109/SocialCom.2010.127
[15] Yongqiang Zhang and Hai Bi, "Anti-rootkit Technology of Kernel Integrity Detection and Restoration," 2011 International Conference on Network Computing and Information Security (NCIS), vol. 1, pp. 276-278, 14-15 May 2011, doi: 10.1109/NCIS.2011.62
[16] Rootkits Investigation Procedures, www.sans.org/score/checklists/rootkits_investigation_procedures.doc
[17] P. Bravo and D. F. Garcia, "Proactive detection of kernel-mode rootkits," 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 515-520, Aug. 2011, IEEE.
[18] Yan Wen, Jinjing Zhao, and Huaimin Wang, "Implicit detection of hidden processes with a local-booted virtual machine," 2008 International Conference on Information Security and Assurance (ISA 2008), IEEE, 2008.
[19] Qiao-Ling Han, Yu-Jie Hao, Yan Zhang, Zhi-Peng Lu, Rui Zhang, "A New Malware Detection Method based on Raw Information," 2008 International Conference on Apperceiving Computing and Intelligence Analysis (ICACIA 2008), pp. 307-310, 13-15 Dec. 2008, doi: 10.1109/ICACIA.2008.4770030
[20] Swatkat, Open-source rootkit detection library for Microsoft Windows, Internet: code.google.com/p/arkitlib/, Dec. 29, 2011 [May 14, 2013].
[21] [email protected], The Open Source Anti Rootkit, Internet: code.google.com/p/oark/, Feb. 16, 2011 [Feb. 17, 2013].
[22] Aaron LeMasters and Michael Davis, Free enterprise malware and rootkit detection for the network defender, Internet: www.codeword.org/links.html, Jan. 6, 2010 [Feb. 20, 2013].
[23] Ms-Rem, Process Hunter, Internet: https://sites.google.com/site/delphibasics/home/delphibasicsprojects/processhunterbyms-rem, Nov. 20, 2010 [Jan. 10, 2013].
[24] Brien M. Posey, Demystifying the 'Blue Screen of Death', Internet: technet.microsoft.com/en-us/library/cc750081.aspx [May 14, 2013].
[25] RootRepeal Rootkit Detector, Internet: sites.google.com/site/rootrepeal/ [May 14, 2013].
[26] GamingMasteR, Kernel Detective v1.4.1, Internet: www.at4re.com/download.php?view.2, Dec. 13, 2010 [Mar. 20, 2013].
[27] Swatkat, SysProt AntiRootkit, Internet: sites.google.com/site/sysprotantirootkit/ [May 14, 2013].
[28] Trend Micro Inc., Rootkit Buster, Internet: http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=355&regs=NABU&lang_loc=1, Mar. 05, 2013 [May 14, 2013].
[29] Bryce Cogswell and Mark Russinovich, RootkitRevealer, Internet: technet.microsoft.com/en-us/sysinternals/bb897445.aspx, Nov. 1, 2006 [April 01, 2013].
[30] Rootkit Unhooker, Internet: www.antirootkit.com/software/RootKitUnhooker.htm [May 14, 2013].
[31] RKDetector, Security Analyzer & Rootkit Removal, Internet: www.rkdetector.com/ [May 14, 2013].
[32] GMER, Internet: www.gmer.net/, April 4, 2013 [May 14, 2013].
[33] USEC Radix, Internet: www.usec.at/rootkit.htm [May 14, 2013].
[34] C. Rossow, C.J. Dietrich, C. Grier, C. Kreibich, V. Paxson, N. Pohlmann, H. Bos, M. van Steen, "Prudent Practices for Designing Malware Experiments: Status Quo and Outlook," 2012 IEEE Symposium on Security and Privacy (SP), pp. 65-79, 20-23 May 2012, doi: 10.1109/SP.2012.14
[35] NtInternals, Internet: http://www.ntinternals.org/anti_rootkits.php [Oct. 10, 2013].
[36] VirusTotal, Internet: http://www.virustotal.com [Oct. 10, 2013].