Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
LWN.net Weekly Edition for May 9, 2013
(Nearly) full tickless operation in 3.10
Security quotes of the week
Posted Jun 5, 2012 19:55 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
It's not a simple task. And exploiting the kernel is only the first part of it. Next you need to somehow isolate antivirus-installed hooks without tripping them and leave the system working.
Most malware actually doesn't try to do this. Instead it tries to stay quiet and do not trip any antivirus detection heuristics.
Posted Jun 5, 2012 20:30 UTC (Tue) by hummassa (subscriber, #307)
Posted Jun 5, 2012 22:32 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
It also sets a lot of hooks and tries to monitor self-integrity, so even if you try to kill it by patching kernel process table or in any other obvious way - you'll simply trigger these hooks and either initiate a self-healing attempt or create a BSOD. It's possible to work around them, of course, but decidedly non-trivial. Even Flame malware doesn't try to do it - it simply stays under the radar.
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds