Hard to catch, even harder to stop
23 Feb 2007
Online criminals are increasingly turning to kernel-level malware to attack systems, according to security researchers at F-Secure.
Kernel-level malware acts inside the operating system's kernel, the component that links the system to the computer's hardware. Traditional malware acts like a regular application that runs on top of the operating system.
Kimmo Kasslin, a security researcher at F-Secure, said in a study that this type of malware is "a scary thought".
"It would operate with the same privileges and share all the same resources as the operating system itself, and compete with any security solutions protecting the system's integrity against any malicious activities," he wrote.
The researcher warned that the trend could lead to an "arms race" between security software and the malware, as the latter tries to evade detection.
The race would ultimately favour the code that runs closest to the most basic functions of the operating system.
"This is a path that any serious security software vendor will not take. But the world is full of examples of malware and proof-of-concept code that does exactly this," explained Kasslin.
He noted that malware authors have dramatically increased the use of kernel-level code since 2005, and that 2.63 new kernel malware families were found by security researchers every month last year.
The current kernel code is primarily used with root-kits, which allow conventional malware programs to run undetected. However, Kasslin believes that kernel-level code is poised to take on a more prominent role in malware attacks very soon.
"More information is published about how to do things required by today's malware directly from kernel mode," he said. "This includes how to implement better root-kits, how to bypass personal firewalls and how to create backdoors and IRC bots."
The use of kernel-level code came to the fore last Autumn when Microsoft said that it would include a security component known as PatchGuard to effectively block the operating system kernel.
But security vendors claimed that malware writers would quickly break the protection, effectively offering unfettered access to a machine's entire resources. Security software would then be unable to do anything to stop the attack.
The latest home computing news
The best PC tools, applications and more
Independent opinions on new hardware and software
Easy-to-follow projects with pictures
Solve PC problems with our Q&A
PC projects demonstrated and product reviews
An in-depth look at how to get the best from your PC
What's coming up in Computeractive
Get help with your PC problems from our readers
Your chance to win computing prizes
Great deals on products, services and more
Computeractive
Back Issue CD-Rom 12 
All 26 issues of Computeractive from 2009 on one CD-Rom.
Ultimate
Guide to Free Computing
Find out how you can get free software, services and more!
Learn
to use Windows 7 
Everything you need to know about using Windows 7!
Computeractive
Back Issues
Missed an issue? Click here to find a back issue
Keeping an eye on the latest XP and Vista news
Exclusive first photos of Symantec's Smartphone Security for Android, taken at Symantec's headquarters. Story here .
> More from the Windows Watch blog
Your daily dose of download discussion
Probably our biggest giveaway for a while, we're offering you the full current AVG Anti-Virus 9 [1-PC, 1-Year], worth £26.99, completely FREE...
Computeractive is not reponsible for content of Google adverts
Reader comments