In an attempt to bring our readers and listeners more technical content, the SecuraBit team has brought on a guest blogger to cover some of the current issues facing malware analysts and reverse engineers. Nick Jogie’s first post delves into rootkit analysis and explains in detail how to detect rootkits when AV and perimeter security devices just aren’t enough. Provide feedback to the SecuraBit team and let us know your thoughts!

“System Service Descriptor Table (SSDT) patching has been widely used by rootkits and is usually easily detected. BlackEnergy version 2 has implemented a technique which successfully hides from basic rootkit detection. Basic rootkit detectors typically only check the address ranges of the function pointers listed in the SSDT. If the pointers are outside the kernel address range, it implies that the SSDT is hooked.

The following will illustrate a procedural check, used to uncover this technique, using a kernel debugger…”
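To make the blind spot in that heuristic concrete, here is an added illustration that is not part of Nick Jogie’s post or of the SecuraBit page. It is a user-mode C program working on a constructed, truncated stand-in for the SSDT with hypothetical 32-bit addresses (the kernel load range, the six table entries and the two hook targets are all made up for the example). It runs the basic range check that the excerpt describes, then a baseline comparison (live table versus a clean copy, for instance one rebuilt from the on-disk kernel image), which is a common stronger check and is not claimed to be the kernel-debugger procedure the post goes on to show.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit example data (hypothetical addresses, not taken from a
 * real system or from a BlackEnergy sample): a short stand-in for the SSDT. */
#define SSDT_LEN 6u

typedef struct {
    uint32_t base;   /* module load address */
    uint32_t size;   /* module image size   */
} module_range_t;

/* Assumed ntoskrnl load range for this example. */
const module_range_t g_kernel = { 0x804d7000u, 0x001f8000u };

/* Baseline table: what the SSDT looks like on a clean system (e.g. rebuilt
 * from the on-disk kernel image). Every entry points into ntoskrnl. */
const uint32_t g_baseline_ssdt[SSDT_LEN] = {
    0x805a1b20u, 0x805b3c10u, 0x8059f0e0u, 0x805c7a40u, 0x805b9d30u, 0x805a4e90u,
};

/* Live table with two hooks:
 *  - index 2 points into a third-party driver, outside ntoskrnl (classic hook);
 *  - index 4 points inside ntoskrnl's range but not at the original function
 *    (the kind of hook a pure range check cannot see). */
const uint32_t g_live_ssdt[SSDT_LEN] = {
    0x805a1b20u, 0x805b3c10u, 0xf7a12c40u, 0x805c7a40u, 0x8060e350u, 0x805a4e90u,
};

static bool in_module(const module_range_t *m, uint32_t addr)
{
    return addr >= m->base && addr - m->base < m->size;
}

/* Basic detector heuristic: flag entries whose pointer lies outside the kernel
 * image. Returns a bitmask of flagged indices (table capped at 32 entries). */
uint32_t range_check(const uint32_t *ssdt, size_t n, const module_range_t *kernel)
{
    uint32_t flagged = 0;
    for (size_t i = 0; i < n && i < 32; i++)
        if (!in_module(kernel, ssdt[i]))
            flagged |= 1u << i;
    return flagged;
}

/* Stronger check: compare each live entry against its baseline value, so a
 * hook is caught regardless of where its target lives. */
uint32_t baseline_check(const uint32_t *live, const uint32_t *baseline, size_t n)
{
    uint32_t flagged = 0;
    for (size_t i = 0; i < n && i < 32; i++)
        if (live[i] != baseline[i])
            flagged |= 1u << i;
    return flagged;
}

static void report(const char *name, uint32_t mask)
{
    printf("%s:", name);
    for (size_t i = 0; i < SSDT_LEN; i++)
        if (mask & (1u << i))
            printf(" [%zu] 0x%08x", i, g_live_ssdt[i]);
    printf("%s\n", mask ? "" : " no hooks flagged");
}

int main(void)
{
    /* Range check flags only index 2; the baseline comparison flags 2 and 4. */
    report("range check   ", range_check(g_live_ssdt, SSDT_LEN, &g_kernel));
    report("baseline check", baseline_check(g_live_ssdt, g_baseline_ssdt, SSDT_LEN));
    return 0;
}
```

The range check passes entry 4 because its target sits inside the kernel image, which is exactly the condition a range-only detector treats as clean; only a comparison against a known-good value (or against where the exported service routine actually starts) exposes it. On a real system the kernel range would come from the loaded-module list and the baseline from a trusted copy of the table, not from constants as here.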

Read more here:

Rootkit Analysis – Hiding SSDT Hooks

Written by: Nick Jogie