A forum for reverse engineering, OS internals and malware analysis 

 #9911  by R136a1
 Fri Nov 25, 2011 3:30 pm
This paper takes an in-depth look into the attack strategies of recent rootkits and analyses what has worked for them. In doing so it highlights some of the profitable attack methodologies from the perspective of kernel rootkits. The discussion in this paper about prediction of the future of stealth attacks is derived from our analysis of multiple rootkits over many years and also based on current trends and some specific techniques. The main aim of this discussion is to help reanalyse rootkit defences and decide what technological improvements (if any) are needed in current and future products to better combat the ever changing stealth threat landscape.
GDT manipulation to hook IDT on 32-bit OS
During our discussions with security researcher Xeno Kovah at MITRE Corporation, he mentioned a technique that he is planning to publish soon and is simple enough for rootkits to adopt. It therefore prompted us to discuss it here (with Xeno’s approval) since we think it may be used in the wild in future.
....
http://www.mcafee.com/us/resources/repo ... ttacks.pdf
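The quoted section only names the technique (bending the GDT so that an IDT gate ends up in a different code segment). From the defender's side, the useful check is that every present IDT gate's selector still resolves to a flat ring-0 code segment in the GDT. The following is an added example, not code from the McAfee paper or from Xeno's training material: it parses 32-bit GDT and IDT descriptors from caller-supplied buffers (a driver or a memory-forensics tool would obtain these via sgdt/sidt or from a memory image; that part is outside this snippet) and reports gates whose segment is not present, not code, not ring 0, or not base-0/4 GiB flat. The descriptor layouts are the standard x86 ones; the sample tables are constructed for the demo, including one deliberately non-flat code descriptor.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define FLAT_LIMIT 0xFFFFFu  /* 20-bit limit that, with G=1, covers the full 4 GiB */

/* 8-byte 32-bit GDT segment descriptor (standard x86 layout) */
struct seg_desc {
    uint16_t limit_lo;
    uint16_t base_lo;
    uint8_t  base_mid;
    uint8_t  access;    /* P:1 DPL:2 S:1 Type:4 */
    uint8_t  flags_lim; /* G:1 D/B:1 L:1 AVL:1 limit[19:16]:4 */
    uint8_t  base_hi;
} __attribute__((packed));

/* 8-byte 32-bit IDT interrupt/trap gate (standard x86 layout) */
struct idt_gate {
    uint16_t offset_lo;
    uint16_t selector;
    uint8_t  zero;
    uint8_t  type_attr; /* P:1 DPL:2 0:1 GateType:4 */
    uint16_t offset_hi;
} __attribute__((packed));

static uint32_t seg_base(const struct seg_desc *d) {
    return (uint32_t)d->base_lo | ((uint32_t)d->base_mid << 16) | ((uint32_t)d->base_hi << 24);
}
static uint32_t seg_limit(const struct seg_desc *d) {
    return (uint32_t)d->limit_lo | ((uint32_t)(d->flags_lim & 0x0F) << 16);
}
static int seg_granular(const struct seg_desc *d) { return (d->flags_lim & 0x80) != 0; }
static int seg_present(const struct seg_desc *d)  { return (d->access & 0x80) != 0; }
static int seg_dpl(const struct seg_desc *d)      { return (d->access >> 5) & 3; }
/* S=1 (code/data) and Type bit 3 set (executable) */
static int seg_is_code(const struct seg_desc *d)  { return (d->access & 0x18) == 0x18; }

enum gate_problem {
    GATE_OK = 0,
    GATE_NOT_PRESENT_SKIP,   /* unused vector, nothing to check */
    GATE_SEL_LDT,            /* TI=1: handler would live in an LDT segment */
    GATE_SEL_OUT_OF_RANGE,   /* null selector or index beyond the GDT */
    GATE_SEG_NOT_PRESENT,
    GATE_SEG_NOT_CODE,
    GATE_SEG_NOT_RING0,
    GATE_SEG_NOT_FLAT        /* base != 0 or limit != 4 GiB: offset is being redirected */
};

/* Classify one IDT gate against the GDT it is supposed to reference. */
enum gate_problem check_gate(const struct idt_gate *g, const struct seg_desc *gdt, size_t gdt_entries) {
    if (!(g->type_attr & 0x80)) return GATE_NOT_PRESENT_SKIP;
    if (g->selector & 0x4) return GATE_SEL_LDT;
    size_t idx = g->selector >> 3;
    if (idx == 0 || idx >= gdt_entries) return GATE_SEL_OUT_OF_RANGE;
    const struct seg_desc *d = &gdt[idx];
    if (!seg_present(d)) return GATE_SEG_NOT_PRESENT;
    if (!seg_is_code(d)) return GATE_SEG_NOT_CODE;
    if (seg_dpl(d) != 0) return GATE_SEG_NOT_RING0;
    if (seg_base(d) != 0 || !seg_granular(d) || seg_limit(d) != FLAT_LIMIT) return GATE_SEG_NOT_FLAT;
    return GATE_OK;
}

/* Count gates that are present but do not resolve to a flat ring-0 code segment. */
size_t audit_idt(const struct idt_gate *idt, size_t idt_entries, const struct seg_desc *gdt, size_t gdt_entries) {
    size_t bad = 0;
    for (size_t i = 0; i < idt_entries; i++) {
        enum gate_problem p = check_gate(&idt[i], gdt, gdt_entries);
        if (p != GATE_OK && p != GATE_NOT_PRESENT_SKIP) {
            printf("vector %zu: selector 0x%04x problem %d\n", i, idt[i].selector, (int)p);
            bad++;
        }
    }
    return bad;
}

/* Constructed sample tables (not captured from a real system). */
static const struct seg_desc sample_gdt[] = {
    {0x0000, 0x0000, 0x00, 0x00, 0x00, 0x00}, /* 0x00 null */
    {0xFFFF, 0x0000, 0x00, 0x9A, 0xCF, 0x00}, /* 0x08 flat ring-0 code */
    {0xFFFF, 0x0000, 0x00, 0x92, 0xCF, 0x00}, /* 0x10 flat ring-0 data */
    {0xFFFF, 0x0000, 0x40, 0x9A, 0xCF, 0x00}, /* 0x18 ring-0 code, base 0x00400000 (not flat) */
};
static const struct idt_gate sample_idt[] = {
    {0x1000, 0x08, 0, 0x8E, 0x8040}, /* normal gate into the flat code segment */
    {0x1000, 0x18, 0, 0x8E, 0x8040}, /* same offset, but via the non-flat descriptor */
    {0x0000, 0x00, 0, 0x00, 0x0000}, /* not present, skipped */
    {0x2000, 0x10, 0, 0x8E, 0x8040}, /* selector points at a data segment */
};
#define SAMPLE_GDT_ENTRIES (sizeof sample_gdt / sizeof sample_gdt[0])
#define SAMPLE_IDT_ENTRIES (sizeof sample_idt / sizeof sample_idt[0])

size_t sample_audit(void) {
    return audit_idt(sample_idt, SAMPLE_IDT_ENTRIES, sample_gdt, SAMPLE_GDT_ENTRIES);
}

int main(void) {
    printf("suspicious gates: %zu\n", sample_audit());
    return 0;
}
```

Run against the constructed tables it flags two of the four gates: vector 1, whose selector resolves to a code descriptor with a non-zero base, and vector 3, whose selector names a data segment. An offset-only IDT check would pass vector 1, which is exactly why the GDT side has to be verified as well.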
 #10176  by xsk
 Tue Dec 06, 2011 11:40 am
Huh. I had forgotten that they asked me about publishing this. I was only allowed to put it in a paper for public release if I first informed vendors who did not detect the variant way of performing the hooking. The original paper which it was included in didn't get accepted to the conference, but now the technique is described in the rootkits class training material (opensecuritytraining.info/Rootkits.html). It is best understood by first covering the segmentation and interrupts portion of the Intermediate x86 class material (http://opensecuritytraining.info/IntermediateX86.html).

Xeno