Taking Malware Detection To The Next Level (Down)

Abstract: 

Several highly sophisticated rootkits have garnered media attention over the past few weeks, highlighting the vulnerability of current anti-malware techniques to layer-below attacks. These new rootkits are not the only weakness of traditional anti-malware techniques. For example, "morphing" viruses evade string scanning by altering their code structure between generations. Emulation can sometimes detect these morphing viruses, but its effectiveness is limited by its high computational cost, its imprecision, and the development of anti-emulation techniques.

Our solution to layer-below attacks and morphing viruses is low-level, behavior-based threat detection. As malicious software has grown more complex, disk drive processors have grown more powerful. We propose using this new, under-utilized processing power to augment traditional anti-virus and rootkit detection techniques with computation performed directly on the disk processor. The disk processor is privy to the low-level behavior of any malware that alters data on its host, allowing us to identify threats from patterns of I/O requests. The disk's position and isolation make it well suited to malware detection: it sees every I/O request, and a rootkit running on the host cannot subvert it. Additionally, signatures built from low-level behavioral patterns are not confused by equivalent code substitution (i.e., morphing viruses). As an added benefit, disk-level monitoring comes at low cost: it requires little extra effort from the CPU, because it observes the behavior of normally running programs.
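The following is an added example, not code from the paper or its authors, that shows what "identifying threats from patterns of I/O requests" looks like from the disk's side. The disk sees only block-level requests, so the model here is a request as (operation, starting LBA, block count), and a behavioral signature as an ordered sequence of predicates that must all match within a window of requests. The signature, the boot-sector LBA, and the three traces are constructed for illustration: two "variants" of the same hypothetical boot-sector infector differ in the unrelated reads they issue (standing in for morphed code), yet produce the same block-level pattern, while a benign boot that only reads the boot sector does not match.

```python
"""Disk-side behavioral signature matching over an I/O request stream.

Added example: the request format, the signature language and the traces are
assumptions made for this illustration, not the paper's own design or data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence

BOOT_SECTOR_LBA = 0  # assumption: block 0 holds the boot record


@dataclass(frozen=True)
class IORequest:
    op: str       # "R" (read) or "W" (write); this is all the disk sees
    lba: int      # starting logical block address
    nblocks: int  # request length in blocks

    def covers(self, lba: int) -> bool:
        """True if this request touches block `lba`."""
        return self.lba <= lba < self.lba + self.nblocks


Predicate = Callable[[IORequest], bool]


@dataclass(frozen=True)
class Signature:
    name: str
    steps: Sequence[Predicate]  # must match in order, possibly non-adjacent
    window: int                 # max requests from first step to last


def match_signature(sig: Signature, trace: Sequence[IORequest]) -> List[int]:
    """Return trace indices at which `sig` completes.

    For every request matching the first step, walk forward at most
    `sig.window` requests looking for the remaining steps as an ordered
    subsequence; intervening unrelated requests are ignored, which is what
    makes the match insensitive to how the malware's code is arranged.
    """
    hits: List[int] = []
    for start, req in enumerate(trace):
        if not sig.steps[0](req):
            continue
        step = 1
        for i in range(start + 1, min(len(trace), start + sig.window)):
            if step < len(sig.steps) and sig.steps[step](trace[i]):
                step += 1
                if step == len(sig.steps):
                    hits.append(i)
                    break
    return hits


def scan(trace: Sequence[IORequest],
         signatures: Sequence[Signature]) -> Dict[str, List[int]]:
    """Run every signature over the trace; map signature name to hit indices."""
    return {sig.name: match_signature(sig, trace) for sig in signatures}


# Constructed signature: a read of the boot sector followed, within 16
# requests, by a write to it. A host-level string scanner would need the
# infector's bytes; the disk only needs this block-level pattern.
BOOT_SECTOR_REWRITE = Signature(
    name="boot-sector-rewrite",
    steps=[
        lambda r: r.op == "R" and r.covers(BOOT_SECTOR_LBA),
        lambda r: r.op == "W" and r.covers(BOOT_SECTOR_LBA),
    ],
    window=16,
)
SIGNATURES = [BOOT_SECTOR_REWRITE]

# Constructed traces (hypothetical, not captured from a real drive).
BENIGN_BOOT = [  # normal boot: read boot sector, read kernel, write a log
    IORequest("R", 0, 1), IORequest("R", 2048, 8),
    IORequest("R", 2056, 8), IORequest("W", 4096, 8),
]
INFECTOR_VARIANT_A = [  # read boot sector, read own body, write boot sector
    IORequest("R", 0, 1), IORequest("R", 1024, 8),
    IORequest("W", 0, 1), IORequest("W", 2048, 1),
]
INFECTOR_VARIANT_B = [  # "morphed" variant: different junk reads, same pattern
    IORequest("R", 0, 1), IORequest("R", 4096, 8),
    IORequest("R", 8192, 8), IORequest("W", 0, 1),
]

if __name__ == "__main__":
    for label, trace in [("benign", BENIGN_BOOT),
                         ("variant A", INFECTOR_VARIANT_A),
                         ("variant B", INFECTOR_VARIANT_B)]:
        print(label, scan(trace, SIGNATURES))
```

Two caveats a practitioner would add. First, a signature this coarse also fires on a legitimate boot-loader install, so real signatures need more steps or context (for example, which blocks were read before the write), and the precision of the approach rests on that tuning. Second, the disk's immunity is to host-resident rootkits; the monitor itself runs in drive firmware, so the trust argument depends on that firmware being protected from the host.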

Adrienne Felt, University of Virginia

Nathanael Paul, University of Virginia

David Evans, University of Virginia

Sudhanva Gurumurthi, University of Virginia


BibTeX
@conference {268865,
author = {Adrienne Felt and Nathanael Paul and David Evans and Sudhanva Gurumurthi},
title = {Taking Malware Detection To The Next Level (Down)},
year = {2006},
address = {Vancouver, B.C. Canada},
publisher = {USENIX Association},
month = jul,
}