Kaspersky Lab has obtained a patent for a method of detecting malware that is hidden by rootkits – programs capable of altering the results returned by system functions. Patent no. 8677492, issued by the US Patent and Trademark Office, describes a security solution with a dedicated module that duplicates some functions of the operating system kernel, so that the solution obtains its information independently of the originals and can rely on it even when the OS is infected with a rootkit.
Cybercriminals use rootkits to prevent security solutions from detecting malicious programs such as Trojans. To do this, the rootkit masquerades as a legitimate driver, loads into the OS kernel, intercepts the system function calls made by applications and modifies their results, removing any references to files and processes belonging to the Trojan. The malicious code is thus masked: the program becomes invisible to the user and to other applications, including any security software that relies on the same system functions.
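The mechanism above and the detection idea in the patent can be shown side by side in a small user-space simulation. The following C program is an added example written for this page; it is not Kaspersky's code and it does not reproduce the patented implementation. It models three things: a trusted listing routine that reads the raw data directly (standing in for a module that duplicates a kernel function rather than calling the original), a hooked listing routine that calls the original and then strips every entry whose name starts with a marker prefix (the filtering behaviour described above), and a cross-view comparison that reports whatever the hooked path dropped. The directory contents and the hidden prefix `tr0jan` are constructed sample data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define NAME_LEN 64

typedef struct {
    char names[MAX_ENTRIES][NAME_LEN];
    size_t count;
} listing_t;

/* Constructed sample input: what the file system really contains. */
static const char *const REAL_DIR[] = {
    "notepad.exe", "svchost.exe", "tr0jan.exe", "readme.txt", "tr0jan.cfg",
};
static const size_t REAL_DIR_LEN = sizeof REAL_DIR / sizeof REAL_DIR[0];

/* Hypothetical marker: the simulated rootkit hides every entry with this prefix. */
static const char *const HIDDEN_PREFIX = "tr0jan";

static void listing_add(listing_t *l, const char *name)
{
    if (l->count >= MAX_ENTRIES)
        return;
    snprintf(l->names[l->count], NAME_LEN, "%s", name);
    l->count++;
}

static bool listing_contains(const listing_t *l, const char *name)
{
    for (size_t i = 0; i < l->count; i++)
        if (strcmp(l->names[i], name) == 0)
            return true;
    return false;
}

/* Trusted view: reads the raw source directly. This stands in for a module
 * that duplicates the kernel routine instead of calling the (possibly hooked)
 * original, so its output cannot be filtered by the hook. */
static void trusted_list(listing_t *out)
{
    out->count = 0;
    for (size_t i = 0; i < REAL_DIR_LEN; i++)
        listing_add(out, REAL_DIR[i]);
}

/* Hooked view: the path an ordinary application sees. The simulated rootkit
 * calls the original routine and then removes every entry it wants hidden
 * before the results reach the caller. */
static void hooked_list(listing_t *out)
{
    listing_t original;
    trusted_list(&original);
    out->count = 0;
    for (size_t i = 0; i < original.count; i++)
        if (strncmp(original.names[i], HIDDEN_PREFIX, strlen(HIDDEN_PREFIX)) != 0)
            listing_add(out, original.names[i]);
}

/* Cross-view comparison: an entry present in the trusted view but absent from
 * the application view was removed between kernel and application, which is
 * the signature of a filtering rootkit. Returns the number of hidden entries
 * and writes their names to *hidden. */
static size_t cross_view_diff(const listing_t *trusted, const listing_t *visible,
                              listing_t *hidden)
{
    hidden->count = 0;
    for (size_t i = 0; i < trusted->count; i++)
        if (!listing_contains(visible, trusted->names[i]))
            listing_add(hidden, trusted->names[i]);
    return hidden->count;
}

/* Convenience wrapper: obtain both views and diff them. */
static size_t detect_hidden_entries(listing_t *hidden)
{
    listing_t trusted, visible;
    trusted_list(&trusted);
    hooked_list(&visible);
    return cross_view_diff(&trusted, &visible, hidden);
}

int main(void)
{
    listing_t hidden;
    size_t n = detect_hidden_entries(&hidden);
    printf("%zu entr%s hidden from applications\n", n, n == 1 ? "y" : "ies");
    for (size_t i = 0; i < hidden.count; i++)
        printf("  %s\n", hidden.names[i]);
    return n > 0 ? 1 : 0;
}
```

The comparison is only as good as the independence of the trusted view: if the duplicated routine ends up calling the same lower-level code the rootkit has hooked, both views agree and nothing is reported. That is why the patent's module duplicates the kernel functionality rather than wrapping it.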