Abstract
M.Sc.
Anyone who uses a computer for work or recreational purposes has come across one or all of the
following problems, directly or indirectly (knowingly or not): viruses, worms, trojans, rootkits and
botnets. This is especially the case if the computer is connected to the Internet. Looking at the
statistics in [1] we can see that although malware detection techniques are detecting and preventing
malware, they do not guarantee 100% detection and/or prevention of malware. Furthermore, the
statistics in [2] show that malware infection rates are increasing around the world at an alarming
rate. The statistics also show that a high number of new malware samples are being
discovered every month and that 31% of malware attacks resulted in data loss [3], with 10% of
companies reporting the loss of sensitive business data [4][5].
The reason 100% detection and/or prevention of malware cannot be achieved is that
malware authors make use of sophisticated techniques such as code obfuscation in order to
prevent malware from being detected. This has resulted in the emergence of malware known as
polymorphic and metamorphic malware. Such malware poses serious challenges for
anti-malware software, specifically signature-based techniques. However, a more serious threat that
needs to be addressed is that of rootkits. Rootkits can execute at the same privilege level as the
Operating System (OS) itself. At this level a rootkit can manipulate the OS such that it can
distribute other malware, hide existing malware, steal information, hide itself, disable anti-malware
software, etc., all without the knowledge of the user.
It is clear from the statistics that anti-malware products are not working, because infection rates
continue to rise and companies and end users continue to fall victim to these attacks. Therefore,
this dissertation will address the problem that current anti-malware techniques are not working.
The main objective of this dissertation is to create a framework called ATE (Anti-malware
Technique Evaluator) that can be used to critically evaluate current commercial anti-malware
products. The framework will achieve this by identifying the current vulnerabilities that exist in
commercial anti-malware products and the operating system. The former will be achieved by making
use of two rootkits, the Evader rootkit and the Sabotager rootkit, which were specifically developed
to support the anti-malware product evaluation. Finally, an anti-malware architecture we call the
External Malware Scanner (EMS) will be proposed to address the identified vulnerabilities.