CoPDA: Concealed Process and Service Discovery Algorithm to Reveal Rootkit Footprints

The current online world is constantly affected by malicious software such as viruses, Trojans, worms, spyware and botnets. When such a malicious software integrates with the rootkit technique, it becomes a serious threat to end users. Rootkits themselves do not cause damage to a computer. Instead, they mask their footprints either from antivirus software or anti-rootkit tools to allow a remote attacker to conduct computer crimes for a long time. This property makes malicious code attacks difficult to detect. Traditional techniques that aim to reveal rootkit footprints suffer from false alarm rate and also fail to detect unknown stealthy malicious code attacks. The proposed Concealed Process and Service Discovery Algorithm (CoPDA) introduces a novel cross-view comparison technique that can effectively detect the concealed processes and services of a malicious software in Windows operating system. Compare to existing anti-rootkit detection tools, the experimental results show that CoPDA can be effectively used to discover hidden process and service and deserved 99.02% detection accuracy, 100% true positive rate and 1.82% false positive rate. Additionally, CoPDA is portable across various operating systems with only negligible tweaking.