unj2

Reputation: 53551

How does a Virus bypass detection by installing in the Interrupt Handler?

Can someone explain in simple terms how tunneling works? How can a virus install itself in the interrupt handler chain in order to avoid scanners?

Upvotes: 1

Views: 245

Answers (1)

rook

Reputation: 67039

You are referring to a kernel mode rootkit. When an interrupt is triggered, execution continues at the interrupt handler defined for that interrupt. On Linux, interrupt 80 is used. A rootkit could replace the kernel's interrupt handler with its own function.

This method NO LONGER WORKS. It's been a few years since an LKM rootkit for Linux has been released. They take many months to develop and can be patched in days. The only rootkits that work these days for Windows or Linux are bootkits like the Stoned Bootkit. Userland rootkits also work, however they are trivial to detect. Tripwire, rootkithunter, etc...

Upvotes: 2
