Kernel-level malware on the rise

Kernel-level malware would operate with the same privileges as the operating system

Online criminals are increasingly turning to kernel-level malware to attack systems, according to security researchers at F-Secure. 

Kernel-level malware acts inside the operating system's kernel, the component that links the system to the computer's hardware. Traditional malware acts like a regular application that runs on top of the operating system.

Kimmo Kasslin, a security researcher at F-Secure, said in a study that this type of malware is "a scary thought".

"It would operate with the same privileges and share all the same resources as the operating system itself, and compete with any security solutions protecting the system's integrity against any malicious activities," he wrote.

The researcher warned that the trend could lead to an "arms race" between security software and the malware, as the latter tries to evade detection.

The race would ultimately favour the code that runs closest to the most basic functions of the operating system.

"This is a path that any serious security software vendor will not take. But the world is full of examples of malware and proof-of-concept code that does exactly this," explained Kasslin.

He noted that malware authors have dramatically increased the use of kernel-level code since 2005, and that 2.63 new kernel malware families were found by security researchers every month last year.

The current kernel code is primarily used with root-kits, which allow conventional malware programs to run undetected. However, Kasslin believes that kernel-level code is poised to take on a more prominent role in malware attacks very soon.

"More information is published about how to do things required by today's malware directly from kernel mode," he said. "This includes how to implement better root-kits, how to bypass personal firewalls and how to create backdoors and IRC bots."

The use of kernel-level code came to the fore last Autumn when Microsoft said that it would include a security component known as PatchGuard to effectively block the operating system kernel.

But security vendors claimed that malware writers would quickly break the protection, effectively offering unfettered access to a machine's entire resources. Security software would then be unable to do anything to stop the attack. 

• Security vendor circumvents Windows Vista's PatchGuard
• Windows Vista 'wide open' to malware