Chasing Ghosts?                                                                             
- Return of the Stealth Malware

In the late DOS virus era stealth features in viruses
were common. As most of the users - and with them virus
writers - moved to Windows platforms stealth malware                                        
did not gain much room initially. This is about to change.                                  
                                                                                            
Current malware is increasingly equipped with stealth                                       
features. Virus creators want their creations to go                                         
unnoticed, hackers want to operate on the compromised                                       
hosts without getting attention.                                                            
                                                                                            
An active stealth malware might be able to conceal its                                      
presence by hiding processes, registry keys and open                                        
network ports. In order to hide their presence some of                                      
the recent viruses and trojans employ sophisticated                                         
stealth components. These often operate on the kernel                                       
level to get maximum level of control. This kind of                                         
infection is often non-trivial to detect in a                                               
compromised system.                                                                         
                                                                                            
The paper examines the stealth methods used by malware                                      
and possible techniques to detect their presence by                                         
manual inspection or an antivirus program.