Rootkits are the most challenging malware threats against server and desktop systems. They are created by highly skilled actors and are deployed in advanced persistent threat attacks. Increasingly, and even more so in the future, rootkits will become a real threat to billions of IoT devices. Existing malware detection techniques based on static or dynamic analysis face major shortcomings, which become more apparent when it is necessary to detect threats on IoT devices. In this paper, we propose the ULTRA framework, which can detect rootkits effectively and efficiently by operating outside of the "box" (literally, the device) with no resource requirement on the target device. ULTRA baits the rootkit to provoke activity, measures electromagnetic emanation with a software-defined radio, preprocesses the signals, then detects and classifies rootkit behavior using machine/deep learning techniques. As use cases, we target two IoT devices with MIPS and ARM architectures. The proposed approach achieved promising results with high accuracy for detecting both known and unknown rootkits during the offline learning phase. Our experimental study covers classification of rootkit families and distinct variants, obfuscated rootkits, probe dislocation, benign noise (kernel) activities, and a comparison with software-based solutions.
Code can be found here