Thesis (M.S., Computer Science)--University of Idaho, June 2015 | Increased inter-connectivity between cyber and cyber-physical systems increases the danger of Advanced Persistent Threat (APT) cyber attacks, against which perimeter-focused defenses are no longer sufficient. Rootkits are debatably the most important piece of malicious software to the success of an APT. Rootkits are are often planted through social engineering, which intend to bypass perimeter-focused defenses. APTs, the most dangerous of cyber attacks, is facilitated by one of the least-detected attack methods. In order to further the practice of detecting rootkits and aid with early detection, this thesis presents a taxonomy of rootkit activities through each stage of installation and exploitation. Correspondingly, this thesis presents a taxonomy of rootkit detection methods to address rootkit infection vectors. These taxonomies are then applied to a real-world rootkit example to demonstrate how combined application of rootkit detection tools and techniques can provide full-coverage of the possible rootkit-targeted attack surface.
