Strider GhostBuster: Why It’s A Bad Idea For Stealth Software To Hide Files

July 1, 2004

Authors: Yi-Min Wang, Binh Vo, Roussi Roussev, Chad Verbowski, Aaron Johnson
Publication Type: TechReport
Pages: 15
Number: MSR-TR-2004-71

Abstract

File hiding is an advanced stealth technique that is becoming popular among system monitoring software such as RootKits, Trojans, and keyloggers. It presents a major challenge to system administrators and the anti-malware industry because detection and removal are virtually impossible if the target files are not even visible. In this paper, we present the Strider GhostBuster that exploits the fundamental weakness of the file-hiding behavior and turns the problem into its own solution. We have tested this diff-based tool successfully in the lab against several real-world system monitoring programs.
The simplicity and effectiveness of the approach suggest that the following quote on the Internet may no longer be true: “When you can get the dir command to lie, it’s all over.” In the post-GhostBuster world: “The best way to hide is not trying to hide.”

[February 23, 2005: note that Strider GhostBuster uses a “crossview diff” technique, which is very different from the usual “cross-time diff against known good” approach. Please see the new technical report titled “Detecting Stealth Software with Strider GhostBuster” posted at http://research.microsoft.com/rootkit for a detailed discussion.]

Research Labs: Microsoft Research Lab - Redmond