Finding Rootkits By Monitoring For ‘Black Sheep’

Blacksheep compares memory dumps from each monitored system, first creating lists of kernel memory modules that are then sorted and compared, calculating the distance that each list of modules is from the others. The system then compares each byte of a modules’ code with other systems to find differences that could indicate changes inserted by a rootkit. Blacksheep also conduct memory crawling to catch changes to kernel data and checks five different kernel entry points for signs of changes.

via Finding Rootkits By Monitoring For ‘Black Sheep’ – Dark Reading.