DARPA Funded Startup to 'Bird-Dog' Rootkits
Ski_Bird writes "DARPA is funding a startup that supposedly has a unique approach to detecting rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."
The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine? It will be interesting to see what type of software comes out of this research since this is using hardware to detect changes at the bus level - that way the rootkit or virus cannot use its trickery to hide itself.
I'm more interested in what Sony has to say about this development.
I don't understand what's hard about detecting a rootkit.
Simply build a tripwire database of file signatures, and boot a CD (or USB RAM key) to check them.
Need to also check the MBR, but, that's pretty obvious, no?
I think it's useless. Perhaps if the card was able to be updated regularly with a new definition of what 'change' in the OS can be defined as, then sure. But how's it going to support things like massive program installs, Windows updates, or the huge variety of Linux installations that are out there, half of which are as different as chalk and cheese?
Bah, useless. Go develop something we *really* need, like new interaction methods.
emerge from stealth mode
For some reason I can't get this to work. I read the man pages but it seems like emerge doesn't have a stealth mode? Let me know if I am missing something here before i go back to Ubuntu.
Funded by DARPA? Maybe that PCI card is a rootkit from the government itself! Have you given that a thought?
I'm a little curious as to how the card is going to notify the user the system may have been compromised. If it involves the host OS in any way (dialog box) it could be bypassed by the rootkit. Maybe an LED on the card will switch from green to red? How often are you going to remember to check it?
Momentarily confused "bird-dogging" with "prairie-dogging"? I was like...wtf, how's that supposed to help.
And if it's reflashed the BIOS?
The only guaranteed way of detecting something like this is to slap the drive into a known-clean computer and know just what it is you're looking for.
Your computer is beeping. Someone must have installed a bomb in it. Quick, call the cops. Then again.... In all seriousness, beeping would be the best way to go, especially since it will pretty much piss off anyone who is working with that computer and ensure that the problem is solved post haste.
Ooo man the floppy drive is broken. No wait. The computer is just upside down.
You know, all this stuff I've read about rootkits lately could make a hell of an argument for anyone wanting to get their Operating System dug deep into new computers being sold if you ask me.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
It's going to take a combination of efforts similar to this and advanced heuristics to reduce the threat of rootkits. Solutions like Gamma will need to eat a lot of R&D money as they struggle to counter holes that rootkits exploit. It's nice to see DARPA funding a project like this.
i know of at least one buffer overflow attack against the hard drive detection routines in award bios...
I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.
What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations to pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.
Help poke pirates in the eyepatch, arr.
Shoot, I lied. Forget about a couple hundred K. If you buy that Java is in any way representative of the level of complexity this would require, you can likely do it in a couple dozen K. Quick Google search turned up a Java VM with a memory footprint of 10k.
I doubt `HOIST.JPG.EXE (82MB)' is going to come in as an attachment. More likely a more mundane rootkit is first loaded by the malware, downloads this in the background, gets it all set up on the hard drive, then forces a `STOP Error'. At that point the original rootkit could be deleted and no trace of the infection would remain.
That said, this product seems interesting for its hardware approach. I wonder what kind of performance hit will result from installing this system.
Incidentally, the installer for bochs on windows is only 3,244,098 bytes.
They're there affecting their effect.
ELOI, ELOI, LAMA SABACHTHANI!?
When we get up to 16 core cpus, we could start dedicating one core entirely to one virtual detection core, making this hardware useless. Seeing as how this would be possible within the next 5 years, this hardware has already failed.
The best solution would be to have system boot into an antimalware system before the OS itself. This software could be signed with multiple public keys embedded in the firmware to prevent it from being co-opted by a rootkit. (And yes, you'd also need security to prevent the firmware from being overwritten by a rootkit.) This software would then scan the kernel and first load components (critical device drivers, etc) of the kernel, along with its own in-OS software, for known threats and would alert the user to any changes in their signatures. It would then load the OS and exit. The OS kernel would load, along with its first load components and then load the in-OS portion of the antimalware software, which would complete the circle and should serve to protect the OS from rootkits.
This reminds me of the old copy2pc ISA option board you could plug in way back in the day. It didn't take long before the whole card was replaced by an even better software-only solution. This "bird-dog" card seems to be a step backwards to the old hardware cards before the systems and software were powerful enough to get the job done. I imagine it will take about a day or so for numerous good rootkits to be written to sneak right past it natively.
Isn't that basically what "trusted computing" aims to accomplish?
Honestly, I just don't think there's a substitute for OS security. If a company can't stop your OS from being hijacked, there's no reason to think adding more layers of complexity to the system will help anything.
Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible. - that's a nice political twist for saying that the MS OS was 'had' by a smart rootkit :)
You can't handle the truth.
If DARPA (since they're a DEFENSE agency) would shoot 2 or 3 of the contributors to rootkit.com's website, the rest of us geeks might be able to focus on providing solutions to business problems. Oh, wait... ...that'd be so freaking boring... ...nevermind
-STankyG
People are always blaming their circumstances for what they are. I don't believe in circumstances...
I see no reason a Windows rootkit detector couldn't be written to run under Linux from a bootable CD. Then, you don't have to remove the hard drive. Not sure if it's proof against a rogue-flashed BIOS, but it should work against most of them.
Good, inexpensive web hosting
Um, these stories indicate that *Windows* would be running in this VM. Please show me a Virtual Machine that can run Windows, or Linux, so well that you don't even know it's there - and is only a few hundred KB. Yes, we all know there are all kinds of virtual machines that could run in a very small amount of space. I think the B.A.S.I.C. VM on my Commodore 64 was quite small - let's see that run Linux, or Windows.
There is a point where you have to stop and say - Is it reasonable for this to happen? If you have physical access, you lose security. Period.
"Sure there's porn and piracy on the Web but there's probably a downside too."
It seems to me this is an issue of Microsoft not wanting people to be happy with any present version of Windows, so that there will be customers for future versions.
It's not difficult to make a boot CD that checks the MD5 or SHA1 hash of all the files on a hard drive, and compares the results with correct hashes.
I was told by a top-level Microsoft technical support representative that ALL information on a hard drive in Windows is stored in files, except for the partition information, boot record, and file system structures.
Microsoft has access to all the files and file variations that are used in Windows, and all the common drivers used by manufacturers, too. It would be easy for Microsoft to make a hash database. It would be difficult for anyone else.
It seems to me that part of the problem with corruption of the operating system comes from the fact that Microsoft deliberately corrupted its own operating systems to achieve copy protection. Microsoft mixes OS files with program files. That makes it more difficult to make illegal copies of program files, and easier to hide attack files.
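The boot-CD hash check this post and the earlier "tripwire database" comment describe, written out as an added example that is not part of the original thread and is not Komoku's or Microsoft's code. The directory passed as `root` stands in for the mounted target disk, and a 512-byte file stands in for the boot device whose MBR is hashed; every file name and byte string in `demo()` is constructed for illustration.

```python
"""Offline integrity check of the kind the post describes: build a
baseline of file hashes from a known-good system, keep it on read-only
media, then boot clean media and verify the target disk against it.
The first 512 bytes of the boot device (the MBR) are hashed under their
own entry, since they are not a file."""
import hashlib
import os
import tempfile

MBR_KEY = "mbr:boot-sector"  # label for the 512-byte boot-record entry
MBR_SIZE = 512


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, streamed so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_mbr(device_path):
    """SHA-256 of the first 512 bytes of a block device or disk image."""
    with open(device_path, "rb") as f:
        return hashlib.sha256(f.read(MBR_SIZE)).hexdigest()


def build_baseline(root, device_path=None):
    """Map relative path -> SHA-256 for every regular file under ROOT.
    Symlinks are skipped; their targets are hashed under their own paths."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    if device_path is not None:
        baseline[MBR_KEY] = hash_mbr(device_path)
    return baseline


def verify(root, baseline, device_path=None):
    """Compare the tree (and MBR) against BASELINE.
    'added' matters as much as 'modified': a file the baseline never saw
    is exactly what a dropped rootkit component looks like."""
    current = build_baseline(root, device_path)
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo():
    """Constructed scenario: a tiny 'system' tree plus a 512-byte image
    standing in for the boot device. After the baseline is taken, a binary
    is replaced, a hidden file is dropped and the MBR is overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sys")
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF original ls binary (constructed)")
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        disk = os.path.join(tmp, "disk.img")
        with open(disk, "wb") as f:  # JMP + NOP, zero padding, 0x55AA signature
            f.write(b"\xeb\x3c\x90" + b"\x00" * (MBR_SIZE - 5) + b"\x55\xaa")

        baseline = build_baseline(root, disk)
        clean = verify(root, baseline, disk)  # nothing changed yet

        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"\x7fELF trojaned ls (constructed)")
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"rootkit payload (constructed)")
        with open(disk, "r+b") as f:
            f.write(b"\xeb\x10\x90rootkit loader (constructed)")
        return clean, verify(root, baseline, disk)


if __name__ == "__main__":
    before, after = demo()
    print("clean run:", before)
    print("after tampering:", after)
```

The scheme only means something if the code doing the reading is not itself lied to: the baseline has to come from a known-good install, and the verification has to run from clean boot media rather than inside the OS under test, which is why the post insists on a boot CD. Note also what the MBR entry does not reach: a rootkit living in the BIOS or other firmware is outside anything this check can see.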
Wouldn't such devices violate the rumored, soon-to-be-proposed Intellectual Property Protection Act of 2006?
Doesn't all of this involve redoing the filesystem and moving the Windows partition into a file on the rootkit OS's partition? And wouldn't that basically take hours of heavy disk work? That seems harder to pull off on a lot of computers, either because they're being used, or being checked on from the network for tasks overnight?
I predict:
This happened to me in 15 minutes when reinstalling Windows for the umpteenth time. Love you MS!
Fighting over religion is like seeing whose imaginary friend is best.
Filter needs work, doesn't it? Either that, or both you and I had well thought out, but lame posts. I'm pretty darn sure mine was fine, and yours seems non-lame too. It's funny that you can game it with gibberish, but if you try to put certain quotes or too many --- together, it decides without reason that it is lame.
it sure is. This is actually exactly how the Sony PSP works, and it really stinks for trying to get homemade software to run on it.
The firmware in flash needs to be signed. All programs that run from any source (the cd thingy, the memory stick) also need to be signed. The only way to do anything is when clever people find buffer overflow exploits in that kernel. But that still doesn't allow you to have any permanent (in the flash) solution, since the flash needs to be signed. And that, of course, also has the non-sinister side effect of being really virus proof. Sure a virus could exploit that same buffer overflow we use to boot gamez and stuff on it, but as soon as you reboot its gone until the next time you stumble on its activation method again.
I'd rather have the viruses, I reckon. But it sure helps Sony stop people from grabbing and running illegal copies of software. I'm glad they totally ruined this device for all tinkerers just to save a few percent of shitty game sales.
Why stick up for big business?
only a few chunks of the hard drive would have to be altered, everything else would be remapped on the fly by the rootkit filesystem access so to windows it looks like the MBR is normal, despite physically being now moved to somewhere in the middle of the drive
Snowden and Manning are heroes.
While waiting to determine why Microsoft is going to such trouble to advertise the insecurity of its present operating systems, you can use the free RootKit Revealer from SysInternals.
My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.
If this card works, then it would just get embedded in the mobo later anyway, but it's a good start to stopping rootkits, other than not being an idiot when using a computer. I have a better idea though...MS should just fix Windows. Oh sorry, that's a 'good' idea. The issue is that no matter what plans are put into action someone will find a way to do what they want, it's that simple. Until programmers (myself included) stop being lazy and companies stop demanding products be finished in a hurry with low staff, software will be susceptible to flaws, especially if the OS is flawed. I say this for the 3 main OS's (Linux, Windows, Mac).
a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity.
Build one Linux source image with the kernel locked (no insmod modules). Problem solved. Why are they wasting our tax money?
Enjoy,
It's just the normal noises in here.
I finally have a reason to go into the store and ask for XXL condoms. They say they can protect against 99% of the viruses if used properly. I think I'm going to double up. I didn't understand the pregnancy part though, but hey, I don't mind as long as I'm protected.
:/
Only one question has come to mind: the directions on the pamphlet are wrong, I can't find the device it's showing me. Could it be the end of a Cat5?
Create a problem that doesn't exist to pimp your own Treacherous Computing initiative.
They'll be built in Shenzhen or Venezuela or Czechoslovakia or maybe someplace where China has DEEP ties.
The US government (via some CIA (or other deep-cover/black-ops (so black that gravity and light and even THOUGHTS can't escape) org) front company) will buy them in bulk, or encourage their sales into the US market (since the average user/civilian/serf/subject is non-geek and won't even be SUSPICIOUS about such matters...).
Then, the US will have not only backbone, but capillary access to the Internets'* CNS.
But, China and others will have access to the circulatory system...
But, then China and the US will keep root-canaling each other... Hmmm, maybe China will not follow through on that multi-beelions "deal" with msoft. Would Linux be a better platform to be on, from a security standpoint if a PCI-based root detector can't detect a virus or unholy payload?
* Yes, Internets', not Internet's, heheheh
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
"...has anyone thought of the payload size needed to implement an entire virtual machine?"
Why does the payload size matter? A worm/virus can be quite tiny to infect the host machine - and only then does it need to download the rest of its bits.
I say that we take off and nuke it from orbit... it's the only way to be sure.
Tinfoil hat time but:
/tries to remove tin-foil hat but gets shocked by hat's user protection "feature."
1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.
2) It's illegal to modify your hardware in ways the bureaucrats decreed. For example mod chips for consoles.
3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.
It's becoming more and more like renting hardware that you don't have the property rights to.
So what can you do when you detect that rootkit
Will removing a RIAA, government-licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?
Or perhaps it will be that your hardware rootkit detector can remove a Fony rootkit up to 3 times. The same way a region code on a DVD drive can only be changed so many times, with the manufacturers in cahoots with content providers.
Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible.
Windows: It's so insecure, not even DARPA can stop it.
(it's funny... laugh)
Big ones, small ones, some as big as yer 'ead!
Give 'em a twist, a flick o' the wrist...
It's time to start worrying when a market emerges for hardware-based rootkit detection.
You mean something like this?
http://rsug.itd.umich.edu/software/radmind/
I bet hardware can fooled. Fancy software can be fooled too. Why? I have a really strong feeling that the problem of detecting a rootkit is undecidable.
http://en.wikipedia.org/wiki/Halting_problem
Try Helix. It has a couple of rootkit detectors and is Knoppix based.
I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk
It's beyond me how you ended with Java as an example of your virtual machine.
There's a categorical difference between a virtual machine that can run a set of bytecodes (Flash's virtual machine, Java's virtual machine, the JavaScript virtual machines in browsers (yes, it's a VM), the CLR of .NET etc.)
-- and --
a virtual machine that emulates an independent PC hardware unit in a sandbox (with all of the video, sounds, I/O, hardware support etc.). Or did I miss that and you can install and run Windows in a Java VM natively?
And another thing, when you run in a virtual machine most of the hardware is emulated, therefore any peripherals you attach will either have to be emulated (impossible to emulate everything out there) or ignored.
You would notice if your PC functionality is suddenly stripped of any peripherals and 10x slower, won't you?
The task is suddenly not as trivial.
...were originally funded by DARPA. Quick, unplug the network cable! Don't you realize They are controlling your mind via subliminal messages in Google Ads???
Intel started shipping desktop CPUs with virtualization technology last year. The virus doesn't need to implement the entire virtual machine.
Do you even lift?
These aren't the 'roids you're looking for.
Excuse me for not wanting to have sex with a woman that fucks HIV+ men.
"My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits."
I believe that the future is now, and this OS... is OS (open source)...
www.freebsd.org
www.gentoo.org
www.opensolaris.org
rootkit free and loving it !
XML - A clever joke would be here if
Perhaps you missed the part about "pass through".
:)
This isn't VMWare. If you just want to 0wn a pc, you will be running the user OS exclusively, and can give it access to all hardware as normal.
The only IO resources you need to limit/filter is disk and memory IO to the areas of the system your rootkit inhabits, and of course network IO to hide any packets you are sending from host-based network analyzers.
Not simple, but not impossible (basically you take the source for a modern rootkit, and the source for something like xen, and cross-breed them
Fixed that for ya. Those parenthetical compiler errors can be a devil to find without a good debugger.
Just rootkit the os on installation with a 'good' rootkit.
The good rootkit wouldn't use any os services and would just be there to detect other rootkits and remove them. I would do so by querying the os for the files it thinks are on the disk, and removing those which are there but the os doesn't know about.
Microsoft are probably already considering this, which is why they have built the virtual machine rootkit. Perhaps it will be in Windows Vista (or rather advertised as being in Windows Vista but then removed at the last minute).
Um..well, the BIOS on most PCs is only several 100KB and contains all that is needed for the basic operation of a PC.
So it's only logical to conclude that a VM wouldn't necessarily need to be much larger than this. Especially if it was running as a layer directly above the BIOS, proxying requests from the OS to the system and then wrapping up instructions where the VM needs to apply its own logic.
This type of VM wouldn't need to worry about scheduling or the more complex issues that come of running multiple OSs on one machine.
It would merely be acting as an extra set of logic between the system and OS.
The virus using a virtual machine would probably compromise existing virtual machine servers, and could script the copy of an existing virtual machine. At least that's what occurs to me off the top of my head. You CAN write data to the virtual HDD of a virtual machine while it's not loaded, usually. So it just writes itself into the boot sector or executable area of a virtual machine, and voila. Payload size hasn't dramatically increased.
Browsing with classic discussion, noscript, at -1 and nested
no hidden comments and I only mod UP
Sorry, I know it's O.T. but I just couldn't resist.
btw, I'll be repeating my newfound favorite analogy until my wife's sick and tired of it, so thanks from her too.
This space intentionally left (almost) blank.
Pretty big; around 130MB, if I recall (I may not; it's been a while). But don't worry,
In all seriousness, I don't think a full virtual machine would have to be implemented. All along, viruses have worked by just patching what is required to setup a modified environment.
OmniNerd has an article describing how rootkits function. Most of you are already familiar with them, but the underpinnings as to why software solutions will always fail are quite clear.
I, too, would be wary of a government hardware device installed in my own computer. It's all too evident the NSA has its hand in all communications already. Would anybody really trust a device that can intercept all data traffic? It's the master backdoor they've always wanted. Then again, who would you trust to manufacture such a card?
When you understand your disbelief in other gods, then you will understand my disbelief in yours.
LOL!!!
Seems YOU are functioning within operating normal parameters...
see no reason a Windows rootkit detector couldn't be written to run under Linux from a bootable CD
Actually, that is how our repair shop does it, but we use a CD bootable version of XP. Once booted without the rootkit being active, almost any AV can find the rootkit. Rename the rootkit executable, boot into the OS normally and run the AV again. No more rootkit.
((Strontium Beryllium) tinfoil hat)
So how did you detect the undetectable rootkit getting on your system within 15 minutes of installation?
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.
You mean trusted computing? Gee, maybe MS would like to have some excuse for the unpopular idea of requiring all OS's to be signed by a central signing authority and monitored against tampering. Maybe MS is trying the idea out right now on the Xbox 360 as well.
It didn't crash as much =)
Bloody gonna need to bootstrap from the transistors up to be 100% safe. Don't forget to hand assemble your own compiler. Sheesh!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
does it run Linux^W errr... on StrongARM? Or PowerPC? PDP? (What the hell does Blackberry run?!)
> Please show me a Virtual Machine that can run Windows, or Linux so good that you don't even know its there.
qemu. To average Joe Windows User, it's good enough. It's slower than native, but spyware, IE, etc. slow down Windows anyway.
My other car is first.
So you want to read a file and make a hash? Unfortunately, the rootkit has inserted itself into the OS. Read any other file and it will tell you the truth. Read an infected file and it will lie.
At least that's what I'd do if I was a rootkit.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
as the 15 other remaining cores will also be busy running other software:o sloooowsoooly
+ CPU's 1-5 screensaver.com's well written data collecting "*screensavers*"
+ CPU's 5-9 GAIN publishing's "let us store your secrets" weather/pwd utils
+ CPU's 10-14 bot nets - muhahahah!
+ CPU 15 Windooooooooooooooooooooooooooooooooooooooooooooo
leaving CPU 16.... oh damn so that's why IE 7 and office wouldn't load too!!
There needs to be a "+1 for Effort" mod option.
Yeah, right. Tell that to Olmy after the Jart hijacked his eyeballs...
He was running it in a virtual memory space as well, if I recall correctly, even if it was in his own grey matter.
Wouldn't the problem disappear if data execution is disabled? Seems to me that a lot of the "exploits" are related to execution of data payload as instruction code.
One of the reasons I suggested Linux is that if a CD bootable Windows system used any of the hard disk's system software, it'd be compromised. I wasn't sure if there was a CD bootable XP (or 2000) system that was sufficiently self-contained, but I knew there are Linux distros that can do it. Thanx for letting me know.
The only IO resources you need to limit/filter is disk and memory IO to the areas of the system your rootkit inhabits, and of course network IO to hide any packets you are sending from host-based network analyzers.
Thing is, without a driver telling you where the heck the network IO is, and how to "pass thru" it you're lost, so we're back to the drivers/hardware support issue.
All of those feature we take for granted, such as sound/network/video/disk functionality is because we have an OS and drivers abstracting them. Without the drivers you will not only not know what you're passing through, and therefore not being able to use or filter the network, but you may also not be able to reach many of the new interfaces such as USB that use more sophisticated interfaces.
You didn't read the part about it being a boot CD. It could boot from a CD supplied by Microsoft, so that there could be no possibility of the OS that was active during hash collection being compromised.
Linux has the capability of reading NTFS files, so it is possible to make a Linux CD to do the checking. However, no one outside Microsoft has all the file variations.
I wonder if, in the future, computers will have multiple unique, separate and heterogeneous operating systems which communicate through some type of decision protocol/bus. The idea of an external HT spec and the Opteron socketed FPGA make the idea of having different hardware/OS's that make decisions by committee sound theoretically feasible. If anyone has ever seen Neon Genesis: Evangelion, the idea reminds me of the 3 supercomputer minds used to make decisions. And hopefully, should a very deep attack occur, it would not be feasible to attack all 'minds' at the same time with the same attack, so that the resilient 'minds' could deal with the infected 'mind'.
I do security
Sorry, but the post is wrong. The proposed rootkit by MS, and indeed every VM-based rootkit under x86 until virtualization support becomes more of a reality, will be detectable. Basically, there are many instructions and data structures that are required by the OS that the architecture never anticipated needing to deal with two of, for instance the interrupt descriptor table, or the global descriptor table.