DARPA Funded Startup to 'Bird-Dog' Rootkits

← Back to Stories (view on slashdot.org)

DARPA Funded Startup to 'Bird-Dog' Rootkits

Posted by ryuzaki0 on Monday April 24, 2006 @01:38PM from the tails-of-woe dept.

Ski_Bird writes "DARPA is funding a startup the supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."

6 of 124 comments (clear)

Min score:

Reason:

Sort:

Hardware can't be fooled like the operating system by IntelliAdmin · 2006-04-24 13:39 · Score: 2, Interesting

The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine? It will be interesting to see what type of software comes out of this research since this is using hardware to detect changes at the bus level - that way the rootkit or virus cannot use its trickery to hide itself.
Re:Hardware can't be fooled like the operating sys by patio11 · 2006-04-24 14:05 · Score: 3, Interesting

Shoot, I lied. Forget about a couple hundred K. If you buy that Java is in any way representative of the level of complexity this would require, you can likely do it in a couple dozen K. Quick Google search turned up a Java VM with a memory footprint of 10k.

--
Help poke pirates in the eyepatch, arr.
Re:Notification by MBCook · 2006-04-24 14:19 · Score: 4, Interesting
Here are the things I can think of and the pros/cons:
- Blink a LED - Cheap, but requires looking at a LED (easy in a server environment maybe, but not for 1000 corporate desktops).
- Sound an Alarm - Noticeable, but loud and annoying, especially if false alarms exist more often than "almost never".
- Network - Give it a network interface (sort of like pre-boot management interfaces on expensive servers), but it could easily notify people anywhere this way. Expensive though, needs network ports.
- Wireless - Some kind of wireless response (so you walk by it with a little scanner and it says clean or compromised) not cheap, possibly short range, requires scanner.
- Software - Easiest, but could be compromised unless it used the BIOS to send the message out somehow during boot.
- Other - Things like the voodoo pass-though (mentioned in another reply), causing the keyboard LEDs to flash, and other such things. Tend to be kind of hokey.
--
Comment forecast: Bits of genius surrounded by a sea of mediocrity.
Re:Built in OS by jmv · 2006-04-24 14:39 · Score: 3, Interesting

Operating System dug deep into new computers being sold

You mean having all your OS buffer overflows built in the hardware?

--
Opus: the Swiss army knife of audio codec
'if' it works it'll just get embeded later by Anonymous Coward · 2006-04-24 15:05 · Score: 2, Interesting

If this card works, then it would just get embeded in the mobo later anyway, but its a good start to stopping rootkits, other than not being an idiot when useing a computer. I have a better idea though...ms should just fix windows oh sorry thats a 'good' idea. The issue is that no matter what plans are put into action someone will find a way to do what they want, its that simple. Untill programmers (myself included) stop being lazy and companies stop demanding products to be finished in a hurry with low staff, software will be susepticle to flaws, especially if the OS is flawed. I say this for the 3 main OS's (Linux, Windows, Mac).
Re:Built in OS Funny thing is... by davidsyes · 2006-04-24 15:42 · Score: 2, Interesting

They'll be built in Shenzen or Venezuela or Czechoslovakia or maybe someplace where China has DEEP ties.

They US government (via some CIA (or other deep-cover/black-ops (so black that gravity and light and even THOUGHTS can't escape) org) front company will buy them in bulk, or encourage their sales into the US market (since the average user user/civilian/serf/subject is non-geek and won't even be SUSPICIOUS about such matters...).

Then, the US will have not only backbone, but capillary access to the Internets'* CNS.

But, China and others will have access to the circulatory system...

But, then China and the US will keep root-canaling each other... Hmmm, maybe China will not follow through on that multi-beelions "deal" with msoft. Would Linux be a better platform to be on, from a security standpoint if a PCI-based root detector can't detect a virus or unholy payload?

* Yes, Internets', not Internet's, heheheh

--
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"