

DARPA Funded Startup to 'Bird-Dog' Rootkits

Ski_Bird writes "DARPA is funding a startup that supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."
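The summary's description of the card (it does not identify a rootkit, it notices that the OS changed more than it should have) comes down to one operation: read memory from outside the running OS, hash fixed regions, and compare against a baseline taken while the system was known good. The same comparison serves the bootable-CD idea raised further down in the thread, applied to a disk image instead of RAM. The following Python is an added example, not Komoku's code and not from any poster; the memory map, the region offsets, the image bytes and the helper names (`Region`, `build_baseline`, `check_image`, `patch`) are all constructed for illustration.

```python
"""Out-of-band integrity check of a memory image: hash fixed regions and compare
with a known-good baseline. Added example; the memory map, offsets and image
contents are constructed, not taken from any real kernel or product."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    name: str
    start: int       # offset into the image; stands in for a physical address
    length: int
    immutable: bool  # True for regions that must never change while running


# Hypothetical memory map of a small kernel image (constructed for the example).
REGIONS = (
    Region("kernel_text", 0x000, 0x400, immutable=True),
    Region("syscall_table", 0x400, 0x100, immutable=True),
    Region("kernel_data", 0x500, 0x200, immutable=False),
    Region("page_cache", 0x700, 0x100, immutable=False),
)
IMAGE_SIZE = 0x800


def region_digest(image: bytes, region: Region) -> str:
    """SHA-256 of one region; a short image is an error, not a silent pass."""
    chunk = image[region.start:region.start + region.length]
    if len(chunk) != region.length:
        raise ValueError(f"image too short for region {region.name}")
    return hashlib.sha256(chunk).hexdigest()


def build_baseline(image: bytes, regions=REGIONS) -> dict:
    """Record digests while the system is known good (e.g. right after install)."""
    return {r.name: region_digest(image, r) for r in regions}


def check_image(image: bytes, baseline: dict, regions=REGIONS) -> dict:
    """Compare a fresh snapshot with the baseline.

    A change in an immutable region (kernel text, syscall table) raises an alert.
    Changes only in mutable regions are normal: they are reported so an analyst
    can look, but they do not trip the alert. That is the "changed enough to
    warrant investigation" distinction rather than a rootkit signature match.
    """
    changed = [r.name for r in regions if region_digest(image, r) != baseline[r.name]]
    by_name = {r.name: r for r in regions}
    immutable_changed = [n for n in changed if by_name[n].immutable]
    return {
        "changed": changed,
        "immutable_changed": immutable_changed,
        "alert": bool(immutable_changed),
    }


def known_good_image() -> bytes:
    """Constructed stand-in for a memory snapshot of a clean system."""
    return bytes(i & 0xFF for i in range(IMAGE_SIZE))


def patch(image: bytes, offset: int, data: bytes) -> bytes:
    """Return a copy of image with data written at offset (simulates a change)."""
    return image[:offset] + data + image[offset + len(data):]


if __name__ == "__main__":
    clean = known_good_image()
    baseline = build_baseline(clean)
    # Normal activity: the page cache churns, kernel text does not.
    print(check_image(patch(clean, 0x700, b"\xff" * 16), baseline))
    # An overwritten syscall table entry changes an immutable region: alert.
    print(check_image(patch(clean, 0x410, b"\x00" * 8), baseline))
```

The monitor never asks the host OS which pages are "really" kernel text; it trusts only its own map and its own baseline, which is the whole point of doing the check from a separate device or a separate boot medium. The baseline must be refreshed after legitimate kernel updates, otherwise every patch cycle looks like an intrusion, which is exactly the false-alarm concern voiced in the comments below.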


  1. Hardware can't be fooled like the operating system by IntelliAdmin · · Score: 2, Interesting

    The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine? It will be interesting to see what type of software comes out of this research since this is using hardware to detect changes at the bus level - that way the rootkit or virus cannot use its trickery to hide itself.

  2. Re:Hardware can't be fooled like the operating sys by Anonymous Coward · · Score: 5, Funny

    I'm more interested in what Sony has to say about this development.

  3. emerge? by Hack+Jandy · · Score: 4, Funny

    emerge from stealth mode

    For some reason I can't get this to work. I read the man pages but it seems like emerge doesn't have a stealth mode? Let me know if I am missing something here before I go back to Ubuntu.

  4. Government Rootkit by Anonymous Coward · · Score: 2, Insightful

    Funded by DARPA? Maybe that PCI card is a rootkit from the government itself! Have you given that a thought?

    1. Re:Government Rootkit by davidsyes · · Score: 2, Funny

      Just last week I was (re)wondering whether or not all our provided/purchased cable-modems are under a national security order to be "backdoorable". Hell, the telcos have been in bed with the government for maybe all of their existence, at least the past 20 years, I suppose.

      Then, I started pondering... "Hmmm... if Slashdot itself is a government DARPA project....to weed out targetable, disloyal, unsavory engineers and geeks..."

      --
      Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"

  5. Built in OS by Joebert · · Score: 4, Insightful

    You know, all this stuff I've read about rootkits lately could make a hell of an argument for anyone wanting to get their Operating System dug deep into new computers being sold if you ask me.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.

    1. Re:Built in OS by jmv · · Score: 3, Interesting

      Operating System dug deep into new computers being sold

      You mean having all your OS buffer overflows built in the hardware?

  6. Re:Hardware can't be fooled like the operating sys by patio11 · · Score: 4, Insightful
    [quote]The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine?[/quote]

    I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.

    What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.

  7. Re:Hardware can't be fooled like the operating sys by patio11 · · Score: 3, Interesting

    Shoot, I lied. Forget about a couple hundred K. If you buy that Java is in any way representative of the level of complexity this would require, you can likely do it in a couple dozen K. Quick Google search turned up a Java VM with a memory footprint of 10k.

  8. Re:Hardware can't be fooled like the operating sys by LordOfTheNoobs · · Score: 2, Informative

    I doubt `HOIST.JPG.EXE (82MB)' is going to come in as an attachment. More likely a more mundane rootkit is first loaded by the malware, downloads this in the background, gets it all set up on the hard drive, then forces a `STOP Error'. At that point the original rootkit could be deleted and no trace of the infection would remain.

    That said, this product seems interesting for its hardware approach. I wonder what kind of performance hit will result from installing this system.

    Incidentally, the installer for bochs on windows is only 3,244,098 bytes.

    --
    They're there affecting their effect.

  9. A lot of good it will do... (was:Notification) by Lead+Butthead · · Score: 3, Funny

    I'm a little curious as to how the card is going to notify the user the system may have been compromised. If it involves the host OS in any way (dialog box) it could be bypassed by the rootkit. Maybe an LED on the card will switch from green to red? How often are you going to remember to check it?

    A lot of good it will do if it's triggered every time Microsoft releases a "security update."

    --
    ELOI, ELOI, LAMA SABACHTHANI!?

  10. Isn't that... by Aurisor · · Score: 4, Informative

    Isn't that basically what "trusted computing" aims to accomplish?

    Honestly, I just don't think there's a substitute for OS security. If a company can't stop your OS from being hijacked, there's no reason to think adding more layers of complexity to the system will help anything.

  11. MS 'demonstrated' by roman_mir · · Score: 2, Insightful

    Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible. - that's a nice political twist for saying that the MS OS was 'had' by a smart rootkit :)

  12. Re:Notification by MBCook · · Score: 4, Interesting

    Here are the things I can think of and the pros/cons:
    • Blink an LED - Cheap, but requires looking at an LED (easy in a server environment maybe, but not for 1000 corporate desktops).
    • Sound an Alarm - Noticeable, but loud and annoying, especially if false alarms exist more often than "almost never".
    • Network - Give it a network interface (sort of like pre-boot management interfaces on expensive servers), but it could easily notify people anywhere this way. Expensive though, needs network ports.
    • Wireless - Some kind of wireless response (so you walk by it with a little scanner and it says clean or compromised) not cheap, possibly short range, requires scanner.
    • Software - Easiest, but could be compromised unless it used the BIOS to send the message out somehow during boot.
    • Other - Things like the voodoo pass-through (mentioned in another reply), causing the keyboard LEDs to flash, and other such things. Tend to be kind of hokey.

    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.

  13. Re:Hardware can't be fooled like the operating sys by techno-vampire · · Score: 3, Insightful

    I see no reason a Windows rootkit detector couldn't be written to run under Linux from a bootable CD. Then, you don't have to remove the hard drive. Not sure if it's proof against a rogue-flashed BIOS, but it should work against most of them.

    --
    Good, inexpensive web hosting

  14. Why, Microsoft? RootKit Revealer from SysInternals by Futurepower(R) · · Score: 2, Insightful

    While waiting to determine why Microsoft is going to such trouble to advertise the insecurity of its present operating systems, you can use the free RootKit Revealer from SysInternals.

    My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.

  15. 'if' it works it'll just get embedded later by Anonymous Coward · · Score: 2, Interesting

    If this card works, then it would just get embedded in the mobo later anyway, but it's a good start to stopping rootkits, other than not being an idiot when using a computer. I have a better idea though...ms should just fix windows oh sorry that's a 'good' idea. The issue is that no matter what plans are put into action someone will find a way to do what they want, it's that simple. Until programmers (myself included) stop being lazy and companies stop demanding products to be finished in a hurry with low staff, software will be susceptible to flaws, especially if the OS is flawed. I say this for the 3 main OS's (Linux, Windows, Mac).

  16. Re:Built in OS Funny thing is... by davidsyes · · Score: 2, Interesting

    They'll be built in Shenzhen or Venezuela or Czechoslovakia or maybe someplace where China has DEEP ties.

    The US government (via some CIA (or other deep-cover/black-ops (so black that gravity and light and even THOUGHTS can't escape) org) front company) will buy them in bulk, or encourage their sales into the US market (since the average user/civilian/serf/subject is non-geek and won't even be SUSPICIOUS about such matters...).

    Then, the US will have not only backbone, but capillary access to the Internets'* CNS.

    But, China and others will have access to the circulatory system...

    But, then China and the US will keep root-canaling each other... Hmmm, maybe China will not follow through on that multi-beelions "deal" with msoft. Would Linux be a better platform to be on, from a security standpoint if a PCI-based root detector can't detect a virus or unholy payload?

    * Yes, Internets', not Internet's, heheheh

    --
    Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"

  17. Will it be legal to remove the rootkit? by beoswulf · · Score: 4, Insightful

    Tinfoil hat time but:
    1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.

    2) It's illegal to modify your hardware in ways the bureaucrats decreed. For example mod chips for consoles.

    3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.

    It's becoming more and more like renting hardware that you don't have the property rights to.

    So what can you do when you detect that rootkit?

    Will removing a RIAA, government licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?

    Or perhaps it will be that your hardware rootkit detector can remove a Fony rootkit up to 3 times. The same way a region code on a dvd drive can be only changed so many times with the manufacturers in cahoots with content providers. /tries to remove tin-foil hat but gets shocked by hat's user protection "feature."

  18. Windows... by XMilkProject · · Score: 3, Funny

    Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible.

    Windows: It's so insecure, not even DARPA can stop it.

    (it's funny... laugh)

    --
    Big ones, small ones, some as big as yer 'ead!
    Give 'em a twist, a flick o' the wrist...