DARPA Funded Startup to 'Bird-Dog' Rootkits

Ski_Bird writes "DARPA is funding a startup the supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."

Re:Hardware can't be fooled like the operating sys

I'm more interested in what Sony has to say about this development.

emerge?

[Hack+Jandy]

emerge from stealth mode

For some reason I can't get this to work. I read the man pages but it seems like emerge doesn't have a stealth mode? Let me know if I am missing something here before i go back to Ubuntu.

Built in OS

[Joebert]

You know, all this stuff I've read about rootkits lately could make a hell of an argument for anyone wanting to get their Operating System dug deep into new computers being sold if you ask me.

Re:Built in OS

[jmv]

Operating System dug deep into new computers being sold

You mean having all your OS buffer overflows built in the hardware?

Re:Hardware can't be fooled like the operating sys

[patio11]

[quote]The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine?[/quote]

I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.

What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations to pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.

Re:Hardware can't be fooled like the operating sys

[patio11]

Shoot, I lied. Forget about a couple hundred K. If you buy that Java is in any way representative of the level of complexity this would require, you can likely do it in a couple dozen K. Quick Google search turned up a Java VM with a memory footprint of 10k.

A lot of good it will do... (was:Notification)

[Lead+Butthead]

I'm a little curious as to how the card is going to notify the user the system may have been compromised. If it involves the host OS in any way (dialog box) it could be bypassed by the rootkit. Maybe an LED on the card will switch from green to red? How often are you going to remember to check it?

A lot of good it will do if it's triggered everytime Microsoft releases a "security update."

Isn't that...

[Aurisor]

Isn't that basically what "trusted computing" aims to accomplish?

Honestly, I just don't think there's a substitute for OS security. If a company can't stop your OS from being hijacked, there's no reason to think adding more layers of complexity to the system will help anything.

Re:Notification

[MBCook]

Here are the things I can think of and the pros/cons:

• Blink a LED - Cheap, but requires looking at a LED (easy in a server environment maybe, but not for 1000 corporate desktops).
• Sound an Alarm - Noticeable, but loud and annoying, especially if false alarms exist more often than "almost never".
• Network - Give it a network interface (sort of like pre-boot management interfaces on expensive servers), but it could easily notify people anywhere this way. Expensive though, needs network ports.
• Wireless - Some kind of wireless response (so you walk by it with a little scanner and it says clean or compromised) not cheap, possibly short range, requires scanner.
• Software - Easiest, but could be compromised unless it used the BIOS to send the message out somehow during boot.
• Other - Things like the voodoo pass-though (mentioned in another reply), causing the keyboard LEDs to flash, and other such things. Tend to be kind of hokey.

Re:Hardware can't be fooled like the operating sys

[techno-vampire]

S see no reason a Windows rootkit detector couldn't be written to run under Linux from a bootable CD. Then, you don't have to remove the hard drive. Not sure if it's proof against a rogue-flashed BIOS, but it should work against most of them.

Will it be legal to remove the rootkit?

[beoswulf]

Tinfoil hat time but:
1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.

2) It's illegal to modify your hardware in ways the bureacrats decreed. For example mod chips for consoles.

3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.

It's becoming more and more like renting hardware that you don't have the property rights to.

So what can you do when you detect that rootkit

Will removing a RIAA, governnent licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?

Or perhaps it will be that your hardware rootkit detector a remove a Fony rootkit up to 3 times. The same way a region code on a dvd drive can be only changed so many times with the manufacturers in cahoots with content providers. /tries to remove tin-foil hat but gets shocked by hat's user protection "feature."

Windows...

[XMilkProject]

Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible.

Windows: It's so insecure, not even DARPA can stop it.

(it's funny... laugh)