Slashdot Mirror

← Back to Stories (view on slashdot.org)

DARPA Funded Startup to 'Bird-Dog' Rootkits

Posted by ryuzaki0 on from the tails-of-woe dept.

Ski_Bird writes "DARPA is funding a startup the supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."

7 of 124 comments (clear)

  1. Re:Hardware can't be fooled like the operating sys by Anonymous Coward · · Score: 5, Funny

    I'm more interested in what Sony has to say about this development.

  2. emerge? by Hack+Jandy · · Score: 4, Funny

    emerge from stealth mode

    For some reason I can't get this to work. I read the man pages but it seems like emerge doesn't have a stealth mode? Let me know if I am missing something here before i go back to Ubuntu.

  3. Built in OS by Joebert · · Score: 4, Insightful

    You know, all this stuff I've read about rootkits lately could make a hell of an argument for anyone wanting to get their Operating System dug deep into new computers being sold if you ask me.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  4. Re:Hardware can't be fooled like the operating sys by patio11 · · Score: 4, Insightful
    [quote]The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine?[/quote]

    I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.

    What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations to pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.

    --
    Help poke pirates in the eyepatch, arr.
  5. Isn't that... by Aurisor · · Score: 4, Informative

    Isn't that basically what "trusted computing" aims to accomplish?

    Honestly, I just don't think there's a substitute for OS security. If a company can't stop your OS from being hijacked, there's no reason to think adding more layers of complexity to the system will help anything.

  6. Re:Notification by MBCook · · Score: 4, Interesting
    Here are the things I can think of and the pros/cons:
    • Blink a LED - Cheap, but requires looking at a LED (easy in a server environment maybe, but not for 1000 corporate desktops).
    • Sound an Alarm - Noticeable, but loud and annoying, especially if false alarms exist more often than "almost never".
    • Network - Give it a network interface (sort of like pre-boot management interfaces on expensive servers), but it could easily notify people anywhere this way. Expensive though, needs network ports.
    • Wireless - Some kind of wireless response (so you walk by it with a little scanner and it says clean or compromised) not cheap, possibly short range, requires scanner.
    • Software - Easiest, but could be compromised unless it used the BIOS to send the message out somehow during boot.
    • Other - Things like the voodoo pass-though (mentioned in another reply), causing the keyboard LEDs to flash, and other such things. Tend to be kind of hokey.
    --
    Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  7. Will it be legal to remove the rootkit? by beoswulf · · Score: 4, Insightful

    Tinfoil hat time but:
    1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.

    2) It's illegal to modify your hardware in ways the bureacrats decreed. For example mod chips for consoles.

    3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.

    It's becoming more and more like renting hardware that you don't have the property rights to.

    So what can you do when you detect that rootkit

    Will removing a RIAA, governnent licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?

    Or perhaps it will be that your hardware rootkit detector a remove a Fony rootkit up to 3 times. The same way a region code on a dvd drive can be only changed so many times with the manufacturers in cahoots with content providers. /tries to remove tin-foil hat but gets shocked by hat's user protection "feature."