[ISN] Government-Funded Startup Blasts Rootkits

InfoSec News isn at c4i.org
Tue Apr 25 03:28:15 EDT 2006


http://www.eweek.com/article2/0,1895,1951941,00.asp

By Ryan Naraine 
April 24, 2006 

A startup funded by the U.S. government's Defense Advanced Research
Projects Agency is ready to emerge from stealth mode with hardware-
and software-based technologies to fight the rapid spread of malicious
rootkits.

Komoku, of College Park, Md., plans to ship a beta of Gamma, a new
rootkit detection tool that builds on a prototype used by several
sensitive U.S. government departments to find operating system
abnormalities that may be linked to malicious rootkit activity.

A rootkit modifies the flow of the kernel to hide the presence of an
attack or compromise on a machine. It gives a hacker remote user
access to a compromised system while avoiding detection from
anti-virus scanners.

The company's prototype, called CoPilot, is a high-assurance PCI card
capable of monitoring the host's memory and file system at the
hardware level. It is specifically geared towards high-security
servers and computers.

Gamma, meanwhile, is a separate, software-only clone of CoPilot that
will target businesses interested in a low-assurance tool for
protecting laptops and personal computers.

Komoku launched quietly in 2004 with about $2.5 million in funding and
rootkit detection contracts from DARPA, the Department of Homeland
Security and the U.S. Navy.

The company has its roots at the University of Maryland, where
computer scientist William Arbaugh worked on what he calls a "unique
approach" to finding rootkits.

"Security technologies depend on the correctness of the system they're
actually checking," said Arbaugh, who now serves as president of the
five-employee outfit.

"If something changes the system at the operating system level, it
can't be reliably detected via the OS itself or through applications
running on the system," he said in an interview with eWEEK.

"We have this notion of what the operating system is supposed to look
like and we look for deviations [from] that. We aren't initially
looking for the rootkit; we look at the side effects of the
infection."
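Arbaugh's description above amounts to invariant checking: the monitor holds a model of what kernel data should look like and reports anything that deviates from it, rather than matching rootkit signatures. The following toy model is an added illustration, not Komoku's code; the syscall table, address range and PIDs are constructed sample values.

```python
"""Toy model of the 'expected state vs. observed state' approach described
in the article: a monitor holds a model of what kernel data should look like
and flags deviations, without any rootkit signature. All addresses, table
contents and PIDs are constructed sample data, not real kernel values."""
from dataclasses import dataclass

# Constructed: address range where legitimate kernel code lives.
KERNEL_TEXT = (0xC0100000, 0xC0400000)


@dataclass
class Snapshot:
    """What an out-of-band monitor reading host RAM would observe."""
    syscall_table: dict   # syscall number -> handler address
    task_list: set        # PIDs found by walking the kernel's process list
    runqueue: set         # PIDs the scheduler is actually running


def check_deviations(baseline: dict, snap: Snapshot) -> list:
    """Return human-readable findings; an empty list means no deviation."""
    findings = []
    for num, addr in sorted(snap.syscall_table.items()):
        expected = baseline.get(num)
        if expected is None:
            findings.append(f"syscall {num}: unexpected entry 0x{addr:x}")
        elif addr != expected:
            inside = KERNEL_TEXT[0] <= addr < KERNEL_TEXT[1]
            findings.append(
                f"syscall {num}: handler 0x{expected:x} -> 0x{addr:x}"
                + ("" if inside else " (points outside kernel text)"))
    # Side effect of process hiding: a task the scheduler runs but the
    # process list no longer reports.
    for pid in sorted(snap.runqueue - snap.task_list):
        findings.append(f"pid {pid}: scheduled but absent from task list")
    return findings


def baseline_table() -> dict:
    # Constructed known-good syscall table captured on a clean install.
    return {0: 0xC0123450, 1: 0xC0123560, 2: 0xC0123670, 3: 0xC0123780}

def clean_snapshot() -> Snapshot:
    return Snapshot(baseline_table().copy(), {1, 100, 101}, {1, 100, 101})

def infected_snapshot() -> Snapshot:
    table = baseline_table().copy()
    table[2] = 0xD8000010  # constructed: hook living in a loaded module's memory
    return Snapshot(table, {1, 100, 101}, {1, 100, 101, 777})
```

The hidden process is caught purely by the inconsistency between two kernel views, which is the "side effects of the infection" Arbaugh refers to.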

Komoku has partnered with security vendor Symantec to handle
disinfection and restoration after rootkits and other sophisticated
forms of malware are detected.

Symantec's LiveState product combines with CoPilot and Gamma to
restore the system to its original state.

Jamie Butler, a renowned rootkit researcher who works as Komoku's
chief technical officer, said Gamma will have limited clean-up
capabilities because it is software-based and susceptible to direct
attack, much like any application running on the operating system.

"Clean-up is a very difficult goal while maintaining a running system.  
When you find a rootkit, you essentially have several choices. The
easiest choice is to halt the system. But, that means that you'll lose
any evidence that might be in memory. It also means that the services
provided by that system are made unavailable," Butler explained.

Another choice might be to eliminate the effects of the rootkit, but
this could be very difficult because of the complicated nature of an
operating system.

A third choice would be to allow the rootkit to remain active while
you attempt to discern its motives, Butler added, noting that both
Gamma and CoPilot will allow all three of these choices.

The plan is to have both the hardware and software versions collect
forensic data when a compromise is detected. Butler said the products
are able to capture hidden malware in memory and, when running in
enterprise mode, send it back to a central management station.

The company is also exploring potential partnerships with other
security companies that have offline malware analysis tools, he said.

Pricing details have not yet been worked out, but Arbaugh expects to
ship CoPilot to high-end enterprises with super-sensitive data.

Gamma, on the other hand, is a lower-assurance product and is aimed at
protecting business assets that don't require high-end security
protection or are unable to install hardware.

Arbaugh said Gamma has been built with two modes of operation: an
enterprise mode where it communicates with a central server to receive
updates and incident reports, and a stand-alone mode where incidents
are reported locally.

Updates will be available via a subscription service similar to those
in the anti-virus space, he said.

Citing confidentiality issues, Arbaugh declined to discuss the
severity of the rootkit threat on government networks. However, he
said that during actual CoPilot tests, it was "very clear that the
government shares the same problems like everyone else."

The product was in the midst of testing on the U.S. Navy networks when
news of the Sony rootkit issue made headlines in November 2005.

"That was a zero-day rootkit to us, so we decided to throw it at
CoPilot as part of the operational tests. We detected the Sony rootkit
in all its vectors, in real-time," Butler said.

According to statistics from Microsoft, rootkits account for more than
20 percent of all malicious programs removed from Windows machines.

The stealthy technology has been found in a variety of threats,
including spyware, Trojans and DRM (digital rights management).
