DARPA Funded Startup to 'Bird-Dog' Rootkits
Ski_Bird writes "DARPA is funding a startup that supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."
Hardware can't be fooled like the operating system (Score:2, Interesting)
Re:Hardware can't be fooled like the operating sys (Score:5, Funny)
Quis custodiet ipsos custodes ? (Score:1)
Bloody gonna need to bootstrap from the transistors up to be 100% safe. Don't forget to hand assemble your own compiler. [bell-labs.com] Sheesh!
Re:Hardware can't be fooled like the operating sys (Score:2)
There is a point where you have to stop and say - Is it reasonable for this to happen? If you have physical access, you lose security. Period.
Re:Hardware can't be fooled like the operating sys (Score:4, Insightful)
Re:Hardware can't be fooled like the operating sys (Score:2)
Re:Hardware can't be fooled like the operating sys (Score:1)
Make a boot CD that checks the MD5 or SHA1 hashes. (Score:2)
It's not difficult to make a boot CD that checks the MD5 or SHA1 hash of all the files on a hard drive, and compares the results with correct hashes.
I was told by a top-level Microsoft technical support representative that ALL information on a hard drive in Windows is stored in files, except for the partition information, boot record, and
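The offline checker the post describes (and, more loosely, the "has the OS changed enough to warrant a look?" comparison the summary attributes to Komoku's card), as an added example that is not code from the post, the summary or Komoku: it baselines a directory tree, re-hashes it later, and reports what was added, removed or modified. SHA-256 is used instead of MD5 or SHA-1 (a choice of this example; collision attacks on MD5 are practical). The file names in the demo are constructed, and the scenario assumes the tree is mounted read-only from a trusted boot medium with the baseline manifest stored somewhere other than the checked disk.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example of an offline file-integrity check; not Komoku's code.
# Assumes the tree is mounted read-only from a trusted boot medium and
# that the baseline manifest lives off the disk being checked.

CHUNK = 1 << 16


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map of relative POSIX path -> digest for every regular file under root.

    Symlinks are pruned so a planted link cannot point the checker at a file
    outside the tree or make it loop.
    """
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not Path(dirpath, d).is_symlink())
        for name in sorted(filenames):
            p = Path(dirpath, name)
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def compare_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between two manifests; any non-empty list means 'investigate'."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "system32").mkdir()
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel image v1")
        (root / "system32" / "hal.dll").write_bytes(b"hal v1")
        (root / "readme.txt").write_bytes(b"hello")
        baseline = build_manifest(root)

        # Simulated rootkit install (constructed): patch the kernel image,
        # drop a driver, delete a file.
        (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel image v1 + hook")
        (root / "system32" / "drivers").mkdir()
        (root / "system32" / "drivers" / "evil.sys").write_bytes(b"hidden driver")
        (root / "readme.txt").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Like the card in the summary, this only reports that something changed; deciding whether a change is a patch or a rootkit is the investigation step. It also says nothing about the non-file areas the post lists (partition table, boot record), and running it from inside the live OS would let a kernel rootkit hand the checker clean file contents, which is why it belongs on the boot CD rather than on the installed system.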
I Don't think you understand the concept (Score:2)
At least that's what I'd do if I was a rootkit.
"boot CD" (Score:2)
Linux has the capability of reading NTFS files, so it is possible to make a Linux CD to do the checking. However, no one outside Microsoft has all the file variations.
Re:Hardware can't be fooled like the operating sys (Score:5, Insightful)
I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.
What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk I/O, and then the ability to let the overwhelming majority of host OS operations pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.
Re:Hardware can't be fooled like the operating sys (Score:4, Interesting)
Re:Hardware can't be fooled like the operating sys (Score:2)
Re:Hardware can't be fooled like the operating sys (Score:1)
So it's only logical to conclude that a VM wouldn't necessarily need to be much larger than this. Especially if it was running as a layer directly above the BIOS, proxying requests from the OS to the system and then wrapping up instructions where the VM needs to apply its own logic.
This type of VM wouldn't need to worry about scheduling or the more complex issues that come of running multiple OSes
Re:Hardware can't be fooled like the operating sys (Score:2)
qemu [bellard.free.fr]. To average Joe Windows User, it's good enough. It's slower than native, but spyware, IE, etc. slow down Windows anyway.
Re:Hardware can't be fooled like the operating sys (Score:2)
Re:Hardware can't be fooled like the operating sys (Score:2)
Re:Hardware can't be fooled like the operating sys (Score:1)
Only one question has come to mind: the directions on the pamphlet are wrong. I can't find the device it's showing me; could it be the end of a Cat5?
Re:Hardware can't be fooled like the operating sys (Score:1)
Re:Hardware can't be fooled like the operating sys (Score:2)
It's beyond me how you ended with Java as an example of your virtual machine.
There's a categorical difference between a virtual machine that can run a set of bytecodes (Flash's virtual machine, Java's virtual machine, the JavaScript virtual machines in browsers
-- and --
a virtual machine that emulates an independent PC hardware unit in a sandbox (with all of the video, sounds, I/O
Re:Hardware can't be fooled like the operating sys (Score:2)
Thing is, without a driver telling you where the heck the network IO is, and how to "pass thru" it you're lost, so we're back to the drivers/hardware support issue.
All of those feature we take for granted, such as sound/network/video/disk functionality is because we have an OS and drivers abstract
Re:Hardware can't be fooled like the operating sys (Score:2, Informative)
That said, this product seems interesting for its hardware approach. I wonder what kind of performance hit will result from installing this system.
Incidentally, the installer for
Re:Hardware can't be fooled like the operating sys (Score:2)
Why does the payload size matter? A worm/virus can be quite tiny to infect the host machine - and only then does it need to download the rest of its bits.
Re:Hardware can't be fooled like the operating sys (Score:2)
http://rsug.itd.umich.edu/software/radmind/ [umich.edu]
Re:Hardware can't be fooled like the operating sys (Score:1)
Intel started shipping desktop CPUs with virtualization technology last year. The virus doesn't need to implement the entire virtual machine.
Re:Hardware can't be fooled like the operating sys (Score:1)
Re:Hardware can't be fooled like the operating sys (Score:2)
Pretty big; around 130MB, if I recall (I may not; it's been a while). But don't worry, .NET comes right on your windows CD lately. Presumably it wouldn't take much to launch everything in a slightly modified version.
In all seriousness, I don't think a full virtual machine would have to be implemented. All along, viruses have worked by just patching what is required to setup a modified environment.
Mmmmm... Chaaaaaaalk... (Score:2)
btw, I'll be repeating my newfound favorite analogy until my wife's sick and tired of it, so thanks from her too.
emerge? (Score:5, Funny)
For some reason I can't get this to work. I read the man pages but it seems like emerge doesn't have a stealth mode? Let me know if I am missing something here before I go back to Ubuntu.
Re:emerge? (Score:1, Funny)
l337 haxx0r hates n00bz!!!
P.S. The next time you post attach 'emerge --info'.
Re:emerge? (Score:1)
C'mon. It's funny. Laugh. And maybe visit a Gentoo forum (they're funny too!).
(Not to knock Gentoo -- it's a decent distro. But some of the posts on the forums are, shall we say, a bit over the top.)
Re:emerge? (Score:1)
Re:emerge? (Score:2)
Mod this redundant, because it is.
Government Rootkit (Score:2, Insightful)
Re:Government Rootkit (Score:2)
Re:Government Rootkit (Score:1)
No problem, just pop in another non-DARPA-funded-rootkit-detecting PCI card!
Re:Government Rootkit (Score:1)
yeah but.... (Score:1)
Re:Government Rootkit (Score:3, Funny)
Then, I started pondering... "Hmmm... if Slashdot itself is a government DARPA project... to weed out targetable, unloyal, unsavory engineers and geeks..."
Re:Government Rootkit (Score:2)
Re:Government Rootkit Will Strontillium work? (Score:2)
Re:Government Rootkit (Score:1)
Re:Government Rootkit (Score:2)
Of course, this assumes the user is us
Well, the intertnets... (Score:2)
Notification (Score:2)
Have it start beeping (Score:2)
Your computer is beeping. Someone must have installed a bomb in it. Quick, call the cops. Then again.... In all seriousness, beeping would be the best way to go, especially since it will pretty much piss off a
Re:Have it start beeping (Score:1)
Re:Notification (Score:2)
A lot of good it will do... (was:Notification) (Score:4, Funny)
Re:Notification (Score:5, Interesting)
Re:Notification (Score:2)
Re:Notification (Score:2)
More likely though, it would probably write the event over the network to a monitoring server. After all, the PCI card is designed for high-availability and secure solutions, so it wouldn't surprise me if it required a network connection.
Re:Notification (Score:2)
Re:Notification (Score:1)
Built in OS (Score:4, Insightful)
Re:Built in OS (Score:4, Interesting)
You mean having all your OS buffer overflows built in the hardware?
Re:Built in OS Funny thing is... (Score:3, Interesting)
The US government (via some CIA (or other deep-cover/black-ops (so black that gravity and light and even THOUGHTS can't escape) org) front company) will buy them in bulk, or encourage their sales into the US market (since the average user/civilian/serf/subject is non-geek and won't even be SUSPICIOUS about such matters...).
Then, the US will have not only backbone, but capillary access to the Internet
Re:Built in OS Funny thing is... (Score:1)
Fixed that for ya. Those parenthetical compiler errors can be a devil to find without a good debugger.
Re:Built in OS Funny thing is... (Score:2)
Seems YOU are functioning within operating normal parameters...
Re:Built in OS (Score:2)
Reducing Rootkits (Score:2)
Multicore to the Rescue (Score:1)
Re:Multicore to the Rescue (Score:2)
But for the home PC I suppose you're right that this tech has little use. Perhaps if the price is very low and they get a good marketing department they may sell some of these cards to Joe Sixpack.
I see another race
load antivirus before OS (Score:2)
Isn't that... (Score:4, Informative)
Honestly, I just don't think there's a substitute for OS security. If a company can't stop your OS from being hijacked, there's no reason to think adding more layers of complexity to the system will help anything.
Sony PSP (Score:2)
The firmware in flash needs to be signed. All programs that run from any source (the cd thingy, the memory stick) also need to be signed. The only way to do anything is when clever people find buffer overflow exploits in that kernel. But that still doesn't allow you to have any permanent (in the flash) solution, since the flash needs to be signed. And that, of course, also
Re:load antivirus before OS (Score:2)
No better than a software solution (Score:1)
MS 'demonstrated' (Score:3, Insightful)
Re:MS 'demonstrated' (Score:2)
Shoot first, ask questions later (Score:1)
Re:Shoot first, ask questions later (Score:2)
I predict (Score:2)
I predict:
Re:I predict (Score:1)
Someone will come up with a way to infect the actual card
After all, if you can infect and modify the BIOS, why not this ultra-secure card? I am sure it has some type of non-volatile memory with firmware and the ability to burn updates into it, thus making it possible to be attacked.
Ah, yes.... (Score:1)
This happened to me in 15 minutes when reinstalling Windows for the umpteenth time. Love you MS!
Cool. Psychic Powers! (Score:2)
Re:Cool. Psychic Powers! (Score:1)
Why, Microsoft? RootKit Revealer from SysInternals (Score:3, Insightful)
My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.
Re:Why, Microsoft? RootKit Revealer from SysIntern (Score:2)
I believe that the future is now, and this OS... is OS (open source)...
www.freebsd.org
www.gentoo.org
www.opensolaris.org
rootkit free and loving it !
Re:Why, Microsoft? RootKit Revealer from SysIntern (Score:2)
You mean trusted computing? Gee, maybe MS would like to have some excuse for the unpopular idea of requiring all OS's to be signed by a central signing authority and monitored against tampering. Maybe MS is trying the idea out right now on the Xbox 360 as well.
'if' it works it'll just get embeded later (Score:2, Interesting)
Tax payer waste (Score:2)
Build one Linux source image with the kernel locked (no insmod modules). Problem solved. Why are they wasting our tax money?
Enjoy,
Re:Tax payer waste (Score:1)
Because even your proposed kernel could be easily modified (http://www.daemonology.net/bsdiff/ [daemonology.net]).
Because your BIOS could be modified, and such modifications could be undetectable to any OS.
HIBT? Probably. HAND.
Re:Tax payer waste (Score:2)
Because your BIOS could be modified, and such modifications could be undetectable to any OS.
You're right. Then again, you're mistaken. I can lock the BIOS (see the freebios project). As a bonus from using Linux, it probes the devices on boot (which is why it takes longer). Unlike Windows, which saves/checks the registry BIOS/Machine ID every time it boots. Sample: Take a Windows enabled hard disk and b
Sounds like a plan (Score:2)
Will it be legal to remove the rootkit? (Score:4, Insightful)
1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.
2) It's illegal to modify your hardware in ways the bureaucrats decreed. For example mod chips for consoles.
3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.
It's becoming more and more like renting hardware that you don't have the property rights to.
So what can you do when you detect that rootkit
Will removing a RIAA, government licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?
Or perhaps it will be that your hardware rootkit detector can remove a Fony rootkit up to 3 times. The same way a region code on a DVD drive can only be changed so many times, with the manufacturers in cahoots with content providers.
Windows... (Score:4, Funny)
Windows: It's so insecure, not even DARPA can stop it.
(it's funny... laugh)
Re:Windows... (Score:2)
Who WOULD You Trust to Make the Card? (Score:1)
I, too, would be wary of a government hardware device installed in my own computer. It's all too evident the NSA has its hand in all communications [omninerd.com] already. Would anybody really trust a device that can intercept all data traffic? It's the master backdoor they've always wanted. Then again, who would you trust to manuf
Re:Who WOULD You Trust to Make the Card? (Score:1)
Wilford Brimley. He just has a trusting face....
Computing by Committee (Score:2)
MS style rootkit is detectable (Score:2)
Re:And the goobeldy gook is...... (Score:1)