
DARPA Funded Startup to 'Bird-Dog' Rootkits

Posted by ScuttleMonkey
from the tails-of-woe dept.
Ski_Bird writes "DARPA is funding a startup that supposedly has a unique approach to detecting rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."
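The card in the summary, as the summary puts it, does not identify a rootkit; it reports that the kernel no longer matches a known baseline. The Python below is an added example, not Komoku's code or anything from the linked article: it models that idea with a constructed memory image (the addresses, page size and syscall-table layout are all made up for the example) and an out-of-band monitor that hashes kernel text pages and checks a function-pointer table against a baseline, reporting what changed rather than naming any malware.

```python
import hashlib
import struct

# Constructed layout of a toy "physical memory" image. All addresses, the
# page size and the table layout are made up for this example.
PAGE_SIZE = 256
KERNEL_TEXT_BASE = 0xC0100000            # where "kernel code" lives
KERNEL_TEXT_SIZE = 4 * PAGE_SIZE         # four text pages
SYSCALL_TABLE_BASE = KERNEL_TEXT_BASE + KERNEL_TEXT_SIZE   # table follows the text
SYSCALL_COUNT = 8
IMAGE_BASE = KERNEL_TEXT_BASE


def build_clean_image() -> bytearray:
    """Deterministic, constructed image: pseudo-random kernel text followed by
    a syscall table whose entries all point into that text, as a healthy
    kernel's table would."""
    text = bytearray()
    for page in range(KERNEL_TEXT_SIZE // PAGE_SIZE):
        filler = hashlib.sha256(b"kernel-page-%d" % page).digest()
        text += filler * (PAGE_SIZE // len(filler))
    table = bytearray()
    for i in range(SYSCALL_COUNT):
        handler = KERNEL_TEXT_BASE + (i * 37) % KERNEL_TEXT_SIZE
        table += struct.pack("<Q", handler)
    return text + table


def read_physical(image: bytes, addr: int, size: int) -> bytes:
    """Stands in for the card reading RAM over the bus: the host OS is not
    asked, so whatever it hides from its own APIs is still visible here."""
    off = addr - IMAGE_BASE
    if off < 0 or off + size > len(image):
        raise ValueError(f"read of {size} bytes at {addr:#x} is outside the image")
    return bytes(image[off:off + size])


def take_baseline(image: bytes) -> dict:
    """Known-good state recorded at install time: one hash per kernel text
    page plus a verbatim copy of the syscall table."""
    pages = {}
    for n in range(KERNEL_TEXT_SIZE // PAGE_SIZE):
        addr = KERNEL_TEXT_BASE + n * PAGE_SIZE
        pages[addr] = hashlib.sha256(read_physical(image, addr, PAGE_SIZE)).hexdigest()
    table = read_physical(image, SYSCALL_TABLE_BASE, SYSCALL_COUNT * 8)
    return {"pages": pages, "syscall_table": table}


def audit(image: bytes, base: dict) -> list:
    """Compare the live image with the baseline. The result is a list of
    observations about what changed; like the card in the story, it does
    not name a rootkit, only flags a kernel that no longer matches."""
    findings = []
    for addr, good in base["pages"].items():
        now = hashlib.sha256(read_physical(image, addr, PAGE_SIZE)).hexdigest()
        if now != good:
            findings.append(f"kernel text page {addr:#x} modified")
    live = read_physical(image, SYSCALL_TABLE_BASE, SYSCALL_COUNT * 8)
    text_end = KERNEL_TEXT_BASE + KERNEL_TEXT_SIZE
    for i in range(SYSCALL_COUNT):
        (old,) = struct.unpack_from("<Q", base["syscall_table"], i * 8)
        (new,) = struct.unpack_from("<Q", live, i * 8)
        if new != old:
            findings.append(f"syscall {i} handler moved {old:#x} -> {new:#x}")
        if not KERNEL_TEXT_BASE <= new < text_end:
            # A handler outside kernel text is the classic table-hook shape.
            findings.append(f"syscall {i} handler {new:#x} lies outside kernel text")
    return findings


def warrants_investigation(findings: list, threshold: int = 1) -> bool:
    """Policy knob: how much drift counts as 'changed dramatically enough'."""
    return len(findings) >= threshold


def simulate_tampering(image: bytes) -> bytearray:
    """Constructed change to exercise the monitor: redirect one syscall entry
    out of kernel text and flip a byte inside one text page."""
    tampered = bytearray(image)
    struct.pack_into("<Q", tampered, SYSCALL_TABLE_BASE - IMAGE_BASE + 3 * 8, 0xD0000000)
    tampered[2 * PAGE_SIZE] ^= 0xFF       # page 2 starts at offset 2*PAGE_SIZE
    return tampered


if __name__ == "__main__":
    clean = build_clean_image()
    base = take_baseline(clean)
    print("clean image findings:", audit(clean, base))
    for line in audit(simulate_tampering(clean), base):
        print("finding:", line)
```

The point of splitting `read_physical` out is that it is the only thing a real card does differently from a software scanner: it reads RAM without going through the OS, so a kernel that filters its own APIs cannot filter this view. The baseline has to be taken when the kernel is trusted, and `warrants_investigation` is where legitimate kernel updates have to be re-baselined rather than treated as compromise.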
  • The story keeps coming up that Windows or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine? It will be interesting to see what type of software comes out of this research since this is using hardware to detect changes at the bus level - that way the rootkit or virus cannot use its trickery to hide itself.
    • by Anonymous Coward on Monday April 24, 2006 @08:42PM (#15194130)
      I'm more interested in what Sony has to say about this development.
    • by patio11 (857072) on Monday April 24, 2006 @09:00PM (#15194200)
      > The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine?

      I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.

      What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations to pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.

      • by patio11 (857072) on Monday April 24, 2006 @09:05PM (#15194215)
        Shoot, I lied. Forget about a couple hundred K. If you buy that Java is in any way representative of the level of complexity this would require, you can likely do it in a couple dozen K. Quick Google search turned up a Java VM with a memory footprint of 10k [sourceforge.net].
      • Um, these stories indicate that *Windows* would be running in this VM. Please show me a virtual machine that can run Windows or Linux so well that you don't even know it's there - and is only a few hundred KB. Yes, we all know there are all kinds of virtual machines that could run in a very small amount of space. I think the B.A.S.I.C. VM on my Commodore 64 was quite small - let's see that run Linux or Windows.
        • Um..well the BIOS on most PCs is only several hundred KB and contains all that is needed for the basic operation of a PC.

          So it's only logical to conclude that a VM wouldn't necessarily need to be much larger than this, especially if it was running as a layer directly above the BIOS, proxying requests from the OS to the system and then wrapping up instructions where the VM needs to apply its own logic.

          This type of VM wouldn't need to worry about scheduling or the more complex issues that come of running multiple OSes.
        • > Please show me a Virtual Machine that can run Windows, or Linux so good that you don't even know its there.

          qemu [bellard.free.fr]. To average Joe Windows User, it's good enough. It's slower than native, but spyware, IE, etc. slow down Windows anyway.
      • Doesn't all of this involve redoing the filesystem and moving the Windows partition into a file on the rootkit OS's partition? And wouldn't that basically take hours of heavy disk work? That seems harder to pull off on a lot of computers, either because they're being used, or being checked on from the network for tasks overnight?
      • I finally have a reason to go into the store and ask for XXL condoms, they say they can protect against 99% of the viruses if used properly, I think I'm going to double up, I didn't understand the pregnancy part though, but hey, I don't mind as long as I'm protected.

        Only one question has come to mind, is that the directions on the pamphlet are wrong, I can't find the device it's showing me, could it be the end of a cat5? :/
      • I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk

        It's beyond me how you ended with Java as an example of your virtual machine.

        There's a categorical difference between a virtual machine that can run a set of bytecodes (Flash's virtual machine, Java's virtual machine, the JavaScript virtual machines in browsers /yes it's a VM/, the CLR of dot NET etc.)

        -- and --

        a virtual machine that emulates an independent PC hardware unit in a sandbox (with all of the video, sounds, I/O
    • I doubt `HOIST.JPG.EXE (82MB)' is going to come in as an attachment. More likely a more mundane rootkit is first loaded by the malware, downloads this in the background, gets it all setup on the hard drive, then forces a `STOP Error'. At that point the original rootkit could be deleted and no trace of the infection would remain.

      That said, this product seems interesting for its hardware approach. I wonder what kind of performance hit will result from installing this system.

      Incidentally, the installer for
    • "...has anyone thought of the payload size needed to implement an entire virtual machine?"

      Why does the payload size matter? A worm/virus can be quite tiny to infect the host machine - and only then does it need to download the rest of its bits.
    • has anyone thought of the payload size needed to implement an entire virtual machine?

      Intel started shipping desktop CPUs with virtualization technology last year. The virus doesn't need to implement the entire virtual machine.

    • The virus using a virtual machine would probably compromise existing virtual machine servers, and could script the copy of an existing virtual machine. At least that's what occurs to me off the top of my head. You CAN write data to the virtual HDD of a virtual machine while it's not loaded, usually. So it just writes itself into the boot sector or executable area of a virtual machine, and voila. Payload size hasn't dramatically increased.
    • but has anyone thought of the payload size needed to implement an entire virtual machine?

      Pretty big; around 130MB, if I recall (I may not; it's been a while). But don't worry, .NET comes right on your Windows CD lately. Presumably it wouldn't take much to launch everything in a slightly modified version.

      In all seriousness, I don't think a full virtual machine would have to be implemented. All along, viruses have worked by just patching what is required to setup a modified environment.

  • emerge? (Score:5, Funny)

    by Hack Jandy (781503) on Monday April 24, 2006 @08:47PM (#15194148) Homepage
    emerge from stealth mode

    For some reason I can't get this to work. I read the man pages but it seems like emerge doesn't have a stealth mode? Let me know if I am missing something here before i go back to Ubuntu.
    • Re:emerge? (Score:1, Funny)

      by Godji (957148)
      Oh cut it out, both stealth and mode are obviously package.mask-ed, ye bloody n00b!!! RTFM! Go back to whatever BSD you came from!

      l337 haxx0r hates n00bz!!!

      P.S. The next time you post attach 'emerge --info'.
      • Flamebait?

        C'mon. It's funny. Laugh. And maybe visit a Gentoo forum (they're funny too!).

        (Not to knock Gentoo -- it's a decent distro. But some of the posts on the forums are, shall we say, a bit over the top.)
        • Think of it as self-irony, coming from the mouth (alright, coming from the keyboard) of a devoted Gentoo user. It's a little tasteless, I admit, but considering the amount of sleep I've been getting lately relative to normal geeks, it's one hell of a good joke.
    • Ah, another emerge joke [slashdot.org].

      Mod this redundant, because it is.
  • Government Rootkit (Score:2, Insightful)

    by Anonymous Coward
    Funded by DARPA? Maybe that PCI card is a rootkit from the government itself! Have you given that a thought?
    • I tried, but then the police came knocking at my door and told me that thoughts like that helped the terrorists win. If I used a non-DARPA approved PCI card, then I could steal IP and help fund al-Qaeda.
    • "Funded by DARPA? Maybe that PCI card is a rootkit from the government itself! Have you given that a thought?"

      No problem, just pop in another non-DARPA-funded-rootkit-detecting PCI card!
    • Just last week I was (re)wondering whether or not all our provided/purchased cable-modems are under a national security order to be "backdoorable". Hell, the telcos have been in bed with the government for maybe all of their existence, at least the past 20 years, I suppose.

      Then, I started pondering... "Hmmm... if Slashdot itself is a government DARPA project....to weed out targetable, disloyal, unsavory engineers and geeks..."
    • ...were originally funded by DARPA. Quick, unplug the network cable! Don't you realize They are controlling your mind via subliminal messages in Google Ads???
  • I'm a little curious as to how the card is going to notify the user the system may have been compromised. If it involves the host OS in any way (dialog box) it could be bypassed by the rootkit. Maybe an LED on the card will switch from green to red? How often are you going to remember to check it?
    • I'm a little curious as to how the card is going to notify the user the system may have been compromised. If it involves the host OS in any way (dialog box) it could be bypassed by the rootkit. Maybe an LED on the card will switch from green to red? How often are you going to remember to check it?

      Your computer is beeping. Someone must have installed a bomb in it. Quick call the cops. Then again.... In all seriousness beeping would be the best way to go especially since it will pretty much piss off a

    • This might not sound very helpful to the never reboot crowd, but I sure wouldn't mind a system halt on reboot if my system was compromised.
    • by Lead Butthead (321013) on Monday April 24, 2006 @09:06PM (#15194218) Journal
      I'm a little curious as to how the card is going to notify the user the system may have been compromised. If it involves the host OS in any way (dialog box) it could be bypassed by the rootkit. Maybe an LED on the card will switch from green to red? How often are you going to remember to check it?
      A lot of good it will do if it's triggered every time Microsoft releases a "security update."
    • Re:Notification (Score:5, Interesting)

      by MBCook (132727) <foobarsoft@foobarsoft.com> on Monday April 24, 2006 @09:19PM (#15194269) Homepage
      Here are the things I can think of and the pros/cons:
      • Blink a LED - Cheap, but requires looking at a LED (easy in a server environment maybe, but not for 1000 corporate desktops).
      • Sound an Alarm - Noticeable, but loud and annoying, especially if false alarms exist more often than "almost never".
      • Network - Give it a network interface (sort of like pre-boot management interfaces on expensive servers), but it could easily notify people anywhere this way. Expensive though, needs network ports.
      • Wireless - Some kind of wireless response (so you walk by it with a little scanner and it says clean or compromised) not cheap, possibly short range, requires scanner.
      • Software - Easiest, but could be compromised unless it used the BIOS to send the message out somehow during boot.
      • Other - Things like the voodoo pass-though (mentioned in another reply), causing the keyboard LEDs to flash, and other such things. Tend to be kind of hokey.
    • How hard would it be for the PCI card to make a screen write that simply put up a dialog screen indicating an event had happened.

      More likely though, it would probably write the event over the network to a monitoring server. After all, the PCI card is designed for high-availability and secure solutions, so it wouldn't surprise me if it required a network connection.
    • VGA/DVI+keyboard passthrough connector would allow a notification to come up without interfering with or being detectable by the OS
    • Hardware interrupt, like the keyboard thing mentioned above, could be implemented in a way such that the OS cannot do anything about it. That would be the easiest way.
  • Built in OS (Score:4, Insightful)

    by Joebert (946227) on Monday April 24, 2006 @08:59PM (#15194193) Homepage
    You know, all this stuff I've read about rootkits lately could make a hell of an argument for anyone wanting to get their Operating System dug deep into new computers being sold if you ask me.
    • Re:Built in OS (Score:4, Interesting)

      by jmv (93421) on Monday April 24, 2006 @09:39PM (#15194323) Homepage
      Operating System dug deep into new computers being sold

      You mean having all your OS buffer overflows built in the hardware?
    • They'll be built in Shenzhen or Venezuela or Czechoslovakia or maybe someplace where China has DEEP ties.

      The US government (via some CIA (or other deep-cover/black-ops (so black that gravity and light and even THOUGHTS can't escape) org) front company will buy them in bulk, or encourage their sales into the US market (since the average user/civilian/serf/subject is non-geek and won't even be SUSPICIOUS about such matters...).

      Then, the US will have not only backbone, but capillary access to the Internet
      • The US government (via some CIA (or other deep-cover/black-ops (so black that gravity and light and even THOUGHTS can't escape) org) front company will buy them in bulk, or encourage their sales into the US market (since the average user/civilian/serf/subject is non-geek and won't even be SUSPICIOUS about such matters...)).

        Fixed that for ya. Those parenthetical compiler errors can be a devil to find without a good debugger.

    • Seriously though, there is an enormous number of people who only use their computers to browse the web, IM, send mail and possibly edit the occasional document. I don't think that it would be unfeasible to implement an operating system and application programs in VHDL and burn it into an ASIC for those people. That way, they would definitely be safe from all kinds of malware, with the slight inconvenience of being unable to install new programs.
  • It's going to take a combination of efforts similar to this and advanced heuristics to reduce the threat of rootkits. Solutions like Gamma will need to eat a lot of R&D money as they struggle to counter holes that rootkits exploit. It's nice to see DARPA funding a project like this.
  • When we get up to 16 core cpus, we could start dedicating one core entirely to one virtual detection core, making this hardware useless. Seeing as how this would be possible within the next 5 years, this hardware has already failed.
    • Not necessary: It's much easier to plug a PCI card into an older PC than it is to plug a multicore processor into a PII socket. There are a lot of situations where it's too risky to replace a working computer with a new one. Such a card could provide some additional protection in such situations.
      But for the home PC I suppose you're right that this tech has little use. Perhaps if the price is very low and they get a good marketing department they may sell some of these cards to Joe Sixpack.

      I see another race
  • The best solution would be to have system boot into an antimalware system before the OS itself. This software could be signed with multiple public keys embedded in the firmware to prevent it from being co-opted by a rootkit. (And yes, you'd also need security to prevent the firmware from being overwritten by a rootkit.) This software would then scan the kernel and first load components (critical device drivers, etc) of the kernel, along with its own in-OS software, for known threats and would alert the u
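As an added example, not code from the post's author or from any firmware vendor, here is the boot-time part of that design in Python. The standard library has no signature primitives, so it substitutes TPM-style hash-chain measurement against golden values that the firmware would carry (in the post's design, protected by the firmware's embedded keys) for the signature verification the post describes; the stage names and component contents are constructed.

```python
import hashlib

# Constructed boot stages in load order. The byte strings stand in for the
# real binaries the post says a pre-boot scanner would check.
BOOT_ORDER = ["pre-boot-scanner", "kernel", "driver:storage", "driver:network"]

CLEAN_COMPONENTS = {
    "pre-boot-scanner": b"constructed: antimalware stub that runs before the OS",
    "kernel": b"constructed: kernel image",
    "driver:storage": b"constructed: early-load storage driver",
    "driver:network": b"constructed: early-load network driver",
}


def measure(blob: bytes) -> bytes:
    """Hash one component before control is handed to it."""
    return hashlib.sha256(blob).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || measurement). The register only ever
    accumulates, so nothing loaded later can erase an earlier measurement."""
    return hashlib.sha256(register + measurement).digest()


def golden_values(components: dict) -> dict:
    """Register value expected after each stage, computed once from a
    known-good set. In the post's design these would be stored in firmware
    under the firmware's own signing keys; here they are simply returned."""
    register = bytes(32)
    expected = {}
    for stage in BOOT_ORDER:
        register = extend(register, measure(components[stage]))
        expected[stage] = register
    return expected


def verified_boot(components: dict, expected: dict) -> tuple:
    """Measure each stage before loading it and halt at the first one whose
    accumulated register disagrees with the golden value. Returns
    (status, last_stage_checked, register)."""
    register = bytes(32)
    for stage in BOOT_ORDER:
        register = extend(register, measure(components[stage]))
        if register != expected[stage]:
            # This stage and every later one stay unloaded.
            return ("halt", stage, register)
    return ("ok", BOOT_ORDER[-1], register)


def tampered_kernel(components: dict) -> dict:
    """Constructed tampering: a patched kernel image."""
    changed = dict(components)
    changed["kernel"] = components["kernel"] + b" + injected hook"
    return changed


def swapped_drivers(components: dict) -> dict:
    """Constructed tampering that a check asking only 'is every loaded file on
    the allow-list?' would miss: each file is still a known-good file, only
    the load order differs."""
    changed = dict(components)
    changed["driver:storage"], changed["driver:network"] = (
        components["driver:network"], components["driver:storage"])
    return changed


if __name__ == "__main__":
    golden = golden_values(CLEAN_COMPONENTS)
    print(verified_boot(CLEAN_COMPONENTS, golden)[:2])
    print(verified_boot(tampered_kernel(CLEAN_COMPONENTS), golden)[:2])
    print(verified_boot(swapped_drivers(CLEAN_COMPONENTS), golden)[:2])
```

Because each stage is measured before it runs and the register chains forward, the decision to halt is taken by code that has itself already been checked, which is the property the post is after. What the hash chain cannot do, and signatures can, is accept a legitimately updated kernel without a new golden value; that is the trade-off the post's "signed with multiple public keys" variant addresses.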
    • Isn't that... (Score:4, Informative)

      by Aurisor (932566) on Monday April 24, 2006 @09:16PM (#15194258) Homepage
      Isn't that basically what "trusted computing" aims to accomplish?

      Honestly, I just don't think there's a substitute for OS security. If a company can't stop your OS from being hijacked, there's no reason to think adding more layers of complexity to the system will help anything.
      • It sure is. This is actually exactly how the Sony PSP works, and it really stinks for trying to get homemade software to run on it.

        The firmware in flash needs to be signed. All programs that run from any source (the cd thingy, the memory stick) also need to be signed. The only way to do anything is when clever people find buffer overflow exploits in that kernel. But that still doesn't allow you to have any permanent (in the flash) solution, since the flash needs to be signed. And that, of course, also
    • Congratulations. You've just invented Palladium.
  • This reminds me of the old copy2pc ISA option board you could plug in way back in the day. It didn't take long before the whole card was replaced by an even better software-only solution. This "bird-dog" card seems to be a step backwards to the old hardware cards before the systems and software were powerful enough to get the job done. I imagine it will take about a day or so for numerous good rootkits to be written to sneak right past it natively.
  • MS 'demonstrated' (Score:3, Insightful)

    by roman_mir (125474) on Monday April 24, 2006 @09:16PM (#15194262) Homepage Journal
    Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible. - that's a nice political twist for saying that the MS OS was 'had' by a smart rootkit :)
    • Actually, on par with /. summaries, the summary sucks. Now, I'm not saying the linked site isn't somewhat at fault, having stuck headlines for other stories almost at random throughout the linked story, but I didn't notice where the article stated that MS subverted the Komoku hardware device by doing some virtual machine trick. I did see a link to that VM article, but that link appeared to be randomly inserted into the Komoku article. It was pointed out that the PCI device was for high security machines,
  • If DARPA (since they're a DEFENSE agency) would shoot 2 or 3 of the contributors to rootkit.com's website, the rest of us geeks might be able to focus on providing solutions to business problems. Oh, wait... ...that'd be so freaking boring... ...nevermind
  • I predict:

    • Malware that will infect the tool/driver used to configure this card and disable the protection.
    • Malware that will employ evasion techniques to prevent the card from detecting them (and as with traditional IDS evasion methods, they will be very effective and bad guys will implement them relatively easily).
    • The card will be overpriced, and will not meet the commercial success its original developers hoped.
    • You forgot prediction number 4:
      Someone will come up with a way to infect the actual card
      After all, if you can infect and modify the BIOS, why not this ultra-secure card? I am sure it has some type of non-volatile memory with firmware and the ability to burn updates into it, thus making it possible to be attacked.
  • Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible.

    This happened to me in 15 minutes when reinstalling Windows for the umpteenth time. Love you MS!

  • While waiting to determine why Microsoft is going to such trouble to advertise [eweek.com] the insecurity [eweek.com] of its present operating systems, you can use the free RootKit Revealer [sysinternals.com] from SysInternals.

    My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.
    • "My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits."

      I believe that the future is now, and this OS... is OS (open source)...

      www.freebsd.org
      www.gentoo.org
      www.opensolaris.org

      rootkit free and loving it !
    • My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.

      You mean trusted computing? Gee, maybe MS would like to have some excuse for the unpopular idea of requiring all OS's to be signed by a central signing authority and monitored against tampering. Maybe MS is trying the idea out right now on the Xbox 360 as well.
  • by Anonymous Coward
    If this card works, then it would just get embedded in the mobo later anyway, but it's a good start to stopping rootkits, other than not being an idiot when using a computer. I have a better idea though...MS should just fix Windows. Oh sorry, that's a 'good' idea. The issue is that no matter what plans are put into action someone will find a way to do what they want, it's that simple. Until programmers (myself included) stop being lazy and companies stop demanding products to be finished in a hurry with low
  • a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity.

    Build one Linux source image with the kernel locked (no insmod modules). Problem solved. Why are they wasting our tax money?

    Enjoy,
    • ...

      Because even your proposed kernel could be easily modified (http://www.daemonology.net/bsdiff/ [daemonology.net]).

      Because your BIOS could be modified, and such modifications could be undetectable to any OS.

      HIBT? Probably. HAND.

      • Because even your proposed kernel could be easily modified (http://www.daemonology.net/bsdiff/ [daemonology.net]).

        Because your BIOS could be modified, and such modifications could be undetectable to any OS.


        You're right. Then again, you're mistaken. I can lock the BIOS (see the freebios project). As a bonus from using Linux, it probes the devices on boot (which is why it takes longer). Unlike Windows, which saves/checks the registry BIOS/Machine ID every time it boots. Sample: Take a Windows enabled hard disk and b
  • Create a problem that doesn't exist to pimp your own Treacherous Computing initiative.
  • by beoswulf (940729) on Monday April 24, 2006 @10:55PM (#15194545)
    Tinfoil hat time but:
    1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.

    2) It's illegal to modify your hardware in ways the bureaucrats decreed. For example mod chips for consoles.

    3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.

    It's becoming more and more like renting hardware that you don't have the property rights to.

    So what can you do when you detect that rootkit

    Will removing a RIAA, government licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?

    Or perhaps it will be that your hardware rootkit detector can remove a Fony rootkit up to 3 times. The same way a region code on a DVD drive can be only changed so many times, with the manufacturers in cahoots with content providers. /tries to remove tin-foil hat but gets shocked by hat's user protection "feature."
  • Windows... (Score:4, Funny)

    by XMilkProject (935232) on Monday April 24, 2006 @10:57PM (#15194551) Homepage
    Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible.

    Windows: It's so insecure, not even DARPA can stop it.

    (it's funny... laugh)
    • I think this clearly explains a need for a virtualization solution from their side. If MS Virtualizer is running, then, barring exploits, it won't be possible for malware to run its code at hypervisor level.
  • OmniNerd has an article describing how rootkits function [omninerd.com]. Most of you are already familiar with them, but the underpinnings as to why software solutions will always fail are quite clear.

    I, too, would be wary of a government hardware device installed in my own computer. It's all too evident the NSA has its hand in all communications [omninerd.com] already. Would anybody really trust a device that can intercept all data traffic? It's the master backdoor they've always wanted. Then again, who would you trust to manuf
  • I wonder if, in the future, computers will have multiple unique, separate and heterogeneous operating systems which communicate through some type of decision protocol/bus. The idea of an external HT spec and the Opteron socketed FPGA make the idea of having different hardware/OSes that make decisions by committee sound theoretically feasible. If anyone has ever seen Neon Genesis: Evangelion, the idea reminds me of the 3 supercomputer minds used to make decisions. And hopefully, should a very deep attack
  • Sorry, but the post is wrong. The proposed rootkit by MS, and indeed every VM-based rootkit under x86 until virtualization support becomes more of a reality, will be detectable. Basically, there are many instructions and data structures that are required by the OS that the architecture never anticipated needing to deal with two of them, for instance the interrupt descriptor table, or the global descriptor table.
