DARPA Funded Startup to 'Bird-Dog' Rootkits

Ski_Bird writes "DARPA is funding a startup that supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."
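An added Python sketch (not Komoku's code, and not from the article) of the kind of "has the O/S changed enough to warrant investigation" check the summary describes, run over constructed memory snapshots; the region names, the immutable/volatile split and the 50% threshold are assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Region:
    name: str
    immutable: bool  # True for code/tables that must not change after boot


# Assumed set of regions an out-of-band monitor (e.g. a PCI card) would read.
REGIONS: List[Region] = [
    Region("kernel_text", immutable=True),
    Region("syscall_table", immutable=True),
    Region("idt", immutable=True),
    Region("process_list", immutable=False),  # legitimately churns
    Region("page_cache", immutable=False),
]

# Constructed sample snapshots; the bytes stand in for real memory contents.
CLEAN_SNAPSHOT: Dict[str, bytes] = {
    "kernel_text": b"\x55\x48\x89\xe5" * 64,
    "syscall_table": bytes(range(0, 256, 2)),
    "idt": b"\x00\x80\x01\xc0" * 32,
    "process_list": b"init,sshd,bash",
    "page_cache": b"cached-blocks-0001",
}
# Same machine later: only volatile data moved.
BUSY_SNAPSHOT = dict(CLEAN_SNAPSHOT, process_list=b"init,sshd,bash,vim",
                     page_cache=b"cached-blocks-0042")
# Same machine with one syscall table entry overwritten.
_tbl = CLEAN_SNAPSHOT["syscall_table"]
HOOKED_SNAPSHOT = dict(BUSY_SNAPSHOT, syscall_table=_tbl[:10] + b"\xde\xad" + _tbl[12:])


def take_baseline(read: Callable[[str], bytes], regions=REGIONS) -> Dict[str, str]:
    """Record a known-good SHA-256 per region, taken right after a clean boot."""
    return {r.name: hashlib.sha256(read(r.name)).hexdigest() for r in regions}


def check_drift(read: Callable[[str], bytes], baseline: Dict[str, str],
                regions=REGIONS, threshold: float = 0.5) -> dict:
    """Flag 'investigate' if any immutable region changed, or if the share of
    changed regions reaches the threshold; otherwise 'ok'. No rootkit verdict,
    just 'changed enough to look at', as the summary describes."""
    changed = [r for r in regions
               if hashlib.sha256(read(r.name)).hexdigest() != baseline[r.name]]
    changed_immutable = [r.name for r in changed if r.immutable]
    ratio = len(changed) / len(regions)
    verdict = "investigate" if changed_immutable or ratio >= threshold else "ok"
    return {"verdict": verdict, "changed_ratio": ratio,
            "changed_immutable": changed_immutable}
```

A volatile-only change (BUSY_SNAPSHOT) stays below the threshold and reads "ok", while a single byte patched in the syscall table is flagged regardless of how little else moved.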
  • Government Rootkit (Score:2, Insightful)

    by Anonymous Coward on Monday April 24, 2006 @09:48PM (#15194151)
    Funded by DARPA? Maybe that PCI card is a rootkit from the government itself! Have you given that a thought?
  • Built in OS (Score:4, Insightful)

    by Joebert ( 946227 ) on Monday April 24, 2006 @09:59PM (#15194193) Homepage
    You know, all this stuff I've read about rootkits lately could make a hell of an argument for anyone wanting to get their Operating System dug deep into new computers being sold if you ask me.
  • by patio11 ( 857072 ) on Monday April 24, 2006 @10:00PM (#15194200)
    > The story keeps coming up that Windows, or Linux could be hoisted up into a virtual machine and antivirus software can never detect it - but has anyone thought of the payload size needed to implement an entire virtual machine?

    I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.

    What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations to pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.

  • MS 'demonstrated' (Score:3, Insightful)

    by roman_mir ( 125474 ) on Monday April 24, 2006 @10:16PM (#15194262) Homepage Journal
    Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible. - that's a nice political twist for saying that the MS OS was 'had' by a smart rootkit :)
  • by techno-vampire ( 666512 ) on Monday April 24, 2006 @10:25PM (#15194289) Homepage
    I see no reason a Windows rootkit detector couldn't be written to run under Linux from a bootable CD. Then, you don't have to remove the hard drive. Not sure if it's proof against a rogue-flashed BIOS, but it should work against most of them.
  • by Futurepower(R) ( 558542 ) on Monday April 24, 2006 @11:00PM (#15194373) Homepage
    While waiting to determine why Microsoft is going to such trouble to advertise [eweek.com] the insecurity [eweek.com] of its present operating systems, you can use the free RootKit Revealer [sysinternals.com] from SysInternals.

    My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.
  • by beoswulf ( 940729 ) on Monday April 24, 2006 @11:55PM (#15194545)
    Tinfoil hat time but:
    1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.

    2) It's illegal to modify your hardware in ways the bureaucrats decreed. For example mod chips for consoles.

    3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.

    It's becoming more and more like renting hardware that you don't have the property rights to.

    So what can you do when you detect that rootkit?

    Will removing a RIAA, government licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?

    Or perhaps it will be that your hardware rootkit detector can remove a Fony rootkit up to 3 times. The same way a region code on a dvd drive can be only changed so many times with the manufacturers in cahoots with content providers. /tries to remove tin-foil hat but gets shocked by hat's user protection "feature."
