DARPA Funded Startup to 'Bird-Dog' Rootkits 124
Ski_Bird writes "DARPA is funding a startup the supposedly has a unique approach to detect rootkits. The startup, Komoku, is ready to 'emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.' They have a PCI card that doesn't necessarily determine that a rootkit is installed, only that the O/S has changed dramatically enough to warrant investigation. Microsoft, however, demonstrated a rootkit running in a virtual machine outside of the user's O/S workspace that made detection impossible."
Government Rootkit (Score:2, Insightful)
Built in OS (Score:4, Insightful)
Re:Hardware can't be fooled like the operating sys (Score:5, Insightful)
I don't know, a couple hundred K? You can get a stripped down Java VM onto a floppy disk (don't laugh! It was originally designed to be an embedded systems language) and RootkitOS could cut that down even farther, since it could afford to cut out all the features that the rootkit wouldn't need.
What does a rootkit need anyhow? One low level socket library for phoning the mothership or botnet, cloaking ability, disk i/o, and then the ability to let the overwhelming majority of host OS operations to pass through unimpeded? Just make it so that the cloaked memory/hard drive space is just not even addressable within the virtual machine. Everything else can be permitted.
MS 'demonstrated' (Score:3, Insightful)
Re:Hardware can't be fooled like the operating sys (Score:4, Insightful)
Why, Microsoft? RootKit Revealer from SysInternals (Score:3, Insightful)
My guess is that Microsoft's effort is an attempt to create a demand for some future operating system that will be hardened against rootkits.
Will it be legal to remove the rootkit? (Score:4, Insightful)
1) It's already illegal by the DMCA to bypass software "features" you don't want on your system. For example breaking DRM.
2) It's illegal to modify your hardware in ways the bureacrats decreed. For example mod chips for consoles.
3) Trusted computing means your computer hardware will have "features" like HDCP straight off the shelf.
It's becoming more and more like renting hardware that you don't have the property rights to.
So what can you do when you detect that rootkit
Will removing a RIAA, governnent licensed rootkit be criminalized? Because you must have intent to distribute copyrighted materials, otherwise you should have nothing to hide?
Or perhaps it will be that your hardware rootkit detector a remove a Fony rootkit up to 3 times. The same way a region code on a dvd drive can be only changed so many times with the manufacturers in cahoots with content providers.