Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Government-Funded Startup Blasts Rootkits



 By: Ryan Naraine
2006-04-24
Article Rating:starstarstarstarstar / 1


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Can you say Komoku? A startup backed by DARPA, the Navy and the Department of Homeland Security plans to destroy rootkits with a "unique approach" that can burrow into the operating system and sniff out malware's trail.

A startup funded by the U.S. governments Defense Advanced Research Projects Agency is ready to emerge from stealth mode with hardware and software-based technologies to fight the rapid spread of malicious rootkits.

Komoku, of College Park, Md., plans to ship in the summer a beta of Gamma, a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity. Rootkits modify the flow of the kernel to hide the presence of an attack or compromise on a machine. This gives a hacker remote user access to a compromised system while avoiding detection by anti-virus scanners.

The companys Copilot prototype is a high-assurance PCI card capable of monitoring the hosts memory and file system at the hardware level. It is specifically geared toward high-security servers and computers.

Gamma, meanwhile, is a separate, software-only clone of Copilot that will target businesses interested in a low-assurance tool to protect laptops and PCs.

Komoku launched quietly in 2004 with about $2.5 million in funding and rootkit detection contracts from DARPA, the Department of Homeland Security and the U.S. Navy. The company has its roots at the University of Maryland, where computer scientist William Arbaugh worked on what he calls a "unique approach" to finding rootkits.

"Security technologies depend on the correctness of the system theyre actually checking," said Arbaugh, who now serves as president of the outfit, which consists of three full-time and two part-time employees. "If something changes the system at the operating system level, it cant be reliably detected via the OS itself or through applications running on the system," he said. "We have this notion of what the operating system is supposed to look like, and we look for deviations to that. We arent initially looking for the rootkit—we look at the side effects of the infection."

Resource Library:

Komoku has partnered with security vendor Symantec to handle disinfection and restoration after rootkits and other sophisticated forms of malware are detected. Symantecs LiveState product combines with Copilot and Gamma to restore the system to its original state.

James Butler, a renowned rootkit researcher who serves as Komokus chief technology officer, said Gamma will have limited cleanup capabilities because it is software-based and susceptible to direct attack, much like any application running on the operating system.

"Cleanup is a very difficult goal while maintaining a running system. When you find a rootkit, you essentially have several choices. The easiest choice is to halt the system. But, that means that youll lose any evidence that might be in memory. It also means that the services provided by that system are made unavailable," Butler explained.

Another choice, said Butler, is to eliminate the effects of the rootkit, although this can be very difficult because of the complicated nature of an operating system. A third option is to allow the rootkit to remain active while attempting to discern its motives, Butler said, noting that both Gamma and Copilot will allow all three of these choices.

Komokus long-term plan is to have both the hardware and software versions collect forensic data when a compromise is detected. Butler said both products are able to capture hidden malware in memory and send it back to a central management station when the products are running in enterprise mode. Komoku also is exploring potential partnerships with other security companies that have offline malware analysis tools, he said.

Pricing details have not been worked out, but Arbaugh expects to ship Copilot to high-end enterprises with supersensitive data. Gamma, on the other hand, is lower-assurance and aimed at protecting business assets that dont require high-end security protection and businesses that are unable to install hardware.

Arbaugh said Gamma has been built with two modes of operation: an enterprise mode where it communicates with a central server to receive updates and incident reports, and a stand-alone mode where incidents are reported locally. Updates will be available via a subscription service similar to the anti-virus space, he said.

Citing confidentiality issues, Arbaugh declined to discuss the severity of the rootkit threat on government networks. However, he said that during actual Copilot tests, it is "very clear that the government shares the same problems like everyone else."

Copilot was being tested on the Navy networks when news of the Sony DRM (digital rights management) rootkit issue made headlines in November 2005. "That was a zero-day rootkit to us, so we decided to throw it at Copilot as part of the operational tests. We detected the Sony rootkit in all its vectors, in real time," said Butler.

According to statistics from Microsoft, rootkits account for more than 20 percent of all malicious programs removed from Microsoft Windows machines. The stealthy technology has been found in a variety of threats, including spyware, Trojans and DRM.

Komoku at a Glance

Whats the big idea?

To offer hardware and software security at the operating system level to ferret out stealth rootkits

Is there a product?

Komokus first product is a PCI card that detects malicious changes to the operating system; a software-only product is due this summer

Whos in charge?

William Arbaugh, president, and James Butler, CTO; Butler wrote "Rootkits: Subverting the Windows Kernel"; the company has three full-time and two part-time employees

Does Komoku have customers?

Yes, it has contracts with the Navy, Department of Homeland Security and DARPA





  Reader Comments: Government-Funded Startup Blasts Rootkits
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


xr80VӮcV%UȖ\֔ey,UyF(( ئHIyωo&nZ(Ku%LܐH$~ 'I">2 8E |jxΤ>? !ߛ`Z˩:ވz#, }w([Į jGwn=w2 X]~jkGdh9-rt3-u@|ݖ|cXul̀A3EuL_CԿ($fҀ [8#/yy< ۱"˭Uֶg5^q;=:"sz3 wZEؘ*ozc>)C xz`:v8,2踖þɲ>ʏ9h42ۼMٰn5T:Ԫr\ˇJ~/^ߛȹ-Ӟ?7o8FuޅRV5MQ;U0> n0tp;\RrCNes<> i^_ad}+1UJ Z. dz$_S::y\MB^$> xZj9,4E; KHR ])1N,"['lji][W^['wbٚXC ji@e$XYHwAբy|qӾlvoz{MVI3 h+?f'_ZUlxmķx0|`kh2`m8;RZ:{$է)I|S8fIu\Cn&J ݒeL_;D_KŗG)Hk7G ƈ8X@.@ש#04ۯhV=<<䭱JG+Ҕ#Rƒ t$yW˝5>Hr Ca)#p?S%Wi8@r=ش 6,%̛ hJ@{d$e $}ВYtBFͨN}%I FBzBp4]-7+De,,ɺ s5-w>Y?iQw9~j?]wսuS5>@*s6m;4d}t>჎(>hƋMrnLMrӇu4@>+GݺzNnXŞ*Fԇ9[i`IA 6v|scм`y&nAܙ@[3衟#]ѽ:?A2/?>fxsܧP}MrA=39;ݴiǀxt47(.aHd˕N ] cRRPHt"BђF 4  gsX"C"''@@ww$]I+Tbz"ҶBICvn KŔ=*%nqR%a 3ʬ$&vφaZLboD6], S m3-mu{6 z0CO{đaIQңF +?w; *XF0M/Cw)?ǘ[i4&LSTl2u)(f+7k>j7A1EL$km}fBB63 =gƠtNP"'Կ 3r wwT/=҇9 UQR }-zn7MAR?Ty v Bdj/h~W.Y 3EXVHdF!! = \Pȭi;NrB@S*,H@&mdz?Gw LRd0uf6NI :3Xh8E/C4v ei[%ͺ7bumIJۥi]hk%T87Bj^¢ym<2֡X`9HM^>VL"fˣQ4dJ &Ϳ;{8`OͱIG>{S+UVOLXZfFV-iV9ִrX,y|-pX"@7wGR&a+\ڨ`OSi9Ezu@nztӱ; mN#0 ;u M sOѭ,pZU0z q X@XĞ=  Kzn/.,KYkyMٕ.RB|vj [arhfl:6-<ݝvmļZB_@kt{ 7aT5clq-Z3v,˹ sq, EZ"Ӟ0/7uX83[͆OCBE-Hx 3??uPV/O6S? !ܕVR5󈻬3ghZlrK8JREu l{ Qքc'M}XtSyyW>Ѐ!as`Ez . Z H }"T0|*UTˈ`nS@@kSU Փ.ZE^~~ V%Ŵ谢zԘ{}Qː 0gxyd.>3IR-ftheU-UjRAgD+ϏyWE"IԀA_}ό95Fξ(zCW>s@y >{Vv0eE>yLLZ<5}˰"U`}BZ_(ƨOMqѡ,u` tV8f;<@? v: lhCxR `j@$p LM{6baJ)?oZKy4$ H{IMzȮO1)"Vavoqe@\5oص`̌)̨5UV *~ezoR.E׌Lu0ȐNǝGlȡ5Th vϷ h#քY[ў#WX xV IQdS3EtjCW3(SM8^# M "]մRb/_#Fd&T~!\yRflҡ3w9Se>c'ß=a ]o Ul GOpOD7n ,m{D9hb21Ki[2|'@ dkѪ9O'A(՚\2ZP;,giO6Gu"M."8&08zGdDRz+>n ~/I6kVRRXU@V_A ұg /s_5 _.7fnq* 2kmz~L\TPY\܈MP*jIIz,peYbk5b iW&s\x&\_{sƋbo)Q^aTW".)wD<7ϰ3}Nb i˴WՄθā0O?#[&IfYyVum4eX$5}`Gq+$eZU ՂV'LtPpz]Fߋ eRԣ{{k7}3݀ G(w}}4WIP*5]*{ s9q=C H\}PK(,~w9ـo9 |\V* r2RDBZNBql'߾l[DHZ Rٟ:sɖBzI(jT xϰLc V(YŵyAhhqNF\}?؇^?hUeqbsE6 7cyJ~Zg^p t,+?~i7G}e_:kt_?v0yyD߫%a?KKx4W}l눔 J>~~lJNC[ q߲oU=H3 J@$=ĸ}/gvj456|v: 724H4|w;Nq})}ڽ^Sz}ْW's5B n2H#O!zN/ZfS L k;d8)(hdqH/=^q@ښҽn9`LBX5c-IgB A0q4eRxy~ïnUk~! I+U:;<   cJ=!Voh{W/i{mE-bT _RJI$Q#=)#WYYuڽnp l}AǯNd^VZ-[N7S+d$c?]/8݃͟&WVRǭϤ{q@HE \8/g`T1IB88en1~KP .Mu?RoQJh"g8Q;6?m[=PRrPR)&bv(I; ݒ:h<5 2)!Mϓp|Lhk'IZV6X(4%!44QЌObCYF*C' һj\npVPt._xvIa%1 TgKe  KQk i"TH>a')-g+y-)EC^}+ IN,#zSaJf Sz/uOmOwgXmyq=v츃%vd:Gw*b9,_k=huӅ[ey$sm#g#.Ս)A/ֳs9[Rb0x"64Ndywy#KxEıTrc&4aqM1nWe gș馍CLf\vqo]9arJs ނ3Q 6j 2'|Y>]bwP;_xŞYiIU9/r\-"nZZླྀ|W90.=y$/Av} ,D>?Ggo[D:*p&޸<{c Z~‡i4&K-hːuݗ:ʆ!@nJU(X'Цׇ ݟ⁙ Hx3SEguaH_!@"56'wƘRPA~9c['瞍}L;p_O{I{sPUUK"Ŏp1uL9? Lk_:PՃ*([ϻu~Q|q1ad!$Zvxpp,(4Aɛ.k֊W {  66G܂3c וPIdB1Y8nFh,O)j gq9Qm&)1aHgAWAgPu] ;RYn!VYMh`^[*n,g38c:&H(cx;أwiZLsuUf`AŀA7Ti wYRJX,lFɒ+voWHܤJCym"[<vo@jA-/iM 4.*ψ&"YʘDN(OL'2'7Xflws<XHè/ڂ DwIPZP!`@A_~tV,j.Jbk%E @[Nmw%3pǀ$iw" o?U_z /.#'ER/2C10CHD @"!-1o=5w"$MٖT/>\ UŊ!hpLbAg̾vtL [8L/b V4ϓ0DOA@IDiI$-^Җ퓎;LPKQ<ēH`A4O=JB1 a0i7Ag/[m͝PRUI-lKXgJh Lgp8a9qf=4V"Q[W}enKYW"a:\0kgv)Bj y u{1& EXjJU&YEx_n/Bڷ ;[$+v߱RJ]sqUwwwwZ0y󽖱zE%n\mUR ﷖pSRa~uږo_.hVuD/.8.@}P@IlW0UMuhH``w|aK^.0 Y {CKMӇuG)LO'!?M+ ٤$: aA.JC9/bz*n{KR{1_i+R@$\]`^<|w<{O$E{+NV !"A$1DΗ!WAj1xyK{1k:C}Ot >mx+A%bYGi\h /ǧ1|E|ap_i%^[66\Q|L+WzNx4=8 ԂZ,FGAp{Ip0/@@nLn~=z?YRB=_gؒ0/E)_M\=XKy ݒ07m6hn avLۑ/qGԟb_Zs~8G۩ D }<T<WK ፑn x$oI G xu ( X?un~_@;~B[s{l{GP(ڕ-س`I麏HΥx+J?k83v,t.aVc=̬^++T?q_qNVkYӧ=S*i%k=+ WqqOO:|?D+|$^'u^fICVCoUݜC$ (_8r5ܗN=B7{7ĩ}/GT_W>U 伕n_L+h]W2I#.e>ҍLr ֽQkf|dÁo9v/+>zpRO.YO2Qźr\QhqW=] Sg'<3핖Ʌw}yѹ{1 *fy$'%?[ޤW)m,)㊥Z\-!p E_Br/00Hɂצ8%4sh~̼d֦1]^IIͽ=ڶ/h `|F0-c l S(T-~]&Uֿe#{t ޥ$^oJYF+VC|_~?|Mg* c ~?NZTˬkr:$Q3 ƹ'}a",kVD(P2a^DKop.2|p{0KgD|`߱1 נ 8w9z@Q H?Eou7:^o? DŢW\2= !kjb`!M4#|2 8+_^=ˢǏ{eADNtQ+"ݱPVôLE'$&Jjid$F₡tyϹgD<quEMm&^' 0ka &"l\M'q/丱ˋAE&FM`BFPxAҼf40 aS,^4𺨐J11ǜS;1és\: G ]J1xy[Ò+5&L6RE(*Io$TGh'R(M`obTy  #y^Š&Jk&pUTJ;7ޞ6.W@O[jkw,N%ܬTM$ n߮rG܀ӡg1E8a|܉((gg[{'2Cmj|)5,\ X=\πJ*jA4`}"]iR$26ܬZX+(%\z0u_8ZՔV-`{d==vNZ#x5XǜpBOB .xړGF^Gnoy rj-ݳy@-  kPу%ς퀲|\>PP*(w[qb>>-^awv鮦%@,Mx qLi'XC@WݹHm+nA',l6s>Ig+vl"6\%pKp|{Hq -gwqxËG^n/9F.F{| xfV-j%VG0 ,ç0N#9m6a?\Dsa|G,%_[FFV>G6يbvwMur j`(;R3ZNpxu!M.>_!Ƙ&Q@O@L%F J 4w\CP |o;Wp+P~ЪVwn@kb^;ҁ1+qܒ:i|ń>=N &}& )<]Сܛ r@JoIg8|<|6ڄykiDž$Y cGx "=4uӻhzxX2dW<:s&c#ܛE@$nOQ|0 !'@vQ]Q JuLy(a#.%F쾏Ic>r*}? |9[CG)W9Ĕ#X֨n>^_Cae1 `8*gj9T KL 2@: xE 7>|?_zYL0%#a kE$063ƞ3㇬ 1Ř!&"mXsS YDeb @Ԕ0w(V$!Ѕ8i,)@"!9͉ kO'c 3úޝ/#~|aP8\  +z+U'I]U@)p!xW`ǪZJDWv'x1n?.4!W)WPh r#cvFCd4`frOuv9WW_Y4uEzNz~{INZG/3?gCyF?(d^f%e\]f_O7CtAt3U}\W_\gO诟AA֗A_sV9s>>goʁ~o2ڿh&N272q S*R~A/2ȋ+OY射<(? yVV<^`]fkWx.rf e{%;[?[NBX\jzr+^0Z1nvd ba/ KPe^ٛT#GP78%Y}MNJ 4tk 7b[yDYAI{R}tEOI>t𞫫qLw<ߔ[nNJ>s\ȜH8VidN@B(s#h0 .Ñp[{剹?|k2xwi0> ۓ{ opmঠϻ]OI-Ak0.: 7W}.nmG;yh#ֽ2b;w K췡\2TVl<-t&j\eYȣf(+@J~t p8ě[}FFއ^V_p3jlc}k~nW;u}ٸ\5>C{>'K j*85ߜ:RN ?|Y&ƀY8'}p)NBhعkj@j<} m̹qoRL ;J墦 V˕R;qO;F$-j(&0#&T$`rXr(RB4|O۴W)Y7 yVi8an%[C DK(xxI=*Yۼx0,{|yN ڎy@7 J,{3ЫD@.^sϝm|LڸAÆ߄`-kD2yhp䓿 t8_li;Ìs,!1hlգ{wh9ĉiSr O?g)b|337S7 >oє^\CNG*˗ X֭2c/|sӸ [2FdX jXJr h;9_ɾ\$ǖ@}Iߜ\=u{̪TD}GQ!rE:w]n1|,0Gq1i!\p7707.^kR0E<.I ӮS-E;>Qㄾhkоx^i4HN,'cB诿aXkt JV7Bg#1Kgwԕ:~%.$x|v@-\& Ƕp1og[=Ǚېf]ݍ:S('/Հ`;_'4}v_0csv͖ԡ:D@z!_Fͻ!o;4mFK<#FOb\WnBaIgLi؍lxc 6{Nz> !"q0q?K*_yl xdDأ_BDOv֤-JK b?94vL9 H\}T.q 5" "HH "s{B|%IiVߞsQH 7@8}Ǧ a4`7g9ao5RFXk;nLZԝ:6Zd9\O>1q7N@U}ŒC 1,{ԟ#1P Yݒ)^Ռ[#|FWMPL\>O=j"6pΖln4szn%0)% KBlPՍFoUSeOTx/ē_| 3৯`gʚm೤c"5("vy9mKd7-YoˊL3t#mG)Jqk3yHR}D񟄷zH, 7AQ^+yJ>? T@|- %Vj(tI cS x1p.ڍL~%2'c:h0Ŭ‘Ѷz SO~n\O(Co\k<>cipΧ^pgUvy* *>`H6A1^wyKu'FnOvGD g>6'كl4p}́ XsCQ%7` ={[5HHJ B ϱɮx*hlg`wDl .3*/YF hWa!*e76K((Xp^'Atm9;n[r"#<[^ҵlAtz-E{Ofuݍ2JWtmk%!ҮT)V"ʥ.Sܟ=Ca҃6 ',{ QFbFA8u vKѪ V7"60ޏq[Pl@xS b \bգvE9b릍tD]hT[_ !*ʢSM 9/ߵSymE]Y>;Ѝ5ϰ|3'5cgb@xVOm{~kC'> ;ثy 2^9FBLj3mf^^kti( aaXf cJ\g'ۂ~Ӎ+2GS<"Y4/L_ x%L+DvdzU Z-^chX$֬"K깘#gyQs3v=g4w~X0~v19&Y>6s3a=d>]x O!(f" χ"@Ă+"e}q$Y":0X+n:' wX{yB(Ϻ}i_|9!3FUώ7z_[a}BeFBl4*7ъE:?CK7nyI˦V)ZNJ`)XFپuK+_1dF-<#@隣J"4&o(FҢ̰Ge=9TV01{6JܖmJr&s.# MW\e\)ҦG(5c>tgLt )2)v}ml-c6C-{f&)