DHS to help defend networks against the newest threats

Research into 'rootkit' removal could provide an effective tool against malware

A new worm began making the rounds recently on the AOL Instant Messenger network, installing an adware bundle on compromised computers.

But victims and antivirus products that focused on the adware may have missed a potentially more serious threat, said security researcher Chris Boyd of FaceTime Communications Inc. of Foster City, Calif.

'They probably completely missed the rootkit component,' he said.

The rootkit buries itself in the operating system, modifying the kernel to hide its presence and protect itself in order to keep the infected PC vulnerable to the attacker.

'In many ways, rootkits do the same things Trojan horses do,' Boyd said. But while Trojan horses are visible programs masquerading as benign software, 'the thing about a rootkit is that it doesn't want you to know it's there.'

In fact, rootkits can be so difficult to detect that the Homeland Security Department is spending about $1 million to help develop a tool that promises to find and eliminate them.

'This technology is attractive because it could be easily commercialized to produce one more level of assurance' on servers and PCs, said Douglas Maughan, cybersecurity program manager at DHS' Homeland Security Advanced Research Projects Agency.

Agency security pros should take note.

Based in university research

HSARPA turned to Komoku Inc., a small start-up founded by University of Maryland computer science professor Bill Arbaugh. 'We have taken some research from the university that deals with rootkits,' said Arbaugh. 'We came up with a way to determine whether the operating system has been modified with a rootkit. HSARPA liked that and asked us to turn it into a product.'

Komoku is a six-person operation, with half of its manpower at company headquarters in College Park, Md., and the other three in a San Francisco Bay Area office. The small firm teamed with Symantec Corp. of Cupertino, Calif., for the HSARPA project. Symantec provides malware removal and restoration software for the tool.

'We're in the preproduct stage,' Arbaugh said. A prototype is currently in testing at an undisclosed government site. 'Our hope is that we'll be ready a year from now for product sales. We're pushing things aggressively.'

Komoku got $600,000 from HSARPA this summer to develop its Copilot monitoring tool for a year, and will receive a similar amount for a second year of testing. The program is one of 17 funded as a result of a 2004 HSARPA solicitation for cybersecurity projects.

'We will spend about $13 million' on the projects, Maughan said. 'Some of them are 12-month projects, some are 36 months.'

HSARPA is the DHS Science and Technology Directorate's industry research and development program. It helps fulfill the call in the National Strategy to Defend Cyberspace for more robust commercial and academic R&D programs. The money goes to commercial enterprises for product development and testing. The products are expected to have broad commercial applicability rather than be government-specific.

'We view the end user to be industry,' because the private sector owns most of the critical infrastructure DHS is trying to protect, Maughan said.

HSARPA had an $18 million budget for fiscal 2005, and $16.7 million was approved in October for 2006.

Rooting out a rootkit

The Komoku project caught HSARPA's eye because rootkits, originally developed to get 'root' or administrator privileges on Unix boxes, are becoming more common for widely deployed Microsoft Windows systems. Because they alter the operating system, detection tools running under the infected OS cannot be trusted to find them. Rootkits can turn the tools off, hide from them, or simply convince the tool it is not the malware being sought, like a Jedi clouding the mind of an imperial storm trooper.

Arbaugh began his research on rootkit detection about five years ago in the computer science department. The tool he came up with checks the operating system to see that certain constants in the OS remain unchanged from scan to scan, and also compares ranges of values from different areas of the OS. These checks not only can help detect a hidden rootkit, but also help guard against random system failures.

Copilot works by understanding the operating system rather than the rootkit. As Arbaugh explains it, the Secret Service finds counterfeits by studying real $100 bills, not every counterfeit bill.

Making this tool independent of the OS is important, so Komoku has developed Copilot in hardware. It resides on a PCI card for desktop PCs and servers and can scan the system in near-real time. There is also a software version, which probably will not provide the same level of assurance but which will cost less.

Running from an add-in card improves the tool's performance as well as its security.

'The hardware version doesn't take any cycles from the CPU,' Arbaugh said. 'All we do is take some bandwidth from the bus.'

But this still can result in a 3 or 4 percent decrease in performance, which on a Web server could be noticeable. Arbaugh said he hopes to improve that efficiency as the product is developed.

Once a rootkit is detected, cleaning up an infected computer remains difficult. It has to be shut down and reformatted or restored from a back-up disk. Symantec is going to help automate this process.

'We're providing the rapid rebuilding,' said Brian Witten, Symantec's director of government research.

Symantec's LiveState family of restoration products will be incorporated in Copilot. LiveState Recovery returns a computer to a trusted state, and LiveState Delivery can centralize provisioning, configuration and updating of workstations.

HSARPA also hopes Symantec's customer base will help Komoku when Copilot is ready for the market. After all, Arbaugh's background is academic, not business.

'There is a huge difference between the lab and the field,' he said. The field is an uncontrolled environment with an almost infinite number of hardware-software permutations that must be dealt with. 'The only way you can test that is to try it on boxes and see if it works.'

If it works, HSARPA hopes Symantec will help shepherd Copilot to customers. 'In this case, Symantec is a very good partner for the Komoku guys,' Maughan said.
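The two checks the article attributes to Copilot, constants that must not change from scan to scan and values in one area of the OS that must fall within a range defined by another area, can be illustrated with a small out-of-band monitor. This is an added example, not Komoku's code: the kernel image, addresses and dispatch table are constructed toy values, and an in-memory byte string stands in for the physical memory a PCI card would read over the bus.

```python
import hashlib

# Constructed toy layout: a kernel text region that must never change after
# boot, and a dispatch table whose entries must all point into that region.
KTEXT_BASE = 0xC0100000
KTEXT_SIZE = 0x1000          # made-up size for the example


def snapshot(ktext, table):
    """Baseline taken by one known-good scan: a hash of the constant region
    and the table length. Copilot reads these over the bus; here they are
    passed in directly."""
    return {"ktext_sha256": hashlib.sha256(ktext).hexdigest(),
            "table_len": len(table)}


def check(baseline, ktext, table):
    """Re-scan and return a list of findings; an empty list means every
    invariant held. Findings are descriptive strings for an operator."""
    findings = []
    # Invariant 1: constant region identical to the baseline scan.
    if hashlib.sha256(ktext).hexdigest() != baseline["ktext_sha256"]:
        findings.append("kernel text hash changed since baseline")
    if len(table) != baseline["table_len"]:
        findings.append("dispatch table length changed")
    # Invariant 2: cross-area range check. Every table entry must land
    # inside the kernel text range; a redirected entry points elsewhere.
    lo, hi = KTEXT_BASE, KTEXT_BASE + KTEXT_SIZE
    for idx, target in enumerate(table):
        if not lo <= target < hi:
            findings.append(f"table[{idx}] points outside kernel text: {target:#x}")
    return findings


# Constructed sample state: 4 KiB of filler as "kernel text", 8 entries.
GOOD_KTEXT = bytes(range(256)) * 16
GOOD_TABLE = [KTEXT_BASE + 0x10 * i for i in range(8)]
BASELINE = snapshot(GOOD_KTEXT, GOOD_TABLE)


def demo_clean():
    return check(BASELINE, GOOD_KTEXT, GOOD_TABLE)


def demo_hooked_entry():
    # One entry redirected to a made-up address outside kernel text.
    hooked = list(GOOD_TABLE)
    hooked[3] = 0xD0000040
    return check(BASELINE, GOOD_KTEXT, hooked)


def demo_patched_text():
    # One byte of the constant region flipped in place.
    patched = bytearray(GOOD_KTEXT)
    patched[0x200] ^= 0xFF
    return check(BASELINE, bytes(patched), GOOD_TABLE)
```

Because the monitor keeps its own baseline and reads memory independently of the running kernel, a rootkit that hides from in-OS tools still has to leave the scanned bytes and pointers unchanged to pass.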










