DHS to help defend networks against the newest threats

Research into 'rootkit' removal could provide an effective tool against malware

A new worm began making the rounds recently on the AOL Instant Messenger network, installing an adware bundle on compromised computers.

But victims and antivirus products that focused on the adware may have missed a potentially more serious threat, said security researcher Chris Boyd of FaceTime Communications Inc. of Foster City, Calif.

'They probably completely missed the rootkit component,' he said.

The rootkit buries itself in the operating system, modifying the kernel to hide its presence and protect itself in order to keep the infected PC vulnerable to the attacker.

'In many ways, rootkits do the same things Trojan horses do,' Boyd said. But while Trojan horses are visible programs masquerading as benign software, 'the thing about a rootkit is that it doesn't want you to know it's there.'

In fact, rootkits can be so difficult to detect that the Homeland Security Department is spending about $1 million to help develop a tool that promises to find and eliminate them.

'This technology is attractive because it could be easily commercialized to produce one more level of assurance' on servers and PCs, said Douglas Maughan, cybersecurity program manager at DHS' Homeland Security Advanced Research Projects Agency.

Agency security pros should take note.

Based in university research

HSARPA turned to Komoku Inc., a small start-up founded by University of Maryland computer science professor Bill Arbaugh. 'We have taken some research from the university that deals with rootkits,' said Arbaugh. 'We came up with a way to determine whether the operating system has been modified with a rootkit. HSARPA liked that and asked us to turn it into a product.'

Komoku is a six-person operation, with half of its manpower at company headquarters in College Park, Md., and the other three in a San Francisco Bay Area office. The small firm teamed with Symantec Corp. of Cupertino, Calif., for the HSARPA project. Symantec provides malware removal and restoration software for the tool.

'We're in the preproduct stage,' Arbaugh said. A prototype is currently in testing at an undisclosed government site. 'Our hope is that we'll be ready a year from now for product sales. We're pushing things aggressively.'

Komoku got $600,000 from HSARPA this summer to develop its Copilot monitoring tool for a year, and will receive a similar amount for a second year of testing. The program is one of 17 funded as a result of a 2004 HSARPA solicitation for cybersecurity projects.

'We will spend about $13 million' on the projects, Maughan said. 'Some of them are 12-month projects, some are 36 months.'

HSARPA is the DHS Science and Technology Directorate's industry research and development program. It helps fulfill the call in the National Strategy to Defend Cyberspace for more robust commercial and academic R&D programs. The money goes to commercial enterprises for product development and testing. The products are expected to have broad commercial applicability rather than be government-specific.

'We view the end user to be industry,' because the private sector owns most of the critical infrastructure DHS is trying to protect, Maughan said.

HSARPA had an $18 million budget for fiscal 2005, and $16.7 million was approved in October for 2006.

The Komoku project caught HSARPA's eye because rootkits, originally developed to get 'root' or administrator privileges on Unix boxes, are becoming more common for widely deployed Microsoft Windows systems. Because they alter the operating system, detection tools running under the infected OS cannot be trusted to find them. Rootkits can turn the tools off, hide from them, or simply convince the tool it is not the malware being sought, like a Jedi clouding the mind of an imperial storm trooper.

Arbaugh began his research on rootkit detection about five years ago in the computer science department.

The tool he came up with checks the operating system to see that certain constants in the OS remain unchanged from scan to scan, and also compares ranges of values from different areas of the OS. These checks not only can help detect a hidden rootkit, but also help guard against random system failures.

Copilot works by understanding the operating system rather than the rootkit. As Arbaugh explains it, the Secret Service finds counterfeits by studying real $100 bills, not every counterfeit bill.
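As an added illustration of the invariant-checking idea the article describes (this is not Komoku's code; the memory layout, dispatch table and addresses are constructed assumptions), a small Python monitor that hashes a kernel text region against a trusted baseline and range-checks that every dispatch-table entry still points into that region:

```python
import hashlib

# Constructed toy layout of a monitored kernel (assumption, not Copilot's real format).
TEXT_BASE = 0xC0100000          # start of the kernel's code (text) region
TEXT_SIZE = 0x1000              # size of that region in bytes

def text_hash(text: bytes) -> str:
    """Hash of the kernel text region: the 'constant' expected to hold scan to scan."""
    return hashlib.sha256(text).hexdigest()

def baseline(text: bytes) -> dict:
    """Record the trusted state, taken from a known-clean system."""
    return {"text_hash": text_hash(text)}

def pointer_in_text(addr: int) -> bool:
    """Range check: a dispatch-table entry must point inside the kernel text region."""
    return TEXT_BASE <= addr < TEXT_BASE + TEXT_SIZE

def scan(text: bytes, syscall_table: list, base: dict) -> list:
    """Return a list of findings; an empty list means every invariant held."""
    findings = []
    if text_hash(text) != base["text_hash"]:
        findings.append("kernel text region modified since baseline")
    for idx, addr in enumerate(syscall_table):
        if not pointer_in_text(addr):
            findings.append(f"syscall_table[{idx}] points outside kernel text: {addr:#x}")
    return findings

# Constructed sample data standing in for kernel code and a system-call table.
CLEAN_TEXT = bytes(range(256)) * 16            # 4096 bytes, exactly TEXT_SIZE
CLEAN_TABLE = [TEXT_BASE + 0x10, TEXT_BASE + 0x80, TEXT_BASE + 0x200]

def demo_clean() -> list:
    return scan(CLEAN_TEXT, CLEAN_TABLE, baseline(CLEAN_TEXT))

def demo_hooked() -> list:
    """One table entry redirected outside the text region (simulated table tampering)."""
    hooked = list(CLEAN_TABLE)
    hooked[1] = 0xD0000000
    return scan(CLEAN_TEXT, hooked, baseline(CLEAN_TEXT))

def demo_patched() -> list:
    """One byte of kernel code altered in place (simulated code modification)."""
    patched = bytearray(CLEAN_TEXT)
    patched[0x100] ^= 0xFF
    return scan(bytes(patched), CLEAN_TABLE, baseline(CLEAN_TEXT))

if __name__ == "__main__":
    for name, fn in (("clean", demo_clean), ("hooked", demo_hooked), ("patched", demo_patched)):
        print(name, fn())
```

The point of the design is that the monitor needs only knowledge of what the clean system looks like, not of any particular rootkit; a real implementation would read the regions from outside the monitored OS, as the article's PCI-card version does.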

Making this tool independent of the OS is important, so Komoku has developed Copilot in hardware. It resides on a PCI card for desktop PCs and servers and can scan the system in near-real time. There is also a software version, which probably will not provide the same level of assurance but which will cost less.

But running from an add-in card improves the tool's performance as well as security.

'The hardware version doesn't take any cycles from the CPU,' Arbaugh said. 'All we do is take some bandwidth from the bus.'

But this still can result in a 3 or 4 percent decrease in performance, which on a Web server could be noticeable. Arbaugh said he hopes to improve that efficiency as the product is developed.

Rooting out a rootkit

Once a rootkit is detected, cleaning up an infected computer remains difficult. It has to be shut down and reformatted or restored from a back-up disk. Symantec is going to help automate this process.

'We're providing the rapid rebuilding,' said Brian Witten, Symantec's director of government research.

Symantec's LiveState family of restoration products will be incorporated in Copilot. LiveState Recovery returns a computer to a trusted state, and LiveState Delivery can centralize provisioning, configuration and updating of workstations.

HSARPA also hopes Symantec's customer base will help Komoku when Copilot is ready for the market. After all, Arbaugh's background is academic, not business.

'There is a huge difference between the lab and the field,' he said. The field is an uncontrolled environment with an almost infinite number of hardware-software permutations that must be dealt with. 'The only way you can test that is to try it on boxes and see if it works.'

If it works, HSARPA hopes Symantec will help shepherd Copilot to customers. 'In this case, Symantec is a very good partner for the Komoku guys,' Maughan said.
