LynuxWorks rootkit detector adds hardware punch to security scanning
- By John Breeden II
- Sep 20, 2013
Sometimes even the most robust software-based security is vulnerable to rootkit infection. These stealthy programs can get into the heart of a computer, gain control for malicious purposes and remain hidden while doing so. Software monitoring is at a disadvantage because it can itself become a target of the malware. It's kind of like hunting sharks while swimming in the same water: you might find the shark, but you might get bitten, too.
LynuxWorks is stepping up the battle with the release of the first hardware-based rootkit detection system powered by the LynxSecure separation kernel. Called the RDS5201, it combats and detects stealthy advanced persistent threats. Built on the LynxSecure 5.2 separation kernel and hypervisor, this small-form-factor appliance has been designed to offer a unique detection capability that complements traditional security mechanisms as they try to protect against the growing number and complexity of cyber threats.
The RDS5201 rootkit detection system is a custom-built hardened appliance, which detects low-level, zero-day rootkits, the most lethal payload of malware. The detection is direct, not done by statistical analysis or other indirect techniques, and is coupled with immediate, automated, live visual forensic data. The RDS5201 serves as a smart proactive sensor against attacks in IT networks and reduces the agonizing job of detecting rootkits from weeks or months to seconds. It is the first technology capable of detecting and alerting against such threats in real-time, LynuxWorks said.
“Rootkits are becoming stealthier, more potent and more complex. The threat from them is becoming more prevalent, as exploit kits are commercially available and are easier to use. Recent research is showing that seven of the top 10 threats in 2012 were rootkits and that the number of boot-level rootkits increased dramatically,” said Avishai Ziv, vice president of Cyber Security Solutions at LynuxWorks. “The normal endpoint and network protection mechanisms simply cannot prevent, or even detect them until it is too late and hence the need for a new type of security product, such as the RDS5201, to help give early warning for these threats as they infect our enterprise networks.”
Rootkits work at the lowest levels of the operating system they intend to attack. Common detection and prevention mechanisms are part of the “attack target,” allowing rootkits to disable the installed anti-malware client applications. The only way to overcome low-level rootkits is by allowing the security application to execute with a higher security privilege than the attacked OS. It must also be self-protecting, non-bypassable and tamper-proof.
Upon detection, the RDS5201 immediately raises an alert and sends an automated live forensics report to its dashboard. The report contains visual representations, such as the clean and infected disk sectors and in-memory data structures, allowing rapid and focused threat response. The RDS5201 can also be connected to other network protection systems, such as SIEM and threat management systems, offering an early-warning mechanism that complements and enhances existing security solutions.
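The two preceding paragraphs describe the principle behind out-of-band detection: compare what the guest operating system reports about itself with what a more privileged vantage point sees directly in memory and on disk. The following is an added illustration of that cross-view comparison; it is not LynuxWorks code and says nothing about how the RDS5201 is actually implemented. All process lists, sector contents and function names are constructed for the example, and a real hypervisor-level detector would read the guest's physical memory and raw sectors from outside the guest rather than from Python dictionaries.

```python
import hashlib

# Added illustration; all data below is constructed for the example.
SECTOR_SIZE = 512

# What the guest OS reports through its own (possibly subverted) interfaces.
GUEST_REPORTED_PROCESSES = {1: "init", 412: "sshd", 733: "httpd"}
# What an out-of-guest walk of the kernel's process structures finds.
HYPERVISOR_OBSERVED_PROCESSES = {
    1: "init", 412: "sshd", 733: "httpd", 901: "kworker_hidden",
}

# Known-clean baseline: digests of sectors 0 (boot code) and 1 taken at install.
CLEAN_BOOT_SECTOR = b"\xeb\x63\x90" + b"\x00" * (SECTOR_SIZE - 5) + b"\x55\xaa"
CLEAN_SECTOR_1 = b"\x00" * SECTOR_SIZE
BASELINE_DIGESTS = {
    0: hashlib.sha256(CLEAN_BOOT_SECTOR).hexdigest(),
    1: hashlib.sha256(CLEAN_SECTOR_1).hexdigest(),
}

# Current raw sectors as read from outside the guest: sector 0 has been patched.
CURRENT_SECTORS = {
    0: b"\xeb\x63\x90" + b"\xe8\x10\x00" + b"\x00" * (SECTOR_SIZE - 8) + b"\x55\xaa",
    1: CLEAN_SECTOR_1,
}


def hidden_processes(guest_view, hypervisor_view):
    """Cross-view diff: PIDs present in kernel memory (seen from the hypervisor)
    but missing from the guest's own process list are candidate hidden objects."""
    return {pid: name for pid, name in hypervisor_view.items() if pid not in guest_view}


def modified_sectors(baseline_digests, current_sectors):
    """Sector indexes whose current digest differs from the known-clean baseline."""
    return sorted(idx for idx, data in current_sectors.items()
                  if hashlib.sha256(data).hexdigest() != baseline_digests.get(idx))


def forensic_report(guest_view, hypervisor_view, baseline_digests, current_sectors):
    """Assemble the alert payload a dashboard or SIEM forwarder would consume."""
    hidden = hidden_processes(guest_view, hypervisor_view)
    sectors = modified_sectors(baseline_digests, current_sectors)
    return {"hidden_processes": hidden,
            "modified_sectors": sectors,
            "infected": bool(hidden or sectors)}
```

Because the comparison and the baseline live outside the guest, a rootkit that tampers with the guest's process list or boot code cannot hide the discrepancy from this vantage point.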
John Breeden II is a freelance technology writer for GCN.