
DHS to help defend networks against the newest threats

By William Jackson, GCN Staff

Research into “rootkit” removal could provide an effective tool against malware

A new worm began making the rounds recently on the AOL Instant Messenger network, installing an adware bundle on compromised computers.

But victims and antivirus products that focused on the adware may have missed a potentially more serious threat, said security researcher Chris Boyd of FaceTime Communications Inc. of Foster City, Calif.

“They probably completely missed the rootkit component,” he said.

The rootkit buries itself in the operating system, modifying the kernel to hide its presence and protect itself in order to keep the infected PC vulnerable to the attacker.

“In many ways, rootkits do the same things Trojan horses do,” Boyd said. But while Trojan horses are visible programs masquerading as benign software, “the thing about a rootkit is that it doesn’t want you to know it’s there.”

In fact, rootkits can be so difficult to detect that the Homeland Security Department is spending about $1 million to help develop a tool that promises to find and eliminate them.

“This technology is attractive because it could be easily commercialized to produce one more level of assurance” on servers and PCs, said Douglas Maughan, cybersecurity program manager at DHS’ Homeland Security Advanced Research Projects Agency.

Agency security pros should take note.

Based in university research

HSARPA turned to Komoku Inc., a small start-up founded by University of Maryland computer science professor Bill Arbaugh. “We have taken some research from the university that deals with rootkits,” said Arbaugh. “We came up with a way to determine whether the operating system has been modified with a rootkit. HSARPA liked that and asked us to turn it into a product.”
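The article does not describe how Komoku's checker decides that the operating system has been modified, and the example below is not its method or its code. It is an added illustration of the general idea a defender would start from: fingerprint a known-clean set of operating-system files, keep that baseline somewhere the suspect machine cannot tamper with, and later compare a fresh fingerprint against it. The file paths and contents are constructed for the example; the "infected" set simulates a modified kernel image, an unexpected extra module and a deleted binary so the report exercises all three cases.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample: a stand-in for the operating-system files a checker
# would baseline. Paths and contents are made up for this example.
CLEAN_SYSTEM = {
    "/boot/kernel": b"kernel-image-v1",
    "/lib/modules/net.ko": b"network-driver",
    "/sbin/init": b"init-program",
}


def fingerprint(files):
    """Return {path: sha256 hex digest} for a mapping of path -> bytes."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


@dataclass
class IntegrityReport:
    modified: list = field(default_factory=list)  # present in both, digest differs
    added: list = field(default_factory=list)     # not in the trusted baseline
    missing: list = field(default_factory=list)   # in the baseline, gone now

    @property
    def clean(self):
        return not (self.modified or self.added or self.missing)


def check_integrity(baseline, current):
    """Compare a trusted baseline of digests against a fresh fingerprint."""
    report = IntegrityReport()
    for path, digest in baseline.items():
        if path not in current:
            report.missing.append(path)
        elif current[path] != digest:
            report.modified.append(path)
    for path in current:
        if path not in baseline:
            report.added.append(path)
    return report


def demo():
    """Baseline the clean set, then check a simulated tampered copy of it."""
    baseline = fingerprint(CLEAN_SYSTEM)
    infected = dict(CLEAN_SYSTEM)
    infected["/boot/kernel"] = b"kernel-image-v1-patched"    # simulated kernel modification
    infected["/lib/modules/hidden.ko"] = b"unexpected-module"  # simulated extra module
    del infected["/sbin/init"]                                 # simulated removed binary
    return check_integrity(baseline, fingerprint(infected))


if __name__ == "__main__":
    report = demo()
    if report.clean:
        print("no changes detected")
    else:
        print(f"modified={report.modified} added={report.added} missing={report.missing}")
```

The caveat a practitioner would add is the one the article's description of rootkits implies: a checker that reads files through the kernel of the suspect machine is asking a possibly subverted kernel to report on itself, so the baseline digests must be stored off-host and the comparison is most trustworthy when the disk is read from a separate, known-clean system.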

Komoku is a six-person operation, with half of its manpower at company headquarters in College Park, Md., and the other three in a San Francisco Bay Area office. The small firm teamed with Symantec Corp. of Cupertino, Calif., for the HSARPA project. Symantec provides malware removal and restoration software for the tool.

“We’re in the preproduct stage,” Arbaugh said. A prototype is currently in testing at an undisclosed government site. “Our hope is that we’ll be ready a year from now for product sales. We’re pushing things aggressively.”
