Intel Researchers Sneak Up on Rootkits

[David Farber <dave () farber net>]

Begin forwarded message:

From: Dewayne Hendricks <dewayne () warpspeed com>
Date: December 14, 2005 10:48:10 AM EST
To: Dewayne-Net Technology List <dewayne-net () warpspeed com>
Subject: [Dewayne-Net] Intel Researchers Sneak Up on Rootkits
Reply-To: dewayne () warpspeed com

[Note:  This item comes from reader Randall.  DLH]

> From: Randall <rvh40 () insightbb com>
> Date: December 13, 2005 11:15:18 AM PST
> To: JMG <johnmacsgroup () yahoogroups com>
> Cc: Dewayne Hendricks <dewayne () warpspeed com>
> Subject: Intel Researchers Sneak Up on Rootkits
>
> <http://www.eweek.com/print_article2/0,1217,a=167252,00.asp>
>
> Intel Researchers Sneak Up on Rootkits
> December 12, 2005
>
> By John G. Spooner and Ryan Naraine
>
> Intel Corp.'s researchers are working to outwit cyber attackers,
> including those employing stealthy rootkits.
>
> The chip maker's Communications Technology Lab, in a project called
> System Integrity Services, has created a hardware engine to sniff out
> sophisticated malware attacks by monitoring the way operating systems
> and critical applications interact with hardware inside computers.
>
> By watching a computer's main memory, the System Integrity Services  
> can
> detect when an attacker takes control of the system—such attacks sever
> the ties between data loaded into memory by an application and the
> application itself—and can fool a system so as to avoid detection  
> while
> potentially allowing for surreptitious pilfering of data or the
> perpetration of other attacks.
>
> "Our threat model assumes that the attacker gets on the system somehow
> and has unrestricted access to the system," said Travis Schluessler, a
> security architect inside Intel's Communications Technology Lab.
>
> System Integrity Services "assumes [the attacker] will modify what's
> running in memory to fool anti-virus software or change firewall  
> rules…
> so as to put the system in state where he can do whatever he wants."
>
> The System Integrity Service's hardware, however, can detect those
> intrusions by monitoring the interactions between the applications and
> memory.
>
> Once it discovers an intrusion, it can issue an alert. Thus it sets  
> the
> bar much higher for malware being able to compromise system without
> being detected, Schluessler said.
>
> Researchers tested the system with a kernel debugger, an application
> whose behaviors and ability to make system changes are similar to that
> of a rootkit, to prove its effectiveness, he said.
>
> Although it might not make it to market immediately, Intel's
> anti-malware research comes at a time when anti-virus vendors are
> struggling to cope with the use of stealth rootkits in malware  
> attacks.
>
> Using rootkit techniques, malware writers are able to gain
> administrative access to compromised machines to silently run  
> updates to
> the software or reinstall malicious programs after a user deletes  
> them.
>
> Click here to read more about where rootkits come from.
>
> If it were to be put into a product platform, Intel's System Integrity
> Services could be used in conjunction with other elements,  
> including the
> Intel Active Management Technology for monitoring hardware, and could
> also be used in concert with other research projects such as Circuit
> Breaker.
>
> Circuit Breaker, a research project that might also someday find  
> its way
> into products regulates an infected computer's access to a network.
>
> Such a combination might help quickly head off widespread infections,
> which can cost companies not only in data theft by also in reduced
> employee productivity due to computer downtime and heavy use of IT
> resources to clean them up, the Intel researcher said.
>
> Indeed, in one example, "Once System Integrity Services has detected a
> problem, it can tell Circuit Breaker to turn [a machine] off the  
> primary
> network and switch it over to a remediation network," he said.
>
> Next Page:  A focus on security.
>
> The System Integrity Services project is part of a broader focus on
> security inside Intel's labs.
>
> That focus has been brought about by the chip maker's recent shift to
> designing platforms around devices such as servers or desktop PCs.
>
> Unlike when it sold chips individually, the platform design  
> strategy has
> Intel creating numerous add-ons, which include features such as
> virtualization and the Intel Active Management Technology, which are
> designed to increase the usability and manageability of desktops,
> notebooks and servers.
>
> Many of Intel's more advanced worm and virus detection technology are
> still at the research stage today—some of Intel's other projects  
> include
> worm signature detectors called autograph and polygraph—but it could
> easily wind up as features inside Intel's future product platforms.
>
> Aside from being used to improve the products for customers, they  
> could
> also be added to bolster Intel's competitiveness versus its rival
> Advanced Micro Devices Inc.
>
> The System Integrity Services' prototype hardware uses one of Intel's
> Xscale processors, which Schluessler said was overkill, and plugs  
> into a
> PCI slot.
>
> A future version could potentially be built for a relatively small fee
> and included with Intel platforms, not unlike the way it packages
> wireless modules with its processors and chipsets for its Centrino- 
> brand
> notebooks.
>
> "You can tie this technology in with AMT and the CPU [in each machine]
> and all of a sudden you've got something that's more than the sum  
> of its
> parts," Schluessler said.
>
> Aside from working with Intel's own platforms, the technologies  
> could be
> also tied in with products from Intel's close partners, including
> operating system and application vendors, the company's researchers  
> have
> said.
>
> "We said, 'What kind of things can we do to address these challenges?'
> That has driven a lot of the platform thinking, whether it's VT [Intel
> Virtualization Technology] or active management, and how all those
> things work together," said Dylan Larson, network security initiatives
> manager at Intel's Communications Technology Lab, in a recent  
> interview
> with Ziff Davis Internet.
>
> "We've had security expertise and lots of competency in this space  
> for a
> long time. Now we're looking at this even more from a platform  
> level on
> how we can bring these things together to drive new value to
> customers."
>
> The lab is also working on a projects called Autograph and Polygraph
> projects, which are designed to help prevent large-scale worm  
> infections
> altogether by analyzing individual worms and quickly publishing  
> data on
> how to detect them.
>
> Click here to read more about the damage caused by the Code Red worm.
>
> Autograph and Polygraph employ a combination of heuristics and good  
> old
> sleuthing to track down worms and locate their signatures—or the  
> unique
> pattern of data required for its particular exploit—and then notify
> other systems with those signatures so that they can move to identify
> and block the worm, said Brad Karp, at Intel Research Pittsburg, a lab
> located on the campus of Carnegie Mellon University.
>
> Autograph's source code has been made available for download via the
> university's Web site, and Karp and his team are also working on a
> Polygraph, a similar program which can sniff out so-called polymorphic
> worms, which change each time they replicate in an effort to cover up
> their signatures and thwart the defense used in Autograph.
>
> The next step for the Systems Integrity Services now lies with Intel's
> platform development teams, which will make the call on whether or not
> to add the technology to its future systems, Schluessler said.

Weblog at: <http://weblog.warpspeed.com>



-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/