Man, I really hate those bloodsuckers behind all of the malicious rootkit activity.
A startup funded by the U.S. government’s Defense Advanced Research Projects Agency is ready to emerge from stealth mode with hardware- and software-based technologies to fight the rapid spread of malicious rootkits.
Komoku, of College Park, Md., plans to ship a beta of Gamma, a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity.
This is one of those cases where the government is actually doing something right.
Komoku’s patent-pending Copilot host monitor can detect and help recover from rootkits and spyware by independently monitoring the integrity of the OS kernel. All the while your host remains operational. For more complex host-based defenses, the INHIBT central management station is a lightweight distributed manager for host-based defenses.
Maybe this represents the beginning of the end for this crap.
I never understood why an OS would be allowed to have programs that can hide themselves from even the OS… isn’t there a way to just have all programs visible in a tasklist, then there would be no rootkits?
I’m not a low-level programmer, but I suspect it has to do with either performance or backward-compatibility.
As I remember, at least some rootkits hide themselves by editing the linked list which shows running tasks. Changing to a system by which the programs only have read access would break the ABI and the API because, even in object-oriented languages with public/protected/private access control, you can’t say “This stuff is read-only outside of the following places”. Therefore, the only option would be to switch from directly accessing the memory to calling a function to retrieve the info. That requires changes in the applications which use it, as well as slowing things down a bit by adding extra stack traversal.
Of course, that’s just me talking from a fairly basic knowledge of C and C++, so don’t take it as expert advice. I just wish I knew why programs keep running when detached from that linked list.
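The two views the comment above describes, as an added toy model in C. This is not code from Komoku, Copilot, or any real kernel; the structures, names and pids (`proc_t`, `sched_table`, `find_hidden`, pids 100/200/300) are constructed for illustration. It shows why a process cut out of the task list keeps running (the scheduler holds its own reference to it) and how an independent monitor of the kind Komoku advertises can catch the discrepancy by comparing two views of the same kernel state.

```c
#include <stdio.h>

/* Constructed toy model, not real kernel code. The "kernel" keeps processes on
 * a circular doubly linked list (what a task lister walks) and, separately, a
 * scheduler table of runnable entries (what actually gets CPU time). */
#define MAX_PROCS 8

typedef struct proc {
    int pid;
    char name[16];
    struct proc *next, *prev;          /* process-list links */
} proc_t;

static proc_t procs[MAX_PROCS];
static proc_t list_head;               /* list sentinel */
static proc_t *sched_table[MAX_PROCS]; /* independent view used by the scheduler */
static int nprocs;

void kernel_init(void) {
    list_head.next = list_head.prev = &list_head;
    nprocs = 0;
}

proc_t *create_proc(int pid, const char *name) {
    if (nprocs >= MAX_PROCS) return NULL;
    proc_t *p = &procs[nprocs];
    p->pid = pid;
    snprintf(p->name, sizeof p->name, "%s", name);
    p->prev = list_head.prev;          /* append at the tail of the list */
    p->next = &list_head;
    list_head.prev->next = p;
    list_head.prev = p;
    sched_table[nprocs++] = p;         /* the scheduler records it separately */
    return p;
}

/* The situation the comment describes: the entry is cut out of the list by
 * rewriting its neighbours' pointers. The scheduler table still references it,
 * so the process keeps running; only list walkers stop seeing it. */
void unlink_from_list(proc_t *p) {
    p->prev->next = p->next;
    p->next->prev = p->prev;
    p->next = p->prev = p;             /* self-link so a repeat unlink is harmless */
}

/* View 1: walk the list, as ps/tasklist-style tools do. */
int list_view(int *pids, int max) {
    int n = 0;
    for (proc_t *p = list_head.next; p != &list_head && n < max; p = p->next)
        pids[n++] = p->pid;
    return n;
}

/* View 2: what the scheduler will actually run. */
int sched_view(int *pids, int max) {
    int n = 0;
    for (int i = 0; i < nprocs && n < max; i++) pids[n++] = sched_table[i]->pid;
    return n;
}

/* Cross-view check: a pid the scheduler knows but the list lacks is hidden. */
int find_hidden(int *hidden, int max) {
    int lv[MAX_PROCS], sv[MAX_PROCS], h = 0;
    int ln = list_view(lv, MAX_PROCS), sn = sched_view(sv, MAX_PROCS);
    for (int i = 0; i < sn; i++) {
        int seen = 0;
        for (int j = 0; j < ln; j++) if (lv[j] == sv[i]) seen = 1;
        if (!seen && h < max) hidden[h++] = sv[i];
    }
    return h;
}

/* Scenario: three constructed processes, pid 300 unlinked. Returns the hidden
 * pid the cross-view check reports, 0 if none, -1 if more than one. */
int run_scenario(void) {
    int hidden[MAX_PROCS];
    kernel_init();
    create_proc(100, "init");
    create_proc(200, "sshd");
    unlink_from_list(create_proc(300, "hidden"));
    int n = find_hidden(hidden, MAX_PROCS);
    return n == 1 ? hidden[0] : (n == 0 ? 0 : -1);
}

/* Number of processes a plain list walk shows after run_scenario(). */
int visible_count(void) { int v[MAX_PROCS]; return list_view(v, MAX_PROCS); }

int main(void) {
    int hidden = run_scenario();
    printf("list walk shows %d processes; scheduler also runs pid %d\n",
           visible_count(), hidden);
    return 0;
}
```

The point of the model is the second view: a monitor that only asks the list walker gets the same answer the rootkit wants it to get, so a detector needs a source of truth the list editor did not touch. In this toy that is the scheduler table read from the same address space; Komoku's pitch is that Copilot reads kernel memory from hardware independent of the host, which this model does not reproduce.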