Cyber Security Institute
Tuesday, December 13, 2005

Intel Researchers Sneak Up on Rootkits

The chip maker’s Communications Technology Lab, in a project called System Integrity Services, has created a hardware engine to sniff out sophisticated malware attacks by monitoring the way operating systems and critical applications interact with hardware inside computers.

By watching a computer’s main memory, System Integrity Services can detect when an attacker takes control of the system. Such attacks sever the ties between data loaded into memory by an application and the application itself, and can fool a system so as to avoid detection while potentially allowing for surreptitious pilfering of data or the perpetration of other attacks.
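The monitoring idea in the paragraph above, as an added illustration that is not Intel’s design or code: a flat byte array stands in for main memory, a monitor records digests of the pages that should stay constant while the program runs (its code), and a later re-measurement flags the one page a simulated tamper changed while an ordinary write to the program’s own data passes. The page size, the region layout and the "code" bytes are all constructed for the example.

```python
"""Toy model of watching a program's memory for tampering.

Constructed example: a bytearray stands in for main memory. A monitor
records SHA-256 digests of the pages that should stay constant while the
program runs (its code), re-measures them later, and reports any page
whose digest changed. Writes to the program's own data region are
expected and are deliberately not measured.
"""
import hashlib
from typing import Dict, List, Tuple

PAGE_SIZE = 16  # constructed toy page size; real pages are 4 KiB

Region = Tuple[int, int]  # (start, end) byte offsets, end exclusive


def measure(memory: bytes, regions: List[Region]) -> Dict[int, str]:
    """Return {page_start: sha256_hex} for every page inside the regions."""
    digests: Dict[int, str] = {}
    for start, end in regions:
        for page in range(start, end, PAGE_SIZE):
            digests[page] = hashlib.sha256(memory[page:page + PAGE_SIZE]).hexdigest()
    return digests


def tampered_pages(baseline: Dict[int, str], current: Dict[int, str]) -> List[int]:
    """Page offsets whose digest no longer matches the baseline (or vanished)."""
    return sorted(page for page, digest in baseline.items() if current.get(page) != digest)


def demo() -> Tuple[List[int], List[int]]:
    """Run one clean re-measurement and one after a simulated code patch."""
    memory = bytearray(128)
    code_region = (0, 64)    # constructed: pages 0x00..0x30 hold "program code"
    data_region = (64, 128)  # constructed: pages 0x40..0x70 are writable data
    memory[code_region[0]:code_region[1]] = bytes(range(64))  # constructed code bytes
    invariant = [code_region]  # only these pages must never change
    baseline = measure(bytes(memory), invariant)

    # Normal operation: the program updates its own data. Not a violation.
    memory[data_region[0] + 6] = 0xFF
    clean = tampered_pages(baseline, measure(bytes(memory), invariant))

    # Simulated tampering: one code byte is patched in place (offset 37, page 32).
    memory[37] ^= 0x01
    hit = tampered_pages(baseline, measure(bytes(memory), invariant))
    return clean, hit


if __name__ == "__main__":
    clean, hit = demo()
    print("after data write:", clean)   # []
    print("after code patch:", hit)     # [32]
```

A real monitor would measure from outside the operating system it watches, which is the point of putting the engine in hardware; the toy keeps only the measure-and-compare logic.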

“Our threat model assumes that the attacker gets on the system somehow and has unrestricted access to the system,” said Travis Schluessler, a security architect inside Intel’s Communications Technology Lab.

If it were to be put into a product platform, Intel’s System Integrity Services could be used in conjunction with other elements, including the Intel Active Management Technology for monitoring hardware, and could also be used in concert with other research projects such as Circuit Breaker.

Such a combination might help quickly head off widespread infections, which can cost companies not only in data theft but also in reduced employee productivity due to computer downtime and heavy use of IT resources to clean them up, the Intel researcher said.

Indeed, in one example, “Once System Integrity Services has detected a problem, it can tell Circuit Breaker to turn [a machine] off the primary network and switch it over to a remediation network,” he said.

That focus has been brought about by the chip maker’s recent shift to designing platforms around devices such as servers or desktop PCs.  Unlike when it sold chips individually, the platform design strategy has Intel creating numerous add-ons, which include features such as virtualization and the Intel Active Management Technology, which are designed to increase the usability and manageability of desktops, notebooks and servers.

Many of Intel’s more advanced worm and virus detection technologies are still at the research stage today (some of Intel’s other projects include worm signature detectors called Autograph and Polygraph), but they could easily wind up as features inside Intel’s future product platforms.  “Now we’re looking at this even more from a platform level on how we can bring these things together to drive new value to customers.”

The lab is also working on projects called Autograph and Polygraph, which are designed to help prevent large-scale worm infections altogether by analyzing individual worms and quickly publishing data on how to detect them.  Autograph and Polygraph employ a combination of heuristics and good old sleuthing to track down worms and locate their signatures (the unique pattern of data required for a particular exploit) and then notify other systems with those signatures so that they can move to identify and block the worm, said Brad Karp, at Intel Research Pittsburgh, a lab located on the campus of Carnegie Mellon University.
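The signature idea described above, as an added and deliberately simplified illustration that is not Intel’s Autograph or Polygraph code: given a pool of payloads already flagged as suspicious and a pool of known-benign traffic, find the longest byte string that every suspicious payload shares and that never appears in benign traffic, publish it as the signature, and use it to flag new flows. The minimum signature length, the HTTP-looking payloads and the `WORM-PAYLOAD-7f3a` marker are all constructed for the example; the benign pool is what stops a shared protocol header from being published as the signature.

```python
"""Toy content-based worm signature generation and matching.

Constructed example, not Intel's Autograph or Polygraph: the invariant
content shared by all suspicious payloads is the candidate signature, and
a pool of known-benign traffic vetoes candidates that would also match
ordinary flows (such as a common protocol header).
"""
from typing import Iterator, List, Optional

MIN_LEN = 8  # constructed threshold: shorter strings match by chance too often

# Constructed suspicious flows: a shared upload header, a varying Host
# line, and the worm's fixed marker at a varying offset.
SUSPICIOUS: List[bytes] = [
    b"POST /upload HTTP/1.1\r\nHost: a\r\n\r\nWORM-PAYLOAD-7f3a\x01",
    b"POST /upload HTTP/1.1\r\nHost: bb\r\n\r\n\x02WORM-PAYLOAD-7f3a",
    b"POST /upload HTTP/1.1\r\nHost: ccc\r\n\r\nWORM-PAYLOAD-7f3a",
]

# Constructed benign flows: same header, no marker.
BENIGN: List[bytes] = [
    b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\nhello",
    b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
]

# Constructed new traffic to screen with the published signature.
NEW_FLOWS: List[bytes] = [
    b"GET / HTTP/1.1\r\nHost: www.example\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: dd\r\n\r\n\x07WORM-PAYLOAD-7f3a",
    b"POST /upload HTTP/1.1\r\nHost: ee\r\n\r\nordinary upload",
]


def invariant_substrings(payloads: List[bytes], min_len: int) -> Iterator[bytes]:
    """Yield substrings (longest first) that occur in every payload."""
    shortest = min(payloads, key=len)  # every invariant is a substring of it
    seen = set()
    for length in range(len(shortest), min_len - 1, -1):
        for i in range(len(shortest) - length + 1):
            candidate = shortest[i:i + length]
            if candidate in seen:
                continue
            seen.add(candidate)
            if all(candidate in p for p in payloads):
                yield candidate


def generate_signature(suspicious: List[bytes], benign: List[bytes],
                       min_len: int = MIN_LEN) -> Optional[bytes]:
    """Longest invariant of the suspicious pool that is absent from benign traffic."""
    for candidate in invariant_substrings(suspicious, min_len):
        if not any(candidate in b for b in benign):
            return candidate
    return None  # nothing distinguishes the pool from normal traffic


def flag_flows(signature: bytes, flows: List[bytes]) -> List[int]:
    """Indices of flows that carry the signature."""
    return [i for i, flow in enumerate(flows) if signature in flow]


if __name__ == "__main__":
    longest = next(invariant_substrings(SUSPICIOUS, MIN_LEN))
    print("longest shared content:", longest)   # the common header, vetoed as benign
    sig = generate_signature(SUSPICIOUS, BENIGN)
    print("published signature:", sig)          # b'WORM-PAYLOAD-7f3a'
    print("flagged flows:", flag_flows(sig, NEW_FLOWS))  # [1]
```

The longest shared content is the upload header, which would flag every legitimate upload; checking candidates against benign traffic before publishing is what keeps the signature specific to the worm.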