Intel Working on Rootkit Detection Techniques

FOLSOM, CALIFORNIA -- Intel is working on a research project that would immediately notify PC users if they inadvertently download a rootkit such as the XCP (extended copy protection) software found on certain music CDs shipped by Sony, researchers said Tuesday.

Intel today held an open house for press, analysts, students, and employees in Folsom, California, to showcase some of its projects and to talk a little about its vision of the future of computing. That future involves relieving humans of the job of serving as gatekeepers for reams of information flowing between computers and people, said David Tennenhouse, vice president of Intel's technology group and director of research at the company.

"We need to connect the computers directly to the data, so the human beings don't have to be the I/O channel, and elevate the role of the human being to a more supervisory role," Tennenhouse said.

Intel's project is a long way from appearing in new PCs, however. The project is tentatively scheduled to become part of Intel's products around 2008 or 2009, according to Travis Schluessler, a researcher with Intel.

Constant Program Monitor

One interesting project involves placing a small chip on a PC's motherboard to monitor programs constantly for modifications that might be the result of a malicious attack, Schluessler said.

Sony's XCP software used rootkit techniques to implement its copy-protection policies. Rootkits are pieces of software designed to access a system and make changes or implement policies without being detected by the computer's operating system or antivirus software. Security experts say that malicious hackers might have used Sony's rootkit software to launch undetectable attacks.

Security vendors recently admitted that Sony's XCP rootkit caught them by surprise--even though it had been installed on thousands of systems for months before an independent researcher identified it--and that their products need significant upgrades to detect rootkits.

The Intel project seeks to protect systems from malicious programs that make their way onto a system and attack application software running in the system's memory, Schluessler said. Many modern worms and viruses, such as the Slammer and Blaster worms, attempt either to disable programs running in memory or to alter those programs so that they run the attacker's code and then propagate themselves across a network, he said.

Detect Changes in Application Code

The succinctly named "OS Independent Run-Time System Integrity Services" project focuses on limiting memory-resident attacks by detecting changes in application code as they happen, enabling IT administrators to take immediate action, Schluessler said. Under this scenario, an "integrity measurement manager" running on a chip outside the main CPU or memory would identify a rootkit or malware that started to make changes to the program in memory. Such detection could trigger any number of responses set by the IT department.

For example, an infected PC could be set to immediately detach from the network when an alert is triggered, preventing the worm or attack from spreading beyond that PC, Schluessler said. The alert could also send an e-mail or pop-up message to the network administrator warning of the intrusion.

Intel doesn't expect its project to supplant antivirus and antispyware programs, but it believes that the project could complement them, Schluessler said. Malware often attempts to shut down or alter antivirus software to make way for future attacks, and this project could back up the antivirus software, or "check the checker," he said.
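To make the mechanism described above concrete (baseline measurement of a program's code pages by a monitor that sits outside the monitored software, re-measurement to catch in-memory patching, and IT-defined responses such as network detachment or an administrator alert, including "checking the checker" by registering the antivirus program itself), here is an added illustrative example. It is not Intel's code or design; the class, page size, response hooks and sample code image are all assumptions constructed for the demonstration.

```python
import hashlib

PAGE_SIZE = 4096  # assumed measurement granularity, so an alert can name the page

class IntegrityMeasurementManager:
    """Illustrative out-of-band monitor (assumed design, not Intel's): hash every
    code page of a registered program at load, re-measure on each tick, and run
    the configured responses when a page no longer matches its baseline."""

    def __init__(self, responses):
        self.responses = responses  # callables: respond(program, page_index)
        self.baseline = {}          # program name -> list of per-page SHA-256 hex
        self.alerted = set()        # (program, page) pairs already reported once

    @staticmethod
    def measure(code):
        pages = [code[i:i + PAGE_SIZE] for i in range(0, len(code), PAGE_SIZE)]
        return [hashlib.sha256(p).hexdigest() for p in pages]

    def register(self, name, code):
        # Baseline is taken when the program is loaded, before any attacker runs.
        self.baseline[name] = self.measure(code)

    def tick(self, images):
        """images: program name -> current bytes of its code region."""
        new_alerts = []
        for name, expected in self.baseline.items():
            current = self.measure(images.get(name, b""))
            if len(current) != len(expected):
                page_ids = [-1]            # region resized or vanished: report page -1
            else:
                page_ids = [i for i, (o, n) in enumerate(zip(expected, current)) if o != n]
            new_alerts += [(name, p) for p in page_ids if (name, p) not in self.alerted]
        for alert in new_alerts:
            self.alerted.add(alert)         # report each tampered page only once
            for respond in self.responses:
                respond(*alert)
        return new_alerts

# Constructed sample: a 3-page "antivirus" code image that gets patched in memory.
AV_CODE = bytes(range(256)) * (3 * PAGE_SIZE // 256)

def run_demo():
    events = []
    responses = [lambda prog, pg: events.append(("detach_network", prog, pg)),
                 lambda prog, pg: events.append(("email_admin", prog, pg))]
    imm = IntegrityMeasurementManager(responses)
    imm.register("antivirus", AV_CODE)
    clean = imm.tick({"antivirus": AV_CODE})           # unchanged -> []
    patched = bytearray(AV_CODE)
    patched[PAGE_SIZE + 16:PAGE_SIZE + 18] = b"\xeb\xfe"  # two bytes altered in page 1
    hit = imm.tick({"antivirus": bytes(patched)})      # -> [("antivirus", 1)]
    again = imm.tick({"antivirus": bytes(patched)})    # already reported -> []
    return clean, hit, again, events
```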
