funsec mailing list archives

RE: eWeek: Government-Funded Startup Blasts Rootkits


From: "Larry Seltzer" <larry () larryseltzer com>
Date: Thu, 27 Apr 2006 10:44:52 -0400

http://www.komoku.com/pubs/USENIX-copilot.pdf
"The monitor is an Intel StrongARM EBSA-285 Evaluation Board - a
single-board computer on a PCI add-in card inserted into the host's PCI bus.
The monitor retrieves parts of host RAM for examination through Direct
Memory Access (DMA) without the knowledge or intervention of the host
kernel."

This is all well and good and I see the value since the coproc is both
real-time and off-line. I admit I haven't read all the paper, but I still
don't know how it's supposed to tell the difference between legitimate and
malicious behavior.

It looks like the main thing Co-Pilot does is to monitor changes to key jump
tables in the kernel. I think the key analogous structure in the Windows
kernel is called the system service table. But aren't there legitimate
reasons for software to hook it? Anti-virus software for example. I don't
really know if legit software ever uses the same techniques, I'm genuinely
curious. Where's Mark Russinovich when you need him?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 
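The jump-table check discussed above, as an added worked example (not code from the Copilot paper or from anyone in this thread): a monitor holding a DMA snapshot of the system call table compares it against a known-good hash and flags any entry whose target lies outside the kernel's own text segment. The addresses and the eight-entry table are constructed placeholders, not real kernel values. The example also makes Larry's point concrete: an anti-virus hook and a rootkit hook produce the same finding, so the only way such a monitor tells them apart is an operator-maintained allowlist of trusted module ranges plus a re-baselined hash.

```python
import hashlib
import struct

# Constructed address ranges for a toy 64-bit kernel (assumptions, not real).
KERNEL_TEXT = (0xFFFFFFFF81000000, 0xFFFFFFFF82000000)   # [start, end)
TABLE_ENTRIES = 8


def build_table(entries):
    """Pack 64-bit function pointers into a little-endian jump table image."""
    return struct.pack("<%dQ" % len(entries), *entries)


def baseline_hash(table_bytes):
    """Hash of the table as captured when the system was known good."""
    return hashlib.sha256(table_bytes).hexdigest()


def check_table(table_bytes, expected_hash, allowed_ranges=(KERNEL_TEXT,)):
    """Return a list of findings for a captured table; [] means it is clean.

    Two independent signals, as a coprocessor monitor would apply them:
      1. the whole table differs from the recorded baseline hash;
      2. an individual entry points outside every allowed code range.
    """
    findings = []
    if baseline_hash(table_bytes) != expected_hash:
        findings.append("table hash differs from baseline")
    ptrs = struct.unpack("<%dQ" % (len(table_bytes) // 8), table_bytes)
    for idx, target in enumerate(ptrs):
        if not any(lo <= target < hi for lo, hi in allowed_ranges):
            findings.append("entry %d points outside allowed code: %#x" % (idx, target))
    return findings


def demo():
    """Walk through baseline, hooked table, and operator-accepted hook."""
    good = build_table([KERNEL_TEXT[0] + 0x1000 * (i + 1) for i in range(TABLE_ENTRIES)])
    good_hash = baseline_hash(good)

    # Something (AV driver or rootkit, the monitor cannot tell which)
    # redirects entry 3 into a loaded-module region (constructed address).
    hooked = bytearray(good)
    struct.pack_into("<Q", hooked, 3 * 8, 0xFFFFFFFFA0001000)
    hooked = bytes(hooked)

    # An operator who has vetted the module allowlists its text range and
    # records a new baseline; the same table is then reported clean.
    module_text = (0xFFFFFFFFA0000000, 0xFFFFFFFFA0010000)
    accepted = check_table(hooked, baseline_hash(hooked),
                           allowed_ranges=(KERNEL_TEXT, module_text))

    return {
        "clean": check_table(good, good_hash),
        "hooked": check_table(hooked, good_hash),
        "accepted": accepted,
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "no findings")
```

Note that the monitor itself never decides "legitimate" or "malicious"; it only reports that the table no longer matches what an operator previously approved, which is exactly the gap the post is asking about.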


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.