INTEREST: U.S. government DARPA funding "rootkit" research...

1) what is a "rootkit"? ...from http://en.wikipedia.org/wiki/Rootkit
A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user's knowledge. Rootkits are known to exist for a variety of operating systems such as Linux, Solaris and versions of Microsoft Windows. A computer with a rootkit on it is called a rooted computer. The word "rootkit" came to public awareness in the 2005 Sony CD copy protection controversy, in which Sony BMG music CDs placed a rootkit on Microsoft Windows PCs.
2) why should I know about rootkits? While the incidence of exploits by viruses, trojan horses, malware, and rootkits is low in the OS X world, with the advent of Apple's BootCamp (http://www.apple.com/macosx/bootcamp/) in addition to such "virtualization" software as Parallels (http://www.parallels.com), more Macintosh users will also be running Windows operating systems - the target of most exploits these days. Without the proper due diligence (keeping updates current, great caution with email attachments, etc.) any operating system can be exploited.
[NOTE: simply put, "virtualization" in the computer world refers to "the ability to run more than one operating system at a time". For example, you could be simultaneously running OS X and its available applications, Windows XP and its available applications, as well as LINUX and its available applications. For more information on "virtualization" please see http://en.wikipedia.org/wiki/Virtualization.]
------------------- Now, having given some background, forward to the DARPA-related article....
...from: http://www.baselinemag.com/article2/0,1540,1952802,00.asp
Government-Funded Startup Blasts Rootkits
By Ryan Naraine
[Image caption: Symantec's LiveState product combines with CoPilot and Gamma to restore the system to its original state.]
A startup funded by the U.S. government's Defense Advanced Research Projects Agency is ready to emerge from stealth mode with hardware- and software-based technologies to fight the rapid spread of malicious rootkits. Komoku, of College Park, Md., plans to ship a beta of Gamma, a new rootkit detection tool that builds on a prototype used by several sensitive U.S. government departments to find operating system abnormalities that may be linked to malicious rootkit activity.
A rootkit modifies the flow of the kernel to hide the presence of an attack or compromise on a machine. It gives a hacker remote user access to a compromised system while avoiding detection from anti-virus scanners.
The company's prototype, called CoPilot, is a high-assurance PCI card capable of monitoring the host's memory and file system at the hardware level. It is specifically geared towards high-security servers and computers.
Gamma, meanwhile, is a separate, software-only clone of CoPilot that will target businesses interested in a low-assurance tool for protecting laptops and personal computers.
Komoku launched quietly in 2004 with about $2.5 million in funding and rootkit detection contracts from DARPA, the Department of Homeland Security and the U.S. Navy.
The company has its roots at the University of Maryland, where computer scientist William Arbaugh worked on what he calls a "unique approach" to finding rootkits.
"Security technologies depend on the correctness of the system they're actually checking," said Arbaugh, who now serves as president of the five-employee outfit.
"If something changes the system at the operating system level, it can't be reliably detected via the OS itself or through applications running on the system," he said in an interview with eWEEK.
"We have this notion of what the operating system is supposed to look like and we look for deviations [from] that. We aren't initially looking for the rootkit; we look at the side effects of the infection."
Komoku has partnered with security vendor Symantec to handle disinfection and restoration after rootkits and other sophisticated forms of malware are detected.
Jamie Butler, a renowned rootkit researcher who works as Komoku's chief technical officer, said Gamma will have limited clean-up capabilities because it is software-based and susceptible to direct attack, much like any application running on the operating system.
"Clean-up is a very difficult goal while maintaining a running system. When you find a rootkit, you essentially have several choices. The easiest choice is to halt the system. But, that means that you'll lose any evidence that might be in memory. It also means that the services provided by that system are made unavailable," Butler explained.
Another choice might be to eliminate the effects of the rootkit, but this could be very difficult because of the complicated nature of an operating system.
A third choice would be to allow the rootkit to remain active while you attempt to discern its motives, Butler added, noting that both Gamma and CoPilot will allow all three of these choices.
The plan is to have both the hardware and software versions collect forensic data when a compromise is detected. Butler said products are able to capture hidden malware in memory and send it back to a central management station where the products are running in enterprise mode.
-------------------------- ...for more information on rootkits and efforts being undertaken for their detection, please see: http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt
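As an added example (not code from the article, from Komoku, or from the original post), here is a minimal model of the approach Arbaugh describes: record digests of kernel regions that should never change while the system is known-good, flag any later deviation as a side effect of infection, and cross-check the kernel's own task list against what the OS reports to userland. The memory "image", region names, PIDs and the simulated hook are all constructed stand-ins; a real monitor such as CoPilot reads physical memory from its PCI card rather than from a Python dict.

```python
import hashlib

# Constructed stand-in for a snapshot of kernel memory: region name -> bytes.
# A hardware monitor would read these regions from physical RAM; here they are
# plain bytes so the example runs anywhere.
CLEAN_IMAGE = {
    "syscall_table": bytes(range(0, 64)),          # constructed "function pointers"
    "idt": bytes(range(64, 128)),                  # constructed interrupt table
    "text_segment": b"kernel code bytes (constructed sample)",
}


def take_baseline(image):
    """Record a digest of each invariant region while the system is known-good."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in image.items()}


def check_integrity(image, baseline):
    """Return the names of regions whose current contents deviate from the baseline.

    A hooked syscall entry changes the syscall_table digest no matter how well the
    rootkit hides itself from tools running on the OS, because the comparison is
    made from outside the OS against a notion of what it is supposed to look like.
    """
    return sorted(name for name, digest in baseline.items()
                  if hashlib.sha256(image.get(name, b"")).hexdigest() != digest)


def hidden_processes(kernel_task_list, os_reported_pids):
    """Cross-view check: PIDs the monitor finds by walking the kernel's task list
    but which the OS does not report to userland are a side effect of hiding."""
    return sorted(set(kernel_task_list) - set(os_reported_pids))


def simulate_hook(image, region, offset, new_bytes):
    """Constructed 'infection' for the demo: overwrite part of one region."""
    data = bytearray(image[region])
    data[offset:offset + len(new_bytes)] = new_bytes
    return {**image, region: bytes(data)}


if __name__ == "__main__":
    baseline = take_baseline(CLEAN_IMAGE)
    print("clean system deviations:", check_integrity(CLEAN_IMAGE, baseline))
    hooked = simulate_hook(CLEAN_IMAGE, "syscall_table", 8, b"\xff\xff\xff\xff")
    print("after hook:", check_integrity(hooked, baseline))
    print("hidden PIDs:", hidden_processes([1, 2, 3, 4242], [1, 2, 3]))
```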