Intel working on rootkit detection techniques

Intel is working on a research project that would have allowed PC users to detect Sony's XCP rootkit when it was first installed.

Intel is working on a research project that would immediately notify PC users if they inadvertently download a rootkit like the XCP (extended copy protection) software found on certain music CDs shipped by Sony, researchers said Tuesday.

Intel held an open house for press, analysts, students and employees in Folsom, California, Tuesday to showcase some of its projects and talk a little about its vision of the future of computing. That future involves relieving humans of serving as the gatekeepers for reams of information flowing between computers and people, said David Tennenhouse, vice president of Intel's Technology Group and director of research at the company.

"We need to connect the computers directly to the data, so the human beings don't have to be the I/O channel, and elevate the role of the human being to a more supervisory role," Tennenhouse said.

One interesting project involves placing a small chip on a PC's motherboard to constantly monitor programs for modifications that might be the result of a malicious attack, said Travis Schluessler, a researcher with Intel.

Sony's XCP software implemented copy-protection policies with rootkit software. Rootkits are pieces of software designed to access a system and make changes or implement policies without being detected by the operating system or antivirus software. Security experts say malicious hackers might have used Sony's rootkit software to launch undetectable attacks.

Security vendors recently admitted that Sony's XCP rootkit caught them by surprise, even though it had been installed on thousands of systems for months before an independent researcher identified it, and their products need significant upgrades to detect rootkits.

The idea behind the Intel project is to protect systems from malicious programs that make their way onto a system and attack application software running in the system's memory, Schluessler said. Many modern worms and viruses, such as the Slammer and Blaster worms, attempt to disable programs running in memory or alter those programs to run the attacker's code and then propagate themselves across a network, he said.

The succinctly named "OS Independent Run-Time System Integrity Services" project attempts to limit memory-resident attacks by detecting changes in application code as they happen, allowing IT administrators to take immediate action, Schluessler said. Under this scenario, an "integrity measurement manager" running on a chip outside of the main CPU (central processing unit) or memory would identify a rootkit or malware that started to make changes to the program in memory. That detection would trigger any number of responses set by the IT department.

For example, an infected PC could be set to immediately detach from the network when an alert is triggered, preventing the worm or attack from spreading beyond that PC, Schluessler said. The alert could also send an e-mail or pop-up message to the network administrator informing them of the intrusion.

Intel doesn't expect its project to take the place of antivirus or antispyware software, but believes it could supplement them, Schluessler said. Malware often attempts to shut down or alter antivirus software to make way for future attacks, and this project could back up the antivirus software, or "check the checker," he said.

However, Intel's project is a long way from appearing in new PCs. The project is tentatively scheduled to become part of Intel's products around 2008 or 2009, Schluessler said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tom Krazit

IDG News Service
Show Comments

Brand Post

Bitdefender 2019

Taking cybersecurity to the highest level and order now for a special discount on the world’s most awarded and trusted cybersecurity. Be aware without a care!

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Luke Hill


I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?