LynuxWorks, a provider of tools and technologies for the embedded software market, today announced the RDS5201, a new product designed to help detect the stealthiest of advanced persistent threats (APT), the rootkit.
The RDS5201 Rootkit Detection System is a custom-built hardened appliance, which detects low-level, zero-day rootkits, often the payload of advanced threats.
Built on the LynxSecure 5.2 separation kernel and hypervisor, the RDS5201 is a small form factor appliance designed to offer a unique detection capability that complements traditional security mechanisms, the company said.
The detection is direct (i.e., not done by statistical analysis or other indirect techniques) and is coupled with immediate, automated, live visual forensic data.
“Rootkits are becoming stealthier, more potent and more complex. The threat from them is becoming more prevalent, as exploit kits are commercially available and are easier to use. Recent researches are showing that seven of the top ten threats in 2012 were rootkits and that the number of boot-level rootkits increased dramatically,” said Avishai Ziv, vice president of Cyber Security Solutions at LynuxWorks. “The normal endpoint and network protection mechanisms simply cannot prevent, or even detect, them until it is too late and hence the need for a new type of security product, such as the RDS5201, to help give early warning for these threats as they infect our enterprise networks.”
Rootkits work at the lowest levels of the operating system (OS) they intend to attack. Common detection and prevention mechanisms are part of the “attack target,” allowing rootkits to disable the installed anti-malware client applications. The only way to overcome low-level rootkits is by allowing the security application to execute with a higher security privilege than the attacked OS; provide complete control of the platform hardware; and monitor all activities of the OS and its applications. It must also be self-protecting, non-bypassable and tamper-proof.
The LynxSecure separation kernel and hypervisor offers what the company says is a “non-detectable secure platform” that is used to exercise potential infections, revealing stealthy threats as they attack their virtual victim. LynxSecure is the most privileged monitor in the RDS5201 platform, and constantly monitors for malicious and irregular activity in key disk areas (MBR, key blocks and sectors); physical memory areas; CPU instructions and data structures; interrupt data structures etc., the company explained.
This detection is completely OS agnostic, as it’s situated below any of the guest OS. Upon detection, the RDS5201 alerts and sends an automated live forensics report to its dashboard, including detailed information such as the clean and infected disk sectors, in-memory data structures, and more. The RDS5201 can also be connected to other network protection systems such as SIEM and threat management systems, offering an early warning mechanism that complements and enhances existing security solutions, the company said.