Security newcomer thwarts attacks at Windows kernel

A company led by former Microsoft employees has developed security software that hooks into the APIs of the Windows processes.


A company led by executives with deep roots in Microsoft Windows has a plan for stopping browser-based malware attacks in the enterprise by identifying and blocking rogue threats at the operating system kernel.

Haute Secure, based in Seattle, recently released a beta of its namesake product for Internet Explorer browsers that reportedly protects users as they surf the Web. The company said it also has plans to include technology to protect other browsers such as Mozilla Firefox and Apple Computer Inc.'s Safari.


Other plans include the ability to turn on different features in Haute Secure's product that could monitor other desktop applications such as Microsoft Word and Adobe Acrobat. Haute Secure said it may also develop a fee-based service for Web site owners that would alert them to malware that hackers left on their sites and to the malware's exact location.

The technology Haute Secure uses is a software driver installed at the OS kernel level, where it hooks into the application programming interfaces, or APIs, of the 70 or so Windows processes, said Steve Anderson, head of product strategy for Haute Secure. These hooks allow it to create a "soft sandbox," where it monitors and blocks suspicious activity, including rootkits, based on behavioral algorithms.

Detects malware by examining behavior

By monitoring behavior rather than relying on signatures, the product can detect malware even if the user is the first one to come across it, said Anderson. Should that be the case, the information is sent back to Haute Secure, which uses it to update its other customers' networks.

The product also has a list of known "bad" sites, which is updated several times a day as an extra layer of protection, Anderson said. The Haute Secure product blocks the malware portion of a Web page and allows access to the remaining "good" content, he said. It also gives users warnings -- a red alert tells users that it has stopped an attack, and an orange alert warns users they are entering a Web site known to have malicious links.

Anderson said that the product's ability to find malware in ads on legitimate Web sites allows users to surf without getting a "drive-by download."
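To make the "soft sandbox" idea concrete, here is an added illustration (not Haute Secure's code, whose internals are not described in the article) of how a behavioral policy can be applied to a stream of hooked API calls from a browser process, combined with the two alert levels described above. The event format, rule names, hostnames and sample events are all constructed for the example; the assumption is that some hook layer (kernel or user mode) reports each call as a (pid, image, API name, argument) record.

```python
"""Toy behavioral policy engine in the spirit of the "soft sandbox" described
in the article.  Added, self-contained illustration: the event format, rule
names and sample events are constructed here and are not vendor code."""

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ApiEvent:
    """One hooked API call as a monitoring driver might report it (constructed format)."""
    pid: int
    image: str   # process image name, e.g. iexplore.exe
    api: str     # Win32/NT API name
    arg: str     # the call's primary argument (path, key, host, child image)


# Constructed stand-in for a "known bad site" feed; .invalid is a reserved TLD.
BAD_SITES = {"malware-host.invalid", "exploit-kit.invalid"}

SYSTEM_DIRS = ("C:\\Windows\\System32", "C:\\Windows\\")
RUN_KEYS = ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")
# Processes placed inside the soft sandbox; everything else is left alone here.
BROWSERS = {"iexplore.exe", "firefox.exe", "safari.exe"}


def classify_event(ev: ApiEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a suspicious event, or None if benign.

    The rules are illustrative: a browser is expected to fetch and render
    pages, not to persist code, spawn processes or load drivers.  "red" means
    an attack was stopped; "orange" is the known-bad-site warning."""
    if ev.image.lower() not in BROWSERS:
        return None
    if ev.api == "CreateProcessW":
        return ("red", f"browser spawned child process {ev.arg}")
    if ev.api == "RegSetValueExW" and ev.arg.startswith(RUN_KEYS):
        return ("red", f"browser wrote autorun key {ev.arg}")
    if (ev.api in ("CreateFileW", "WriteFile")
            and ev.arg.startswith(SYSTEM_DIRS)
            and ev.arg.lower().endswith((".exe", ".dll", ".sys"))):
        return ("red", f"browser dropped executable into system dir: {ev.arg}")
    if ev.api == "NtLoadDriver":
        # rootkit-style behaviour: a browser has no business loading drivers
        return ("red", f"browser attempted to load driver {ev.arg}")
    if ev.api == "InternetConnectW" and ev.arg.lower() in BAD_SITES:
        return ("orange", f"connection to known bad site {ev.arg}")
    return None


def evaluate(events: Iterable[ApiEvent]) -> Dict[str, object]:
    """Run the policy over an event stream.

    A red alert blocks the offending process: every later event from that pid
    is dropped, which is how "stopping the attack" is modelled here.  Orange
    alerts only warn and let the session continue."""
    blocked = set()
    alerts: List[Tuple[str, int, str]] = []
    allowed = 0
    for ev in events:
        if ev.pid in blocked:
            continue
        verdict = classify_event(ev)
        if verdict is None:
            allowed += 1
            continue
        severity, reason = verdict
        alerts.append((severity, ev.pid, reason))
        if severity == "red":
            blocked.add(ev.pid)
    return {"alerts": alerts, "blocked_pids": sorted(blocked), "allowed": allowed}


# Constructed sample stream: a normal page load, a visit to a listed site, then
# a drop-and-load-driver sequence; the Word event is outside the sandbox scope.
SAMPLE_EVENTS = [
    ApiEvent(1001, "iexplore.exe", "InternetConnectW", "news.example"),
    ApiEvent(1001, "iexplore.exe", "CreateFileW",
             "C:\\Users\\u\\AppData\\Local\\Temp\\page.htm"),
    ApiEvent(1001, "iexplore.exe", "InternetConnectW", "exploit-kit.invalid"),
    ApiEvent(1001, "iexplore.exe", "CreateFileW", "C:\\Windows\\System32\\drv.sys"),
    ApiEvent(1001, "iexplore.exe", "NtLoadDriver", "drv"),
    ApiEvent(2002, "winword.exe", "CreateProcessW", "cmd.exe"),
]

if __name__ == "__main__":
    for severity, pid, reason in evaluate(SAMPLE_EVENTS)["alerts"]:
        print(f"[{severity.upper()}] pid {pid}: {reason}")
```

Running the script prints one orange alert for the listed site and one red alert for the executable dropped into System32; the subsequent driver-load attempt from the same process is never evaluated because the process was already blocked. Note that the rules key on behavior (what a browser does), not on file signatures, which is the property that lets such a system flag a sample its vendor has never seen; the cost is that any legitimate browser extension that writes to a system directory would trip the same rule.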

Four of the top executives at Haute Secure come from Microsoft: Anderson, who was a Windows Server senior product manager; Iain Mulholland, a former security strategist and manager of the Microsoft Security Response Center; Frank Swiderski, who worked in malware analysis and software security; and Rob Vucic, who worked on several security projects, including Microsoft's Secure Windows Initiative Internet Crime Investigations team.

Anderson said their time at Microsoft made them aware of how quickly security risks were growing, and technological answers weren't keeping up. "The bad guys are so good at this, and they hide it so well that you can't find it. We wanted to change that," he said.

'Sandbox' technology for security

They're not alone in that space. Google recently bought GreenBorder Technologies Inc., based in Mountain View, Calif., which runs all Web application sessions through a sandbox and prevents any malware from attacking the OS. Once the Web sessions end, it discards any content.

Another example is Israel-based Pelican Security Inc., which Microsoft acquired in 2003. Pelican Security's technology allows a sandbox to be created so that rogue actions by authorized applications can be detected, according to Pete Lindstrom, a senior analyst with the Burton Group, a research company based in Midvale, Utah.

Many security specialists are now focusing on protecting Web 2.0 technologies, which are Web-based and often include online sharing and collaboration tools such as wikis and social networks. "We need more solutions for Web 2.0 security because those applications are ripe for compromise," Lindstrom said. "All the different ways that Web technology is getting poked, prodded and abused and is used to attack any weakness in your networks means everyone has to be working harder on solutions."
