Monday, March 05, 2007

Announcing Helios Lite

We're pleased to announce a new version of Helios called Helios Lite. After listening to feedback from the community and upgrading a lot of our detection technology, we are releasing Helios Lite.

Helios Lite is a rootkit detection product based on some of the components of the Helios rootkit detection technologies. It is an implementation of the idea of Cross View Detection for the detection of persistent and non-persistent rootkits. It successfully detects a large number of user mode and kernel mode rootkits including Hacker Defender, Vanquish, Fu, FuTo, phide_ex and Unreal.A. It searches for hidden processes, hidden files as well as hidden registry keys.
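The cross-view comparison described above, as an added example that is not Helios or MIEL Labs code. It is written for Linux so that it runs anywhere: the high-level view is the directory listing of /proc, which a rootkit that hooks the enumeration path can filter, and the low-level view is a brute-force probe of every PID with kill(pid, 0); the Windows equivalents (Toolhelp or EnumProcesses versus an OpenProcess sweep) are noted in comments. It also handles the two false positives a naive set difference produces: thread IDs, which the probe finds but the listing never shows, and processes that start or exit between the two enumerations. The collector names and the PIDs used in the check are assumptions for this example; the same set difference applies to files and registry keys once two independent enumerations of them are available.

```python
"""Cross-view detection of hidden processes.

Added example for this page, not Helios code. High-level view: what a
(possibly hooked) enumeration API returns (readdir("/proc") here;
EnumProcesses / CreateToolhelp32Snapshot on Windows). Low-level view: a
brute-force probe of every PID (kill(pid, 0) here; OpenProcess on Windows).
A process that the probe finds but the listing omits is hidden from the
enumeration path, which is what a process-hiding rootkit achieves.
"""
import os
from typing import Callable, Iterable


def cross_view_diff(listed: Iterable[int], probed: Iterable[int],
                    canonical: Callable[[int], int] = lambda pid: pid) -> set[int]:
    """Identities in the probed (low-level) view that the listed view lacks.

    `canonical` maps a probe hit to the identity the listing would use for it.
    On Linux, kill(tid, 0) succeeds for non-leader thread IDs, which never
    appear in readdir("/proc"); mapping each hit to its thread-group ID
    removes that false positive before the set difference is taken.
    """
    return {canonical(pid) for pid in probed} - set(listed)


def stable_hidden(snapshots: list[set[int]]) -> set[int]:
    """Keep only identities that were hidden in every snapshot.

    A process created between the listing and the probe of one round shows
    up as 'hidden' in that round alone; requiring agreement across rounds
    suppresses this race without weakening detection of a persistently
    hidden process.
    """
    if not snapshots:
        return set()
    hidden = set(snapshots[0])
    for snap in snapshots[1:]:
        hidden &= snap
    return hidden


def scan(listing: Callable[[], Iterable[int]], probe: Callable[[int], bool],
         pid_max: int, rounds: int = 3,
         canonical: Callable[[int], int] = lambda pid: pid) -> set[int]:
    """Run `rounds` cross-view comparisons and return the stable hidden set."""
    snapshots = []
    for _ in range(rounds):
        listed = set(listing())                                        # high-level view first
        probed = [pid for pid in range(1, pid_max + 1) if probe(pid)]  # then low-level view
        snapshots.append(cross_view_diff(listed, probed, canonical))
    return stable_hidden(snapshots)


# ---- Linux collectors for a live run (Windows: Toolhelp vs. OpenProcess sweep) ----

def proc_listing() -> set[int]:
    """High-level view: PIDs visible in the /proc directory listing."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def kill0_probe(pid: int) -> bool:
    """Low-level view: does the kernel know this PID? EPERM still means 'yes'."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def linux_tgid(pid: int) -> int:
    """Map a PID/TID to its thread-group leader via /proc/<pid>/status.

    /proc/<tid> is reachable by path even though readdir hides it. If the
    entry cannot be read at all, the PID is returned unchanged and stays a
    candidate: a rootkit hiding the whole /proc entry should be reported.
    """
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        pass
    return pid


def linux_pid_max() -> int:
    with open("/proc/sys/kernel/pid_max") as f:
        return int(f.read())


if __name__ == "__main__":
    # pid_max is often 4194304 on modern kernels; three rounds take a few
    # seconds in Python. No privileges are needed for kill(pid, 0).
    found = scan(proc_listing, kill0_probe, linux_pid_max(), canonical=linux_tgid)
    print("hidden processes:", sorted(found) if found else "none")
```

The ordering inside each round matters: the listing is taken first, so a process that exits in between appears in the listing but not the probe and is never flagged, while one that starts in between is flagged only in that round and is then dropped by the stability filter.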

Helios Lite was designed to be quick and portable; it does not require installation and can be run off a USB drive. The only prerequisite is that it be run as an administrator. This release of Helios does not require the .Net Framework and will work on any Windows XP SP2 system. To use all the features, an NTFS formatted system disk is recommended. The addition of the word 'Lite' to the name does not represent a lesser set of features; this version of Helios is even more powerful than the earlier release. We've called it 'Lite' simply because it has very minimal system requirements and does not need installation.

You can download the latest version of Helios Lite from here.
A comprehensive user's manual is included with the zip file to explain how to use Helios Lite and understand its output. As usual, please direct all feedback to helios@miel-labs.com.

Thursday, February 22, 2007

IT Innovation Awards

We're pleased to announce that we have been shortlisted with 6 other companies across India for the NASSCOM IT Innovation Awards 2006 for our work on rootkit detection. We have been shortlisted for innovation in the category of an 'emerging company'.

Our team presented our latest work on behavioural detection and artificial intelligence for malware management in Bangalore to the NASSCOM Awards panel comprising IT industry luminaries and venture capitalists.

The link to the NASSCOM press release has more details. A picture of the trophy we received is shown alongside. You can view a larger version by clicking on the image.


Though we've not updated the page in a while, we've been busy coming up with a whole lot of new technology over the last few months and MIEL-Labs will soon have more technology offerings in the security space. We also plan to offer custom security application development as a service.

Tuesday, July 18, 2006

SANS Handler Review

Helios got mentioned by SANS handler Lenny Zeltser in today's Handler's Diary. His ideas about using rootkit detection for incident handling are in line with a set of features that we plan to roll out (stuff like offline analysis with live CDs etc.). You can read the diary entry here.

At MIEL Labs we're big followers of the SANS Handler's Diary and would like to commend them on keeping us all up to date on the state of the 'Net.

The review mentions incorrectly that Helios does not detect the FuTo rootkit. The reason it was not detected in their tests was that the 'Advanced Detection' thread-level detection feature was not enabled. When this feature is enabled, the second a hidden process gets CPU time, it will be detected. This can be seen in any of the FuTo videos on our videos page.

Look for a new version with more features based on community feedback very soon. We'll post here when it is updated.

Saturday, July 15, 2006

Answering Concerns

First off, thanks for the feedback -- here are a few responses to questions people have raised:

1. Why .Net? - We're not big .Net fans either. If you read the whitepaper, you'll notice that we are expressly not concerned with developing the GUI. The goal is to extend a set of APIs for rootkit detection that other tools can call into. The current GUI is only used to demonstrate this, and is written in .Net because that was the quickest way to slap a GUI together. Point noted, though: we will look at developing frontends and interfaces using MFC. Obviously, our priorities are on developing core detection technology.

2. Patents - We know that nobody can patent public domain material. What you see on the website is the PUBLIC RELEASE of Helios. There are indigenously developed unique techniques that are not in the public release. These will be made available as soon as we decide our strategy with regard to the product development.

3. Open-source – quoting from our FAQ:
“If it wasn't for the community and sites like rootkit.com, the following statements would be true:
1. The antivirus companies would be far behind with this technology
2. The hacker underground would be even further ahead with this technology
3. The antivirus companies would be happy because we wouldn't know what they're not catching.
We could not have built Helios without the help of this community of brilliant people.”
There is a definite roadmap to open-sourcing parts of the product. We believe firmly that you can only trust a security product when you can see what happens under the hood.

4. Detection - We know there are techniques out there that we have not dealt with in the alpha. If you point us to something we don't detect, we'll try and get it in. Rootkit technology is an extremely vast area, there's lots of ground to cover.

5. Inoculation - Once again from the whitepaper: we agree that if code actually does execute, it's game over! Detection is the less desirable condition. If you are able to get your code into the kernel while Helios' inoculation features are turned on, we'd be concerned. :) If a kit is installed before security software, it has free rein over the system. Our energies are being spent trying to prevent this from happening.

6. Features - Background scanning in our opinion is critical. There is no point having to run a tool AFTER the damage has been done (see point 5). We believe this is a significant advantage over on-demand scanners. We also have application integrity checking (which we haven't seen in other public tools), inoculation features for NTFS ADS, physical memory blocking, driver loading protection, and file & folder access control. We added these features because we felt they were missing in other tools.

Summing up - Once we get the APIs into a decent shape, you can add rootkit detection to ANY product you want (HIDS / HIPS / AV / etc). This ability should benefit the security community as a whole. We built this for the community and will make every possible effort to incorporate the features you want.

Check back often, we will be updating regularly.

Diggin'

Looks like someone was kind enough to submit us to Digg.

If you like what you see, Digg us!

Thursday, July 06, 2006

Helios Videos

These videos will demonstrate the features of Helios and pit them against both the latest malware and anti-virus products. If you have any questions about the videos, we'd be happy to answer them.

You can choose either to stream the videos or download them for viewing offline (the downloadable files are also smaller):

Detecting processes hidden using function hooks
In this video we demonstrate the detection and removal of kernel level function hooks.
[stream] [download]

Detecting processes hidden using FuTo (handle table DKOM)
Thread level detection of processes hidden using the advanced FuTo rootkit
[stream] [download]

Helios v/s Antivirus against an undetectable FuTo
A video comparing Helios to popular antivirus products and showing the advantages of behavioral analysis over signature based analysis
[stream] [download]

Helios' Inoculation Features v/s Malware
A video demonstrating one of Helios' inoculation features to prevent rootkits from installing.
[stream] [download]

The Helios Application Protection feature (email stealing)
Demonstrates Helios' application integrity checking against an email interception rootkit.
[stream] [download]

Helios' inoculation features
An overview of Helios' powerful inoculation components that prevent rootkit installation.
[stream] [download]

Helios detecting detour function hooks (in-line hooking)
The detection and removal of in-line function hooks used by modern rootkits.
[stream] [download]

Note: If you choose to download the videos, you will need an SWF player to view them.

As more videos are completed, links will be created here so check back often to see new features in action.

Download Helios

The public version of Helios and Helios Lite are now available for download. We recommend that you download and use Helios Lite as it contains significantly enhanced detection features. These features will soon be incorporated into the complete Helios package.

The recommended minimum requirements are:
  • Windows XP Service Pack 2
  • 512 MB RAM. (256 MB for Helios Lite)
  • 1 Ghz or higher processor (no requirement for Helios Lite)
Helios requires Microsoft .Net Framework 2.0 to be installed. Helios Lite does not need to be installed; it can be run by double clicking the executable file.

By downloading Helios you agree to the following agreement:

Software downloaded from MIEL e-Security's web site is provided 'as is' without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of fitness for a purpose, or the warranty of non-infringement. Without limiting the foregoing, MIEL e-Security makes no warranty that:

1. the software will meet your requirements
2. the software will be uninterrupted, timely, secure or error-free
3. the results that may be obtained from the use of the software will be effective, accurate or reliable
4. the quality of the software will meet your expectations
5. any errors in the software obtained from MIEL e-Security web site will be corrected.

Software and its documentation made available on MIEL e-Security's web site:

6. could include technical or other mistakes, inaccuracies or typographical errors. MIEL e-Security may make changes to the software or documentation made available on its web site.
7. may be out of date, and MIEL e-Security makes no commitment to update such materials.

MIEL e-Security assumes no responsibility for errors or omissions in the software or documentation available from its web site.

In no event shall MIEL e-Security be liable to you or any third parties for any special, punitive, incidental, indirect or consequential damages of any kind, or any damages whatsoever, including, without limitation, those resulting from loss of use, data or profits, whether or not MIEL e-Security has been advised of the possibility of such damages, and on any theory of liability, arising out of or in connection with the use of this software.

The use of the software downloaded through the MIEL e-Security site is done at your own discretion and risk and with agreement that you will be solely responsible for any damage to your computer system or loss of data that results from such activities. No advice or information, whether oral or written, obtained by you from MIEL e-Security or from MIEL e-Security's web site shall create any warranty for the software.

The latest version of Helios can always be found at the following URL:
http://helios.miel-labs.org/downloads/Helios.zip

The latest version of Helios Lite can always be found at the following URL:
http://helios.miel-labs.com/downloads/Helios-Lite.zip


Looking forward to your feedback

Thursday, June 15, 2006

The Helios FAQ

1) What is Helios?
Helios is a patent-pending advanced malware detection system. This downloadable version is a technology preview; however, it is under development to become a complete enterprise-level solution for managing malware. This includes centralized monitoring, system snapshots etc.

Helios has been designed to detect, remove and inoculate against modern rootkits. What makes it different from conventional antivirus / antispyware products is that it does not rely on a database of known signatures. We believe that malware, by definition, has to perform malicious actions on your system. By observing which software performs malicious behaviour, you can better detect malware. Thus Helios uses a 'behavioural' analysis engine as opposed to signatures. The upside to this is that we can catch malware that is 'unknown' in the wild, or for which signature based products do not have a signature definition.

2) Who is this meant for?
Since legitimate software can use techniques that might be considered malicious, we opted not to decide for you what is malware and what isn't. Thus, Helios requires that you exercise a certain degree of discretion to decide between legitimate software and malware. This doesn't mean it's hard to use; any power user can have a look at the manual and use it extremely effectively.

It's also worth noting that Helios is a technology preview. While it is extensively tested and stable, we don't recommend you run a tech preview on the production servers that keep your company in business.

3) Does Helios catch XYZ malware, spyware etc?
We don't know! Since we do behavioural analysis, we don't write signatures for any malware. However, if the malware exhibits the behaviours of modern rootkits, we will pick it up. That said, we have expressly not focused on browser toolbars, dialers and the other crud that is adequately handled by today's antivirus products.

Helios was designed to operate in tandem with your other security products, not replace them.
We will protect you from the latest and greatest techniques in the stealth malware world.

4) Who are you guys?
We're a group of techies that love doing cool stuff with computer security and code. Penetration testing and application security quickly lose their technical challenge, so research is a good way to keep evil minds occupied. Helios is the result of a lot of brainstorming and saying "I wish someone would do XYZ to enhance host security"; after doing this for a while, we decided to step up and try doing it ourselves. We also do research on Bluetooth and 802.11 security among other things.

5) Why do you misuse the word rootkits for what are actually (insert stealthkits, invisiware, chinese gongs here)?
We don't like this supposed purist argument and have had numerous debates with well informed people about what to actually call this class of malware. Our take on the whole thing is that the popular usage of words defines their meaning, if the world refers to this class of software as rootkits, then rootkits they are. To quote the PacketStorm T-shirt - "Evolve or die". Our advice to the 'purists' is that their time would be better spent putting research and code into the community than quibbling over etymology.

6) Is Helios open-source?
At present, no. However, we have designed APIs to tap the core functionality of the product. We want people to extend the capabilities of the technology. More on these APIs at a later stage.

Helios is however completely free (as in beer). You can download it and use it without giving us your personal information, selling your soul or paying to unlock key features.

7) Is Helios spyware?
Nope. Absolutely not.
Obviously, trust is a big thing when you execute code from the Internet. We are expressly stating that Helios does not collect any information or do anything malicious with your system.

We're a reputable information security company founded on strong ethics and values.

If this is not enough for you, our names are in our whitepaper. If you feel we wronged you, feel free to come down to have a chat with us. We're also extremely open about the inner-workings of the product, so you can drop us an email with your queries and we will respond.

8) Does the open-source community contribute to the rise of rootkits?
We snuck this one into our FAQ because it really annoys us. Let's make it quite clear, if it wasn't for the community and sites like rootkit.com, the following statements would be true:

  1. The antivirus companies would be far behind with this technology
  2. The hacker underground would be even further ahead with this technology
  3. The antivirus companies would be happy because we wouldn't know what they're not catching.

We could not have built Helios without the help of this community of brilliant people. Helios is what we're giving back to them, and we sincerely hope our whitepaper will become an authoritative resource on offensive and defensive rootkit technology, rather like the 'Cryptonomicon' in Neal Stephenson's book by the same name.

9) Help! Helios is telling me something is wrong, what do I do?
Well, the first thing you need to do is figure out whether it's a legitimate program showing traces of malicious behaviour. A look through the (we think) comprehensive manual should help you get started with this.

As always, Google is your friend. Sometimes just looking up a process or module name can go a long way. Be aware that some security products like antiviruses / firewalls may hook system calls. It shouldn't be too difficult to trace the hook back to its source using Helios' features.
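The two steps this answer and the in-line hooking video above describe, finding a detour in a function's first bytes and tracing it back to the module that placed it, as an added example that is not Helios or MIEL Labs code. The scanner compares the in-memory prologue of a function with its on-disk image, decodes the common 32-bit x86 detour patterns to recover the destination, and maps that destination to the loaded module whose address range contains it, so a hook placed by a firewall or antivirus DLL can be told apart from one landing in memory backed by no module at all. The module layout, addresses and the hypothetical `fwhook.dll` are constructed for the example; the NtQuerySystemInformation stub bytes follow the XP SP2 syscall-stub shape but are a constructed sample, not a dump from a real system.

```python
"""Detecting an inline (detour) hook and tracing it to its source module.

Added example for this page, not Helios code. A detour overwrites the first
bytes of a function with an unconditional transfer into the hook body. The
scanner compares the in-memory prologue with the on-disk image, decodes the
common 32-bit x86 detour patterns to get the destination, and maps the
destination to the loaded module that contains it. Addresses and module
names below are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Module:
    """A loaded image: name plus the [base, base + size) range it occupies."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """The 5-byte `jmp rel32` a detour engine writes at `src` to reach `dst`."""
    return b"\xE9" + struct.pack("<i", dst - (src + 5))


def decode_detour(code: bytes, address: int) -> Optional[int]:
    """Transfer target if `code` (the bytes located at `address`) starts with a
    recognised detour, else None.  Patterns (32-bit x86):
      E9 rel32          jmp rel32
      68 imm32 C3       push imm32 ; ret
      B8 imm32 FF E0    mov eax, imm32 ; jmp eax
    `jmp dword ptr [mem]` (FF 25) needs a memory read to resolve and is left out.
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (address + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":
        return struct.unpack_from("<I", code, 1)[0]
    return None


def attribute(addr: int, modules: list[Module]) -> Optional[Module]:
    """The loaded module containing `addr`, or None if the address is unbacked."""
    return next((m for m in modules if m.contains(addr)), None)


def scan_function(func: str, address: int, in_memory: bytes, on_disk: bytes,
                  modules: list[Module]) -> Optional[dict]:
    """Cross-check a function prologue in memory against the on-disk image.

    Returns None when the bytes agree, otherwise a finding naming the detour
    target and the module it lands in. Only the leading bytes are compared:
    XP-era prologues (mov edi,edi / push ebp / syscall stubs) carry no
    relocations, so a difference there is a runtime patch, not loader fix-ups.
    """
    n = min(len(in_memory), len(on_disk))
    if in_memory[:n] == on_disk[:n]:
        return None
    target = decode_detour(in_memory, address)
    owner = attribute(address, modules)
    finding = {"function": func, "target": target, "hooked_by": None,
               "verdict": "prologue patched, no recognised detour"}
    if target is not None:
        dest = attribute(target, modules)
        finding["hooked_by"] = dest.name if dest else None
        if dest is None:
            finding["verdict"] = "detour into memory backed by no module (suspicious)"
        elif owner is not None and dest.name == owner.name:
            finding["verdict"] = "patched within its own module (hot-patch or self-modification)"
        else:
            finding["verdict"] = f"detoured into {dest.name}; inspect that module to judge intent"
    return finding


# ---- Constructed sample: fictitious layout, not a real system dump ----
NTDLL = Module("ntdll.dll", 0x7C900000, 0x000B0000)
FW_HOOK = Module("fwhook.dll", 0x10000000, 0x00005000)   # hypothetical firewall hook DLL
MODULES = [NTDLL, FW_HOOK]

NTQSI_ADDR = 0x7C90D92E   # where NtQuerySystemInformation sits in this sample
# XP SP2 style stub: mov eax, 0ADh ; mov edx, 7FFE0300h ; call [edx] ; ret 10h
NTQSI_DISK = bytes.fromhex("B8AD000000BA0003FE7FFF12C21000")


def sample_findings() -> list[dict]:
    """Scan a clean copy, a firewall detour, and a detour into unbacked memory."""
    clean = NTQSI_DISK
    firewalled = encode_jmp_rel32(NTQSI_ADDR, 0x10001000) + NTQSI_DISK[5:]
    unbacked = b"\x68" + struct.pack("<I", 0x00A40000) + b"\xC3" + NTQSI_DISK[6:]
    findings = []
    for image in (clean, firewalled, unbacked):
        found = scan_function("NtQuerySystemInformation", NTQSI_ADDR, image, NTQSI_DISK, MODULES)
        if found is not None:
            findings.append(found)
    return findings
```

On a live Windows system the on-disk bytes come from the same DLL mapped read-only from disk and the module list from the process's loaded-module list; the attribution step is what separates "hooked by my firewall" from "hooked by something that owns no module", which is the distinction this FAQ answer asks the reader to make.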

10) Why haven't you checked for rootkits that use quad-core, interrupt-trapping inline hyperion hooks to take over the world?
Three words: work in progress. We're constantly adding new behaviours and detection tricks. This is half the fun of developing Helios -- outsmarting the other guy. If you do have a new technique or idea, we'd love to hear about it, add it to the whitepaper / product and give you the appropriate credit. Ideas illustrated in code go down far better with us, so if you have source, show us! And yes, we're working on those hyperion hooks ;).