Linked by Thom Holwerda on Thu 2nd Nov 2006 18:38 UTC, submitted by grfgguvf
Privacy, Security, Encryption

Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMD's SVM/Pacifica virtualization technology to create '100 percent undetectable malware'. In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.
OSNews needs tagging
by Tweek on Thu 2nd Nov 2006 19:16 UTC
Tweek
Member since:
2006-01-12

Obvious

Reply Score: 4

RE: OSNews needs tagging
by DittoBox on Fri 3rd Nov 2006 01:20 UTC in reply to "OSNews needs tagging"
DittoBox Member since:
2005-07-08

Or as I've seen on some of the new slashdot articles that have been tagged "noshit."

Reply Score: 1

It's a bad headline
by JoeBuck on Thu 2nd Nov 2006 20:09 UTC
JoeBuck
Member since:
2006-01-11

Tweek, you're responding to the headline, which does not reflect the article content: while she does say that anti-virus software is ineffective, it mainly discusses attacks based on moving the running OS into a virtual machine, and installing the malware as the hypervisor, which is a really neat trick.

Reply Score: 4

RE: It's a bad headline
by sbenitezb on Thu 2nd Nov 2006 20:29 UTC in reply to "It's a bad headline"
sbenitezb Member since:
2005-07-22

So the headline is wrong. Headlines are used to reflect the primary content of the article. If you use it only to attract readers, then you are being (put the word that best suits the attitude).

Edited 2006-11-02 20:30

Reply Score: 3

RE[2]: It's a bad headline
by Thom_Holwerda on Thu 2nd Nov 2006 20:36 UTC in reply to "RE: It's a bad headline"
Thom_Holwerda Member since:
2005-06-29

With interviews, the headline often reflects the most interesting bit of what the person in question has said. Hence, the headline is perfectly fine.

Basic journalism, really.

Edited 2006-11-02 20:37

Reply Score: 1

RE: It's a bad headline
by andrewg on Thu 2nd Nov 2006 20:38 UTC in reply to "It's a bad headline"
andrewg Member since:
2005-07-06

But practically impossible and definitely always discoverable according to the Xen hacker. Seems that AMD has designed its virtualisation to make discovery of this sort of thing easy.

He states, "I wouldn't lose a bit of sleep over this particular threat. I don't feel there is any new risk here at all."

Also it is interesting that the technology built into AMD virtualisation technology allows for "attestation" which could make anti-virus software a thing of the past. The idea is that you can detect at any point in time whether software is running that should not be running.

He states, "Currently, anti-malware software has to look specifically for known threats. Attestation lets you do something much stronger. Attestation allows you to validate that there are no unknown threats. Imagine anti-virus software that doesn't need to be updated--ever. With attestation, there is no such thing as zero-day threats."

Seems to me that the new technology AMD is bundling is making secure systems provable rather than allowing things to run hidden without permission.

Reply Score: 1
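To make the distinction in the quoted comment concrete (a signature scanner finds only what it already knows, whereas attestation checks that everything measured is on a known-good list), here is an added, simplified illustration that is not part of this thread, the eWEEK interview, or any AMD/Xen code. It assumes a measured-boot style register: each component loaded during boot is hashed and chained into a register before it runs, the verifier replays the log to confirm it matches the quoted register value, and then compares every entry against an allow-list. All hashes and component names are constructed for the example.

```python
import hashlib

def h(data: bytes) -> str:
    """SHA-256 hex digest of a component image (constructed inputs below)."""
    return hashlib.sha256(data).hexdigest()

# Constructed allow-list of known-good component measurements (the "golden" values
# an attestation verifier trusts), keyed by the boot stage that loads them.
KNOWN_GOOD = {
    "bootloader": h(b"bootloader v1.0 (constructed)"),
    "kernel": h(b"kernel v2.6 (constructed)"),
    "hypervisor": h(b"vendor hypervisor 1.2 (constructed)"),
}

# Constructed blocklist in the style of anti-virus signatures: hashes of malware
# that has been seen before.  A never-before-seen component is absent by definition.
AV_SIGNATURES = {h(b"previously seen malware sample (constructed)")}

def extend(register: bytes, measurement_hex: str) -> bytes:
    """Chain one measurement into the register: new = SHA256(old || measurement)."""
    return hashlib.sha256(register + bytes.fromhex(measurement_hex)).digest()

def replay(log) -> str:
    """Recompute the register value from the measurement log (starts at all zeros)."""
    register = bytes(32)
    for _name, digest in log:
        register = extend(register, digest)
    return register.hex()

def attest(log, quoted_register: str):
    """Return a list of findings; an empty list means the platform is in a known-good state.

    Two checks: (1) the log replays to the value the hardware quoted, so the log
    has not been edited or truncated; (2) every measured component is on the
    allow-list, so anything unknown is flagged even without a signature for it.
    """
    findings = []
    if replay(log) != quoted_register:
        findings.append("measurement log does not replay to the quoted register value")
    for name, digest in log:
        if KNOWN_GOOD.get(name) != digest:
            findings.append(f"unexpected measurement for '{name}': {digest[:16]}...")
    return findings

def av_scan(log):
    """Signature-style scan: report only components whose hash is on the blocklist."""
    return [name for name, digest in log if digest in AV_SIGNATURES]

def build_scenarios():
    """Constructed boot logs: a clean machine and one with an unknown hypervisor loaded."""
    clean = [("bootloader", KNOWN_GOOD["bootloader"]),
             ("kernel", KNOWN_GOOD["kernel"])]
    # A component the defender has never seen before, so no signature exists for it.
    unknown = h(b"unknown thin hypervisor (constructed)")
    infected = clean + [("hypervisor", unknown)]
    return clean, infected

if __name__ == "__main__":
    clean, infected = build_scenarios()
    print("clean    | av:", av_scan(clean), "| attest:", attest(clean, replay(clean)))
    print("infected | av:", av_scan(infected), "| attest:", attest(infected, replay(infected)))
    # An attacker who strips their own entry from the log cannot also rewind the
    # hardware register, so the replay check exposes the edit.
    print("stripped | attest:", attest(clean, replay(infected)))
```

The point the example makes is the one in the quote: the blocklist scan reports nothing on the infected log because the hypervisor's hash is not a known signature, while the attestation check flags it purely because it is not on the allow-list, and also catches a log that has been trimmed to hide it. Real attestation additionally relies on the register being held in hardware and the quote being signed, which this toy omits.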

_GetClue
by hylas on Thu 2nd Nov 2006 20:40 UTC
hylas
Member since:
2005-07-10

This is what I'm talking about.

This type of technique is in the wild, I've run into it twice now ... on Macintoshes.
Yes, you read right.
In '97 on a 68k (Quadra), using "inits", and last year, '05 on Xserves and G4s, G5s, using raw disk access and OpenFirmware, and "inits" from Classic.
It gives "owned" an altogether new meaning, it fights back. I've, at times, resorted to screenshots with an external camera.
(Nothing like a _KillPicture in your picts to bounce you into MacsBug)
It is all about (hardware) disks, disk drivers and ports, but not the way you think of them.

For the last 12 months now people have told me "that's impossible", and I show them the printouts, the evidence, the theory/facts (that Ms. Rutkowska just illustrated, rather expertly). The archived disks I have (SCSI, IDE etc.) have, buried in "bad boot blocks", microcode, networking commands and the such.

I've been through the wringer with ... (name) experts, telling me how "absolutely impossible" this is to implement. Covering their asses just long enough to say "if ... please call me", "well, then you'll be vindicated".
I'm not a hardware programmer, but I'm in over my head and know it, but not so much as to see what is obvious.
Why is this so far off the radar?
Denial.
I won't get into a pissing match here.
(clueless users and their cheap shots usually follow).
I mean, really, last year if some people read this interview (with a GIRL, no less) the name calling would be unbelievable.

See:
An Open Challenge to David Maynor and Jon Ellch

http://daringfireball.net/2006/09/open_challenge

Yeah, they're faking this, they'll pull the wool over everyone's eyes and they use 1337 cracker names, so they can prof ... oh, wait.
That's their real names?

H D Moore

http://kernelfun.blogspot.com/2006/11/mokb-starts-mokb-01-11-2006-a...

Ain't hardware great?

I'm just putting this out so folks will look a bit closer and I might get some help, maybe flush out someone else.
Yeah, I NEED this kind of attention.
I got nothing to sell.

I want an expert discussion (not here), with a real expert.

Neat trick?
O-M-G

Ask yourself what the ramifications are (now).

ring0 / EFI

Further:

http://developers.slashdot.org/comments.pl?sid=204213&cid=16690789

_GetClue

hylas

Reply Score: 5

RE: _GetClue
by smitty_one_each on Thu 2nd Nov 2006 20:54 UTC in reply to "_GetClue"
smitty_one_each Member since:
2005-07-07

You don't speculate on evil spirits compiled into the BIOS or whatever they're calling Palladium this week.
Picking up on the metaphor of your first link, computing is better when it resembles chess, as opposed to poker--you could be the pokee.

Reply Score: 1

devtty
Member since:
2006-04-02

In a sense, AV software is making money by using people's fear - sort of like blackmail/extortion

It is also like religions

Reply Score: 2

Regardless.....
by Phloptical on Thu 2nd Nov 2006 22:19 UTC
Phloptical
Member since:
2006-10-10

With virtualization becoming more and more popular I'm sure the AV vendors will find ways of protecting against this type of hack too. Isn't that why conferences like Black Hat even exist? To pick up where the AV guys have left off, for whatever reasons?

Reply Score: 1

RE: Regardless.....
by netpython on Fri 3rd Nov 2006 06:37 UTC in reply to "Regardless....."
netpython Member since:
2005-07-06

To pick up where the AV guys have left off, for whatever reasons?

And you think they tell you everything at those meetings.

Reply Score: 1

RE[2]: Regardless.....
by Phloptical on Fri 3rd Nov 2006 23:28 UTC in reply to "RE: Regardless....."
Phloptical Member since:
2006-10-10

....guess that argument can be made for both parties, for that matter.

I tend not to believe everything I read either....but that's me.

Reply Score: 1