Linked by Thom Holwerda on Sat 11th Mar 2006 21:24 UTC
Privacy, Security, Encryption

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system.
Thread beginning with comment 103667
Not much of a threat
by TechGeek on Sun 12th Mar 2006 17:33 UTC
TechGeek (Member since: 2006-01-14)

OK, this sounds like a big deal, but think about this. The rootkit is going to have to have drivers for all the target hardware. Otherwise something isn't going to work right and then you are going to figure out that you have a rootkit. The whole point of a rootkit is to be stealthy, but who here wouldn't notice pretty quick if your sound started acting funny or you didn't have 3D acceleration anymore? Not to mention FireWire and USB 2 support. I mean, these things don't quite work perfectly in VMware, and you pay for that. Chances of a rootkit getting everything to work without the user noticing: zero.

Reply Score: 1

RE: Not much of a threat
by Mark Williamson on Sun 12th Mar 2006 17:41 in reply to "Not much of a threat"
Mark Williamson (Member since: 2005-07-06)

(NB: haven't read the article / paper yet.)

Well, a "virtual machine" doesn't necessarily have to emulate all the hardware for your system. To hide itself, all a rootkit needs to do is to stash itself in memory somewhere that the CPU can't get to...

If the rootkit can "lift" the OS onto a "fake" memory system, so that it can't access all of memory, then it's impossible for the OS to see the rootkit's code. The OS could still access all its devices *directly*, so it wouldn't notice any difference from its normal hardware.

Reply Parent Score: 1

RE: Not much of a threat
by Ronald Vos on Sun 12th Mar 2006 18:28 in reply to "Not much of a threat"
Ronald Vos (Member since: 2005-07-06)

Remember that the Sony rootkit didn't have drivers for every piece of hardware it could conceivably run on. That would be insane for anyone but a dominant OS vendor. Instead, the Sony RK merely embedded itself into the Windows kernel in a way so that it wouldn't be easily detectable. An RK doesn't need to take over all the hooks into the OS; it merely needs to be able to intercept certain communications to the kernel, and be hidden.

Reply Parent Score: 1