Slashdot Mirror


Microsoft Research Warn About VM-Based Rootkits

Tenacious Hack writes "According to a story on eWeek, lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and maintaining control of a target OS. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system."

13 of 336 comments

  1. I say we take off... by LiquidCoooled · · Score: 5, Funny

    ...and nuke the entire site from orbit.
    It's the only way to be sure.

    Everything I know about rootkits tells me that you cannot detect one from within the running system; you have to be objective (I consider the current fingerprint detection to be working because of bugs in the rootkit implementation, these will be "fixed" over time).

    Keep a known secure boot CD.

    Drain the battery and reset the BIOS, then boot from that CD.
    If there's anything sophisticated enough to bypass this level of paranoia then it can damn well have my credit card number and I'll gladly send spam for them.

    --
    liqbase :: faster than paper
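The "look at the disk from a known-good boot medium" step in the comment above, worked as an added example (not code from the eWeek story, the SubVirt paper, or any commenter): a baseline manifest of SHA-256 digests for boot-critical files is recorded while the system is known clean and kept on the trusted medium; later, booted from that medium with the suspect disk mounted read-only, the same files are re-hashed and compared. The file paths, the manifest format, the mount layout and the tampered grub.cfg are all constructed for illustration, not taken from the page. Running the same check from inside the possibly hoisted OS would prove nothing, which is the commenter's point; the script only shows the out-of-band comparison.

```python
"""Offline integrity check of boot-critical files, run from a trusted boot
medium against a read-only mounted suspect disk.  Added example; the
paths, manifest format and sample tampering are hypothetical."""
import hashlib
import json
import os
import tempfile

# Objects a VM-based rootkit must change so its VMM loads before the OS.
# Paths are illustrative and relative to the mounted suspect root.
BOOT_CRITICAL = ["boot/grub/grub.cfg", "boot/vmlinuz", "boot/initrd.img", "mbr.bin"]


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large kernels/initrds fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, paths=BOOT_CRITICAL):
    """Record digests while the system is known clean (store on the CD)."""
    return {p: sha256_file(os.path.join(root, p)) for p in paths}


def verify_manifest(root, manifest):
    """Compare the mounted suspect root against the baseline.

    Returns {path: 'ok' | 'modified' | 'missing'}.  A 'missing' entry is
    as suspicious as 'modified': a bootloader that was replaced wholesale
    shows up this way."""
    result = {}
    for p, expected in manifest.items():
        full = os.path.join(root, p)
        if not os.path.exists(full):
            result[p] = "missing"
        elif sha256_file(full) != expected:
            result[p] = "modified"
        else:
            result[p] = "ok"
    return result


def demo():
    """Constructed scenario: snapshot a clean tree, then tamper with the
    bootloader config the way a VMBR install would (chainload a VMM first)
    and drop the original initrd.  Returns the verification result."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "boot", "grub"))
        for p in BOOT_CRITICAL:
            with open(os.path.join(root, p), "wb") as f:
                f.write(b"clean contents of " + p.encode())
        # Baseline as it would be written to the trusted medium.
        baseline_json = json.dumps(build_manifest(root))

        # Simulated infection (hypothetical): grub now boots a VMM, the
        # guest OS is started underneath it from a rewritten initrd.
        with open(os.path.join(root, "boot", "grub", "grub.cfg"), "ab") as f:
            f.write(b"\nmenuentry 'vmm' { chainloader /vmm.bin }\n")
        os.remove(os.path.join(root, "boot", "initrd.img"))

        return verify_manifest(root, json.loads(baseline_json))


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:9} {path}")
```

The baseline has to be created and stored before the machine is suspected, and the comparison has to run from media the suspect OS never wrote to; a manifest kept on the suspect disk, or a check run from inside the guest, inherits whatever the rootkit chooses to show.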
    1. Re:I say we take off... by wormeyman · · Score: 2, Funny

      send it to me sir i am of nigerian royalty

    2. Re:I say we take off... by Dunbal · · Score: 5, Funny

      Oh fuck me - the next step is a VM rootkit that flashes the bios to keep a VM rootkit.

      Just remind me when was Skynet supposed to become sentient again?

      --
      Seven puppies were harmed during the making of this post.
    3. Re:I say we take off... by el+americano · · Score: 4, Funny

      "In order to enable this chat toolbar you need to move this jumper from position A to position B. Here's a photo of what it looks like. The factory incorrectly installed this, and it limits the ability of your video card to get full 3D resolution. You don't have to turn off the computer, and it will allow you to run this really cool software. All your myspace friends will love it."

      --
      Those are my principles. If you don't like them I have others. -Groucho Marx
  2. The one thing I hate about Microsoft products... by __aaclcg7560 · · Score: 5, Funny

    You're never sure if this is a feature or a bug. Either way, they will probably charge a subscription fee to get the feature or get rid of the bug.

  3. i've found a way to defeat this by circletimessquare · · Score: 3, Funny

    i've been working on a compromised system to poke for holes in the concept and i hit upon a novel idea. in fact, it's really simple

    all you have to do is-END CARRIER-

    --
    intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
  4. Am I the only one here who saw... by MikeRT · · Score: 4, Funny

    an image of an idiot user taking their computer to a repair shop and the repair person uncovering 500 instances of VMWare running with 1 instance of spyware in each one?

  5. Which is why I like OpenBSD! by martinultima · · Score: 1, Funny

    Microsoft Techie #1: How are we going to get this to work?? Hmm, maybe we can stick this virtual machine monitor here, and then we can trick the highly technical, security-conscious guys who would use the system into giving us root access so we could put it before kernel secure mode is initiated?

    Microsoft Techie #2: Nah, too complicated. Let's just wait until the next default security hole...

    --
    Creative misinterpretation is your friend.
  6. Microsoft start to support linux? by sql_noob · · Score: 2, Funny

    Microsoft start to SUPPORT linux? And start off with a rootkit prototype?

    Man, that is how a friend should be.

  7. The obvious solution is... Windows VISTA! by Seraphnote · · Score: 3, Funny

    The obvious solution is... Windows VISTA!
    Heck the OS is so large any VMBR trying to "hoist" it is going to probably:
    A.) Run out of space (memory or HDD).
    B.) Take so long to hoist the OS, the user will probably reboot thinking their machine's locked up again.
    C.) Cause CowboyNeal to acquire a hernia.

    They (MS) are probably just looking for more selling points for their new BIG baby.

  8. Re:selling Trusted Computing / TPM by kurzweilfreak · · Score: 2, Funny

    Really pisses them off when they go to the theater and then find out they don't own it after paying money, or not being able to take the elephants home from the circus!

    --
    kurzweil_freak
    5th Kyu Genbukan Ninpo/KJJR student
    Be the darkness that allows the light to shine.

  9. Re:Multiple Strains by Linker3000 · · Score: 3, Funny

    You would soon know if you were running multiple Windows Virtual Machines because within minutes of the infection you would receive an email from Microsoft demanding you pay for the additional licences.

    --
    AT&ROFLMAO
  10. *sigh* Oh, sure.... by Trelane · · Score: 2, Funny

    The one time Microsoft ports some of their software to Linux, and it's a rootkit. ;)

    --
    Given enough personal experience, all stereotypes are shallow.