Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Research Warn About VM-Based Rootkits

Posted by ryuzaki0 on from the why-would-you-prove-that-concept? dept.

Tenacious Hack writes "According to a story on eWeek, lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and maintaining control of a target OS. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system."

3 of 336 comments (clear)

  1. Original Paper (i.e., karma whoring) by perlionex · · Score: 4, Informative

    Original Paper

    Abstract

    Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits.

    We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat.

    --
    Gan Family Homepage
  2. Re:I say we take off... by LiquidCoooled · · Score: 5, Informative

    The last motherboard I had was a gigabyte. It contained a Dual Bios system which could recover a user flashed bios back to factory defaults.
    Complete and utter safety in case of a bad flash.
    Heres a small THG article about it.

    You are right about most machines however, it may not be enough unless you can replace the bios.
    For the totally paranoid, take the suspect drive out and put it into a cleanroom machine.

    --
    liqbase :: faster than paper
  3. Re:I say we take off... by Bacon+Bits · · Score: 4, Informative
    If theres anything sophisticated enough to bypass this level of paranoia then it can damn well have my credit card number and I'll gladly send spam for them.
    The payload for the Chernobyl virus wrote zeros to sector 0 of your hard drive (which generally contians partition table information) and also tried to write garbage to any present Flash BIOS. You had to have a manual EEPROM reprogram to recover a so damaged BIOS.

    However, this virus dates back to the innocent days where a virus would just destroy your data or computer, rather than steal your information for profit or turn your PC into another node in some botnet collective.

    --
    The road to tyranny has always been paved with claims of necessity.