Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Research Warn About VM-Based Rootkits

Posted by ryuzaki0 on from the why-would-you-prove-that-concept? dept.

Tenacious Hack writes "According to a story on eWeek, lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and maintaining control of a target OS. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system."

4 of 336 comments (clear)

  1. translation by Anonymous Coward · · Score: 5, Insightful

    You can only be secure if your run hardware with treacherous computing modules installed on the motherboard and in the "approved" CPUs and BIOS chips, and that only works with treacherous computing software, sort of expensive hand in designer glove..

    Kind of a sneaky advertisement, isn't it? Instill terror to sell vendor lockin hardware and operating systems. Maybe even get a law or three passed. They sort of gloss over the "get the rootkit there in the first place" part, don't they?

  2. Re:Why is microsoft researching this? by TheWanderingHermit · · Score: 5, Insightful

    That was my first thought: why is MS researching this? Pure research like this and MS just do not go together.

    Honestly, this sounds like the kind of thing they'll think of so they can use it as a reason that all computers should have DRM build into the chipset, which plays right into MS being able to justify why all systems should follow their boot rules that allow only Vista to run. It's just laying the groundwork to force the exclusion of anything but Vista being able to be booted on future systems.

    This is also the kind of thing that I don't think many black hats would have come up with on their own due to the amount of research. MS continaully says it is irresponsible for people to publish info on exploits in Winodws before they can patch them, yet they've just gone and published what could be one of the nastiest exploits of any OS to date. If they're doing this, it's for a reason, and experience tells us MS's reasons are good for them and bad for everyone else.

  3. Just one problem: by guruevi · · Score: 5, Insightful

    How do you install the rootkit? Yes, you guessed it, through an insecure operating system. This article is imho just another promotion FUD campaign for TCPA.

    If your current operating system and security measures are good enough, such rootkits-with-virtual-machines are not even going to be able to be installed, heck as long as you don't have to login as administrator to print out a document or surf the web, you're pretty safe.

    And as soon as you notice your box could be r00t3d, you take it out anyway and don't trust it. And if you don't notice one of your boxes is generating extra traffic or doing things it shouldn't, you shouldn't have to have admin privileges anyway.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  4. Re:Why is microsoft researching this? by arrrrg · · Score: 5, Insightful

    Pure research like this and MS just do not go together.

    Ummmm ... I'm as fanatical as the next /.er, but come on. Microsoft has plenty of legitimate theoretical research projects going on, just look at research.microsoft.com. And an issue like this one is obviously relevant to them, if they want to get their act together and improve security (or at least the appearence thereof).