Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Research Warn About VM-Based Rootkits

Posted by ryuzaki0 on from the why-would-you-prove-that-concept? dept.

Tenacious Hack writes "According to a story on eWeek, lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and maintaining control of a target OS. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system."

10 of 336 comments (clear)

  1. I say we take off... by LiquidCoooled · · Score: 5, Funny

    ...and nuke the entire site from orbit.
    It's the only way to be sure.

    Everything I know about rootkits tells me that you cannot detect one from within the running system, you have to be objective (I consider the current fingerprint detection to be working because of bugs in the rootkit implimentation, these will be "fixed" over time).

    Keep a known secure boot CD.

    Drain the battery and reset the bios then boot from that cd.
    If theres anything sophisticated enough to bypass this level of paranoia then it can damn well have my credit card number and I'll gladly send spam for them.

    --
    liqbase :: faster than paper
    1. Re:I say we take off... by LiquidCoooled · · Score: 5, Informative

      The last motherboard I had was a gigabyte. It contained a Dual Bios system which could recover a user flashed bios back to factory defaults.
      Complete and utter safety in case of a bad flash.
      Heres a small THG article about it.

      You are right about most machines however, it may not be enough unless you can replace the bios.
      For the totally paranoid, take the suspect drive out and put it into a cleanroom machine.

      --
      liqbase :: faster than paper
    2. Re:I say we take off... by Dunbal · · Score: 5, Funny

      Oh fuck me - the next step is a VM rootkit that flashes the bios to keep a VM rootkit.

            Just remind me when was Skynet supposed to become sentient again?

      --
      Seven puppies were harmed during the making of this post.
  2. The one thing I hate about Microsoft products... by __aaclcg7560 · · Score: 5, Funny

    You never sure if this is a feature or a bug. Either way, they will probably charge a subbscription fee to get the feature or get rid of the bug.

  3. translation by Anonymous Coward · · Score: 5, Insightful

    You can only be secure if your run hardware with treacherous computing modules installed on the motherboard and in the "approved" CPUs and BIOS chips, and that only works with treacherous computing software, sort of expensive hand in designer glove..

    Kind of a sneaky advertisement, isn't it? Instill terror to sell vendor lockin hardware and operating systems. Maybe even get a law or three passed. They sort of gloss over the "get the rootkit there in the first place" part, don't they?

  4. Re:Why is microsoft researching this? by TheWanderingHermit · · Score: 5, Insightful

    That was my first thought: why is MS researching this? Pure research like this and MS just do not go together.

    Honestly, this sounds like the kind of thing they'll think of so they can use it as a reason that all computers should have DRM build into the chipset, which plays right into MS being able to justify why all systems should follow their boot rules that allow only Vista to run. It's just laying the groundwork to force the exclusion of anything but Vista being able to be booted on future systems.

    This is also the kind of thing that I don't think many black hats would have come up with on their own due to the amount of research. MS continaully says it is irresponsible for people to publish info on exploits in Winodws before they can patch them, yet they've just gone and published what could be one of the nastiest exploits of any OS to date. If they're doing this, it's for a reason, and experience tells us MS's reasons are good for them and bad for everyone else.

  5. Just one problem: by guruevi · · Score: 5, Insightful

    How do you install the rootkit? Yes, you guessed it, through an insecure operating system. This article is imho just another promotion FUD campaign for TCPA.

    If your current operating system and security measures are good enough, such rootkits-with-virtual-machines are not even going to be able to be installed, heck as long as you don't have to login as administrator to print out a document or surf the web, you're pretty safe.

    And as soon as you notice your box could be r00t3d, you take it out anyway and don't trust it. And if you don't notice one of your boxes is generating extra traffic or doing things it shouldn't, you shouldn't have to have admin privileges anyway.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  6. Automated BIOS flashing considered harmful. by Anonymous Coward · · Score: 5, Interesting

    My roommate runs a PC repair biz. I've noticed those dual-BIOS mobos. Always felt weird to me. If they want to make sure you have a good BIOS at all times, isn't it cheaper to install ONE bios socket, and send you two chips? Then you'll only swap if you really need to. And the "clean" chip is guaranteed clean because it can't be tampered with when it's not in the computer.

    In any event, programs being able to flash your BIOS without telling you about it is A Very Bad Thing(TM). Disabling BIOS writes except when booted from a floppy would be a start. But at a very bare *minimum*, when the BIOS is modified by anyone or anything, the next time you boot the machine, the BIOS boot routine should throw a warning up on the screen:

    "Your BIOS has been modified since last reboot. If you have not intentionally changed your BIOS, or added new hardware, you should discard these changes. Discard changes? (Y/n)"

    And the code that performs this check, and throws up the error message, should be in a ROM or OTP chip where software can't tamper with it.

  7. Stephen R. Donaldson of all people. by frogstar_robot · · Score: 5, Interesting

    Stephen R. Donaldson wrote the "Gap Series". At one part of the story, the "Data First" of a pirate vessel put a virus in the firmware of one of the pieces of hardware controlling the ship. Even if the ship's computer was reloaded from known good stores, the virus would re-infect the computer. The virus was rigged to totally wipe the ship's computers if a password wasn't entered at specified intervals. Since you couldn't navigate or operate equipment without the computers, this was effective extortion. Billions of miles from home, there was simply no getting back without functional computers.

    The cure was to install known good hardware (itself tricky considering the circumstances) and to reload the ship's computer. The story also featured a kind of WORM device called a "datacore" that every ship had to carry by law. It was a combination flight-recorder and criminal evidence accumulator. Come to think of it, many IT issues were dealt with pretty well in this series. It's worth checking out. The IT issues are essential in certain parts of the story but they aren't the main point.

  8. Re:Why is microsoft researching this? by arrrrg · · Score: 5, Insightful

    Pure research like this and MS just do not go together.

    Ummmm ... I'm as fanatical as the next /.er, but come on. Microsoft has plenty of legitimate theoretical research projects going on, just look at research.microsoft.com. And an issue like this one is obviously relevant to them, if they want to get their act together and improve security (or at least the appearence thereof).