Slashdot Mirror


Undetectable Rootkits Through Virtualization?

techmuse writes "eWeek has an article about a prototype rootkit that is implemented using a virtual machine hypervisor running on top of AMD's Pacifica virtualization implementation. The idea is that the target OS, or software running on it, would not be able to detect the rootkit, because the OS would be running virtualized on top of the rootkit. The prototype is supposed to be demonstrated at the Syscan conference and the Black Hat Briefings over the next month."

9 of 237 comments

  1. Before people start the Windows flamefest by Anonymous Coward · · Score: 4, Informative


    fta:
    Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying operating system. "I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform," she added.

    1. Re:Before people start the Windows flamefest by LiquidCoooled · · Score: 2, Informative

      WTF are you on about, this rides BELOW the operating system.

      It has no feasible way of detecting this because the host OS runs exactly as it did before, completely oblivious that it's not sitting on raw hardware.

      There is no spoon.

      --
      liqbase :: faster than paper
    2. Re:Before people start the Windows flamefest by dextromulous · · Score: 2, Informative
      You would have to be rather closed-minded to think a rootkit would apply only to Windows. From wikipedia:
      The term "rootkit" (also written as "root kit") originally referred to a set of recompiled Unix tools such as "ps", "netstat", "w" and "passwd" that would carefully hide any trace of the intruder that those commands would normally display, thus allowing the intruders to maintain "root" on the system without the system administrator even seeing them.

      Generally now the term is not restricted to Unix-based operating systems, as tools that perform a similar set of tasks now exist for non-Unix operating systems such as Microsoft Windows (even though such operating systems may not have a "root" account).
      --
      There are two types of people in the world: those who divide people into two types and those who don't.
  2. Motherboards already block this... by Manip · · Score: 4, Informative

    Some, albeit high-end, motherboards support a visual warning message that alerts the user to a program, or the OS, trying to modify the boot sector on the hard disk. If you had this enabled it would stop this rootkit dead in its tracks. It's just a shame that more BIOSes / motherboards don't offer this support by default.

    If you have this on your motherboard I highly recommend you turn it on, it isn't too often that you reinstall the OS and pressing F9 isn't that much of an inconvenience even if you did it once a day.

    PS - All of the "My favorite OS is secure" posts below this are wrong if the Operating System supports some type of driver, or root program (running in the kernel's memory space).

    1. Re:Motherboards already block this... by SillyNickName4me · · Score: 4, Informative

      Hmm.. I have quite a pile of system boards here, dating from old 486 systems up to P4 and Athlon XP, with AMI, Award and Phoenix BIOSes, and all of them have the boot sector virus protection option (though sometimes just called virus protection).

      This offers at best a partial protection. While the MBR is important, the actual boot is done from the partition boot record, not the master boot record, and this badly named feature is not going to help against that. Why badly named? Because it does monitor (attempted) changes to the boot record and doesn't know anything about viruses.

      Next, even if you could protect against that, things just get a bit more OS and possibly OS version dependent because you have to move to the file that gets loaded by the partition boot record.

      Oh, quite a few 'boot managers' change the mbr on every boot.

      So while it offers some protection, that protection is extremely limited, and can be quite inconvenient.

  3. Re:the side effects are detectable by Anonymous Coward · · Score: 1, Informative

    If I can see the actual hardware for the video card then I can detect the trojan by DMA. If I get clever enough, I just might be able to remove it.

    Besides, wouldn't I see it by machine total RAM shrinking?

  4. Bah, humbug! by davecb · · Score: 3, Informative

    Exactly the same thing was done using the ancient "cookie monster" program on Multics, long before Unix was even a gleam in T&R's eye.

    The perpetrator created a user-ring instance of a user (a virtual-machine-like process), loaded in the cookie monster, then loaded the command interpreter and handed the result to an unsuspecting user, my boss.

    He searched high and low, never suspecting the program that kept saying "Want cookie!" was down below the shell.

    --dave

    --
    davecb@spamcop.net
  5. Re:The only defense by Charan · · Score: 2, Informative

    All those utilities people pay so much for are worthless! They only detect the known malware, but nobody knows about the undetected hacks.

    One area of active research in intrusion detection looks at detecting malware by examining the behavior of applications. The behavior patterns (network connections, system calls, file accesses, etc.) of a program can be compared against a list of known-bad actions. If a program acts like malware, it's malware, regardless of what vulnerability (known or unknown) compromised it.

    Also, it is possible for some programs to detect when a specific vulnerability is triggered and take preventative action. This will stop previously-unseen exploits from using an established vulnerability to compromise a system. Still, the vulnerability must be discovered first for this to work.

    A technique called anomaly detection seeks to get around this limitation by building a profile of "normal" behavior for a program and flagging any deviant behavior. This still can't catch all malware, since the malware could have the infected application act within its normal boundaries, but it does severely limit what malware can do with a hijacked process. Hopefully, the malware is limited enough that it can't really harm the system.
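    The anomaly-detection approach described in the comment above, as an added example that is not part of the thread: a profile of "normal" behavior is built from short windows (n-grams) of system calls observed while a program runs normally, and a later trace is scored by how many of its windows were never seen. All syscall traces below are constructed; the last one shows the limitation the comment mentions, where malware that stays within the normal pattern is not flagged.

```python
# Added example: syscall n-gram anomaly detection (constructed traces, not real data).
from typing import Iterable, List, Set, Tuple

NGram = Tuple[str, ...]

def build_profile(traces: Iterable[List[str]], n: int = 3) -> Set[NGram]:
    """Collect every length-n window of syscalls from traces of normal runs."""
    profile: Set[NGram] = set()
    for trace in traces:
        for i in range(len(trace) - n + 1):
            profile.add(tuple(trace[i:i + n]))
    return profile

def anomaly_score(trace: List[str], profile: Set[NGram], n: int = 3) -> float:
    """Fraction of windows in `trace` that never occurred during training (0.0 to 1.0)."""
    windows = [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]
    if not windows:
        return 0.0
    unseen = sum(1 for w in windows if w not in profile)
    return unseen / len(windows)

def is_anomalous(trace: List[str], profile: Set[NGram], n: int = 3,
                 threshold: float = 0.2) -> bool:
    """Flag the trace when more than `threshold` of its windows are unseen."""
    return anomaly_score(trace, profile, n) > threshold

# Constructed training traces: a simple file-serving program behaving normally.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["stat", "open", "read", "write", "close"],
]
PROFILE = build_profile(NORMAL_TRACES)

# Constructed test traces.
BENIGN = ["stat", "open", "read", "read", "write", "close"]        # all windows known
HIJACKED = ["open", "read", "socket", "connect", "execve", "write"]  # new behavior
MIMIC = ["open", "read", "write", "close"]  # stays inside the profile: not flagged

if __name__ == "__main__":
    for name, trace in (("benign", BENIGN), ("hijacked", HIJACKED), ("mimic", MIMIC)):
        print(f"{name}: score={anomaly_score(trace, PROFILE):.2f} "
              f"anomalous={is_anomalous(trace, PROFILE)}")
```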

  6. Pacifica doesn't emulate hardware by Nurgled · · Score: 2, Informative

    The goal of the Pacifica technology is to do the virtualization in the hardware to avoid the need to emulate devices. Microsoft's Virtual PC product is forced to emulate a particular network card (an old Intel 10mbit card, if memory serves) and then translate usage of that network card to calls to the NT device drivers for the real network card. Under Pacifica, the virtualized system talks directly to the real network card and the hypervisor software (which runs beneath the OS kernel) co-ordinates the different OS kernels in a similar sense to how the NT kernel co-ordinates multiple applications talking to the network card.

    Since the hypervisor software is essentially "an OS to run OSes on top of", if you can find a way to get some software running in there you can do whatever you want with the "real" OS completely oblivious.