Slashdot Mirror

← Back to Stories (view on slashdot.org)

Undetectable Rootkits Through Virtualization?

Posted by ryuzaki0 on from the two-rooted-plants-die dept.

techmuse writes "eWeek has an article about a prototype rootkit that is implemented using a virtual machine hypervisor running on top of AMD's Pacifica virtualization implementation. The idea is that the target OS, or software running on it, would not be able to detect the rootkit, because the OS would be running virtualized on top of the rootkit. The prototype is supposed to be demonstrated at the Syscan conference and the Black Hat Briefings over the next month."

15 of 237 comments (clear)

  1. Before people start the Windows flamefest by Anonymous Coward · · Score: 4, Informative


    fta:
    Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying operating system. "I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform," she added.

    1. Re:Before people start the Windows flamefest by timeOday · · Score: 5, Insightful
      Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying operating system.
      It's doesn't rely on any bug of the guest operating system, and isn't detectable from the guest operating system. But if something is mitigating access between multiple guest operating systems to hardware, then that thing is itself some sort of minimal operating system, and it is there that the problem lies. As far as the guest operating systems are concerned, this is really more like what would previously have been a hardware hack, in fact it's almost like your healthy computer is running behind a compromised firewall that's sending out the spam or whatever.

      Getting to the point, people act as if virtualization simplifies things, But really it's an additional layer of abstraction and complication, another mass of code and/or hardware to go wrong. Now there will have to be software tools to manange this new underlying minimal OS, and maybe virus/rootkit software. I think the applicability will be limited.

  2. said this before by dknj · · Score: 4, Interesting

    Implementing malware with virtual machines

  3. the side effects are detactable by Anonymous Coward · · Score: 4, Funny

    Current virtualization doesn't virtualize anything but basic VGA graphics. That's certainly noticable.

    Boss asks: are you playing games at work?!

    Me: Just checking for rootkits boss!

  4. Motherboards already block this... by Manip · · Score: 4, Informative

    Some, albeit high end, motherboards support a visual warning message that alerts the user to a program, or the OS trying to modify the boot sector on the hard disk. If you had this enabled it would stop this rootkit dead in its tracks. It's just a shame that more bioses / motherboards don't offer this support by default.

    If you have this on your motherboard I highly recommend you turn it on, it isn't too often that you reinstall the OS and pressing F9 isn't that much of an inconvenience even if you did it once a day.

    PS - All of the "My favorite OS is secure" posts below this are wrong if the Operating System supports some type of driver, or root program (running in the kernels memory space).

    1. Re:Motherboards already block this... by SillyNickName4me · · Score: 4, Informative

      Hmm.. I have quite a pile of system boards here, dating from old 486 systems upto p4 and athlon xp, with ami, award, phoenix and biosses, and all of them have the boot sector virus protection option (tho sometimes just called virus protection).

      This offers at best a partial protection. While the MBR is important, the actual boot is done from the partition boot record, mot the master boot record, and this badly named feature is not going to help against that. Why badly named? because it does monitor (attempted) changes to the bootrecord and doesn't know anything about viruses.

      Next. even if you could protect against that, things just get a bit more OS and possibly OS version dependent because you have to move to the file that gets loaded by the partition bootrecord.

      Oh, quite a few 'boot managers' change the mbr on every boot.

      So while it offers some protection, that protection is extremely limited, and can be quite inconvenient.

  5. This just reinforces the good old principle by A+beautiful+mind · · Score: 5, Insightful

    If your system suffered a successful intrusion, you wipe.

    Of course, there were LKM rootkits (pretty hard to detect) for a good while now, this is just taking it to an all new level.

    I wish the spread of better hidden rootkits on Windows, because only that will further sane security policies and wipe the stupid idea of virus scanners out (when it's doing IDS not IPS). There ain't such thing as 'intrusion removal'. It's like putting on a condom after sex. Oh wait, it's slashdot. Let me rephrase. It is like trying to recover data from /dev/null.

    --
    It takes a man to suffer ignorance and smile
    Be yourself no matter what they say
  6. Not much less detectable by mrcaseyj · · Score: 4, Insightful

    I don't think this changes the situation much. Viruses have always tried to hide. This just requires different methods to detect them. Ultimately some viruses can only be reliably detected by booting off of readonly media. The same now as before. I think OS providers should provide a boot disk for routine scanning as a matter of standard procedure.

  7. Maybe it's time for some new paradigm by supradave · · Score: 4, Insightful

    Perhaps there could be an OS that wouldn't allow malware to be injected through root-trust, signed applications, memory compartmentalization with read, write, execute permissions and 4 privilege levels (instead of 2). Of course, that wouldn't be Windows or Linux or BSD or any other generic OS.

  8. Let's make this a bit easier to understand. by khasim · · Score: 5, Interesting
    I'm sure someone will correct me if I'm wrong but ...

    This is not really different from running WinXP, then installing VMWare Workstation, then installing Win2K in a virtual machine.

    The "host" OS is what gets infected. That would be WinXP. Of course nothing running in the "guest OS (Win2K) would be able to detect it. But ... so what? And that would directly contradict their claim:
    Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying operating system.
    There are only three (3) ways for the "underlying operating system" to be infected.

    #1. Worm
    #2. Virus
    #3. Trojan

    If we aren't talking "nude pictures of celebrities", then it's either a worm or a virus and both of those are bugs in the OS.

    If it's a trojan, then WTF are you doing installing unknown apps on the host OS?

    Now, the only way this would be interesting would be if the worm / virus / trojan installed the virtualization software, moved the existing OS to a virtual machine and faked the names of all the interfaces (NIC, IDE controller, etc). If you can do that, VMWare really wants to talk to you.
  9. Virtualisation used for rootkit-safe environments by grumbel · · Score: 5, Interesting

    Can't the same trick be used to make a rootkit-safe environment? Launch a watchdog application and let that watchdog application launch the real OS in a virtualized environment, as soon as a rootkit wants to fiddle the watchdog application takes notice and there would be no way for the rootkit to either detect or by pass the watchdog. Or even more drastic, launch each (or most) process in a virtualized environment, would probally be a little slow, but should provide a extremly secure OS.

  10. Whoa. Déjà vu. by DysenteryInTheRanks · · Score: 4, Funny

    "A Slashdot article just went by, and then another one that looks just like it!"

    "It's a glitch in the rootkit! It happens when it changes something!"

    "No, I said a SLASHDOT article."

    "Ah, you're probably fine then."

  11. Nothing new, really. by Anonymous Coward · · Score: 5, Insightful

    The fundamental question of systems administration: once you have had a root compromise, what can you do to the machine to get it back up and running, in a known good configuration, with all chances of future compromise as a result of the initial compromise removed?

    Answer: either compare the system (booted from known good media) to a known good set of files, or reinstall from known good media.

    There's no other answer. Any tools you run on the compromised system are by definition suspect; they might be good, or they might be compromised. You have no way of knowing; anything they tell you is suspect. Even if you have tool binaries that you know are good, you don't know that the data they're gathering reflects reality or has been altered to give you a wrong impression.

    So the fact that this software is undetectable doesn't really change anything; you're still finding out about the compromise through unusual activity, so that's 'status quo'. The only thing that's different is the layer that's compromised.

    The interesting question is how the software gets in place in the first instance to compromise the system. The answer is that it was run as root (or administrator, or supervisor, or whatever the super-user is called). How did it get root privileges? Two possible answers: (1) a flaw in the OS (defined as the kernel, and any processes running with root privileges); or (2) the end user ran it somehow as root.

    In the first case, it's the standard security problem. The OS is flawed; anything can get root. That's a bug. In the second case, it's end user stupidity. Nothing you run as an end user should require root privileges. (If the OS is designed in such a way that you do, again, that's a flaw in the OS. If the application expects it when it doesn't really need it, that's a bug in the application, and the vendor should be shot.)

    So there's another layer the rootkit can hide in. Be still, my beating heart! This is, and remains, nothing fundamentally new.

  12. Re:The only defense by jthill · · Score: 4, Funny

    You just think you're booting off that DVD.

    --
    As always, all IMO. Insert "I think" everywhere grammatically possible.
  13. Think about what it means if they're right. by khasim · · Score: 4, Insightful

    I don't think they're right. Look at page 3 where they have their diagram showing the VMM in direct contact with the hardware.

    Here's a simple test to see if they're right.

    Put in a NIC that your host OS does not have drivers for. Your host OS will not be able to connect to the network. Now, if the virtual machine in their example can access the network, then they're correct.

    There's no end of hype for "threats" that never seem to materialize (or are vastly over-stated). If they can do what their diagrams indicate, then this would revolutionize the computer industry. I really mean that.

    For example, you would NEVER again have any problem with wireless networking under Linux. Or sound. Or any peripheral. Or hardware accelerated video. No more nVidia drivers needed! The VMM handles it for you!

    So, no, I don't believe that what they claim is actually what they can deliver.