Joanna Rutkowska Discusses VM Rootkits

Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"

Yes, but how do you get mature technology.

[mmell]

It starts as immature technology. Sure, you work with it in a lab for as long as you're able, but at some point you have to expose your work for all to see (and hammer away at).

In software, we used to have a saying, "No program is ever complete, but it has to go to market sooner or later."

Re:In a business enviroment

[shawnce]

I would say that few, very few are actually using the hardware virtualization.

That is not her point. It doesn't matter if software does or not exist exists that uses the capabilities of the hardware.. the issues is that operating systems are running on hardware that has virtualization capabilities built-in but the operating system aren't really tooled to properly secure this capability to prevent it being used to subvert the operating system.

Re:been around forever

[AKAImBatman]

I guess this 'expert' doesn't realize that virtualization in hardware has been with us since the 80386 first came around.

Virtual 8088 mode was not comparable. The 8088 virtual machine was entirely controlled by the 80386 software, and was not able to affect the 80386 in any dangerous fashion. The best one could have done was build an 80386 program to "rootkit" an 8088 Operating System. Considering that the OSes of the day (e.g. DOS) didn't have security to begin with, I'm not sure what you would have gained.

Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

Of course, the Blue Pill may work a bit different. I haven't studied it. But there is at least a potential for abuse here.

Virtualization has been around much longer

[njdj]

Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early

Virtualization was used in commercial machines as long ago as the early 1970s - IBM's VM/370 product was announced in 1972. The amount of hardware assistance for the virtualization depended on the 370 model. But this was the same kind of virtualization as recently introduced by Intel. You could run multiple different IBM operating systems under VM/370, and you could even run VM/370 under VM/370.

I'd hit it like the fist from an angry god!

[adolfojp]

You are missing the point guys! I don't know who she is or what she is selling but if she is a geek and looks like this
http://common.ziffdavisinternet.com/util_get_image /13/0,1425,sz=1&i=135407,00.jpg
http://static.flickr.com/66/206241643_d48861f49c.j pg
I am subscribing to her newsletter. ;-)

Re:I'd hit it like the fist from an angry god!

Yeah, I'd root her box, all right. Penetrate her firewall. Invade her deep logic. Assert administrative privileges and disable all virus protection. Reconfigure her RAID array with a dedicated controller. Put new batteries in her UPS. ... Wait, what were we talking about?

Kernel holes, not virtualization, are the problem.

[Animats]

Before an attack can install something like "Blue Pill", it has to be running in kernel mode. At that point, it already has full control of the machine. The only question is what to do with that control. Installing a hypervisor underneath the OS is kind of neat, but there are lots of other things to do.

What this does demonstrate is that after-the-fact malware detectors are a dead end.

There's a great comment in the article:

The solution (includes) checking all the possible "dynamic hooking places" in kernel data sections.

(This) is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.

In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger).

Now that's a big part of the problem - Microsoft's use of "dynamic hooking", or places where user code can insert callbacks which privileged code might access, is so messed up that security researchers can't even find all the places where it is allowed. "Dynamic hooking" is really a lame method of interprocess communication left over from the DOS version of Windows. It should never have made it into NT/W2000/XP/etc.

There's less of a temptation to do this in open source operating systems, since, if you really need to legitimately add a feature, you can put it in the source, rather than tapping into some binary. The Linux netfilter/ipchains mechanism offers a "dynamic hooking" attack vector into the kernel, though, so Linux isn't immune to attacks of this type.