Slashdot Mirror


Joanna Rutkowska Discusses VM Rootkits

Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created the 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"

4 of 105 comments

  1. Yes, but how do you get mature technology? by mmell · · Score: 4, Insightful
    It starts as immature technology. Sure, you work with it in a lab for as long as you're able, but at some point you have to expose your work for all to see (and hammer away at).

    In software, we used to have a saying, "No program is ever complete, but it has to go to market sooner or later."

  2. I'd hit it like the fist from an angry god! by adolfojp · · Score: 4, Insightful

    You are missing the point guys! I don't know who she is or what she is selling but if she is a geek and looks like this
    http://common.ziffdavisinternet.com/util_get_image/13/0,1425,sz=1&i=135407,00.jpg
    http://static.flickr.com/66/206241643_d48861f49c.jpg
    I am subscribing to her newsletter. ;-)

    1. Re:I'd hit it like the fist from an angry god! by Anonymous Coward · · Score: 4, Funny

      Yeah, I'd root her box, all right. Penetrate her firewall. Invade her deep logic. Assert administrative privileges and disable all virus protection. Reconfigure her RAID array with a dedicated controller. Put new batteries in her UPS. ... Wait, what were we talking about?

  3. Kernel holes, not virtualization, are the problem. by Animats · · Score: 4, Interesting

    Before an attack can install something like "Blue Pill", it has to be running in kernel mode. At that point, it already has full control of the machine. The only question is what to do with that control. Installing a hypervisor underneath the OS is kind of neat, but there are lots of other things to do.

    What this does demonstrate is that after-the-fact malware detectors are a dead end.

    There's a great comment in the article:

    The solution (includes) checking all the possible "dynamic hooking places" in kernel data sections.

    (This) is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.

    In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger).

    Now that's a big part of the problem - Microsoft's use of "dynamic hooking", or places where user code can insert callbacks which privileged code might access, is so messed up that security researchers can't even find all the places where it is allowed. "Dynamic hooking" is really a lame method of interprocess communication left over from the DOS version of Windows. It should never have made it into NT/W2000/XP/etc.

    There's less of a temptation to do this in open source operating systems, since, if you really need to legitimately add a feature, you can put it in the source, rather than tapping into some binary. The Linux netfilter/ipchains mechanism offers a "dynamic hooking" attack vector into the kernel, though, so Linux isn't immune to attacks of this type.
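The "check all the dynamic hooking places" approach quoted in the comment above, as an added example that is not code from the article, from Rutkowska, or from anyone in this thread. It models one hooking place (a kernel dispatch table such as the SSDT) as a table of function pointers and applies the two checks an anti-rootkit tool typically runs over such a table: does each target still lie inside the code range of the module that legitimately owns the table, and does it still match a baseline snapshot taken when the system was trusted. Every address, range and table below is constructed for illustration; the module name, the table name and the layout are hypothetical and imply nothing about any real kernel.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: audit of one "dynamic hooking place". All data is
 * constructed; no real kernel layout or symbol is implied. */

/* The legitimate owner of a dispatch table: the code range its
 * entries are expected to point into. */
typedef struct {
    const char *name;
    uint64_t text_start;
    uint64_t text_end;      /* exclusive */
} module_range;

/* One hooking place, plus a baseline snapshot of its contents taken
 * at a time the system was believed to be clean. */
typedef struct {
    const char *name;
    const module_range *owner;
    const uint64_t *live;       /* contents of the table now */
    const uint64_t *baseline;   /* contents at snapshot time (may be NULL) */
    size_t count;
} hook_table;

enum {
    HOOK_CLEAN        = 0,
    HOOK_OUT_OF_RANGE = 1 << 0, /* target is outside the owner's code: foreign code hooked in */
    HOOK_CHANGED      = 1 << 1  /* target differs from the baseline, even if still in range */
};

/* Classify entry i of table t as a bitmask of the findings above. */
int audit_entry(const hook_table *t, size_t i)
{
    int findings = HOOK_CLEAN;
    uint64_t target = t->live[i];

    if (target < t->owner->text_start || target >= t->owner->text_end)
        findings |= HOOK_OUT_OF_RANGE;
    if (t->baseline != NULL && target != t->baseline[i])
        findings |= HOOK_CHANGED;
    return findings;
}

/* Audit a whole table, print each finding, return how many entries were flagged. */
size_t audit_table(const hook_table *t)
{
    size_t flagged = 0;
    for (size_t i = 0; i < t->count; i++) {
        int f = audit_entry(t, i);
        if (f == HOOK_CLEAN)
            continue;
        flagged++;
        printf("%s[%zu] -> 0x%llx:%s%s\n", t->name, i,
               (unsigned long long)t->live[i],
               (f & HOOK_OUT_OF_RANGE) ? " outside " : " inside ",
               (f & HOOK_CHANGED) ? "owner, differs from baseline" : "owner");
    }
    return flagged;
}

/* Constructed data: a hypothetical kernel image and a five-entry dispatch table. */
static const module_range kernel_text = {
    "kernel", 0xFFFFF80000400000ULL, 0xFFFFF80000A00000ULL
};

static const uint64_t ssdt_baseline[5] = {
    0xFFFFF80000412340ULL, 0xFFFFF80000412560ULL, 0xFFFFF80000418800ULL,
    0xFFFFF8000041A0C0ULL, 0xFFFFF80000420010ULL
};

/* Live copy: entry 1 redirected into a third-party driver image (out of range),
 * entry 3 redirected to another address inside the kernel (in range but changed). */
static const uint64_t ssdt_live[5] = {
    0xFFFFF80000412340ULL, 0xFFFFF88001234000ULL, 0xFFFFF80000418800ULL,
    0xFFFFF800009F0000ULL, 0xFFFFF80000420010ULL
};

static const hook_table ssdt = { "ssdt", &kernel_text, ssdt_live, ssdt_baseline, 5 };

/* Run the audit over the constructed table; returns the number of flagged entries. */
size_t audit_constructed_ssdt(void)
{
    return audit_table(&ssdt);
}

int main(void)
{
    size_t n = audit_constructed_ssdt();
    printf("%zu of %zu entries flagged\n", n, ssdt.count);
    return 0;
}
```

The range check catches the common case of a table entry pointing into a driver that should not be there; the baseline check catches a redirect that stays inside the owning module. Both share the weaknesses the comment and the quoted article are getting at: the baseline is only as good as the moment it was taken, which is exactly what an attacker already in kernel mode can arrange, and an inline patch of the target function's first bytes, or a hook in a place that is not on the list at all, is invisible to this audit.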