VM Rootkits: The Next Big Threat?

Damn, and I thought I would be safe now, actually surfing with vmware..
but noticed a hook.dll in lots of processes.
But the hook in Vmware is nothing dangerous.

 

This is similar to the *blue pill* topic that have spawned a bit everywhere in there forum.

This thread is also the continuation of that other one:
https://www.wilderssecurity.com/showthread.php?p=809085#post809085

in wich Mrkvonic Posted:

SO the subject look confusing.
This is NOT an idea of rootkit that goes outside the virtual machine and infect the host.

This is the idea of a rootkit that infect the host then .... secretly without you being able to see it launch the host as a virtual machine.

Basicly the whole Host and security app live inside a virtual machine created by the rootkit. Application inside this machine cannot see the outside ... so they cannot see the rootkit.

 

Actually....if you'll look at the post above yours you'd notice this thread was started almost 5 months ago and the duplicate thread you linked to was ~5 months later

 

Hi,
sorry about that Bubba, this subject has been currant with me at the moment via a talk I gave on this subject, many fingers in pies as the expression goes, and remembered I had that link knocking about to that article which I felt was easy on the reading/understanding - as a start to a discussion. Didnt realise it was five months ago thou time flies
I DO search here, but unfortunetly that one past me by! - sorry ronjor.

 

No problem what so ever as it's still a good topic to discuss

 

How can something from within a virtual machine program come out and attack the host operating system? Aren't they separate from each other, the guest and the host OS?

 

I think many of us feel safe in a tightly configured state running VM but with something such as this...
what you thought was configured may not be and...


I've had Qs obviously, about whether any av is detecting this.
Has this been discussed? Not necessary av.

@nadirah (please forgive if this does not read correctly, my english, I hope you get the jist)
The idea is to take malicious code and subvirt it from your os. This is achieved through the creation of an additional 'layer,' a VMMonitor, between the os and your hardware. This is when control is lost, bypassed through the VMMonitor.
Then the new normality launches another os where the malicious code is executed!
This malicious progam is then in direct contact with the hardware and undetectable by the users os

 

Not looking good:
http://www.bluetack.co.uk/forums/index.php?showtopic=14935

 

Backdoor.Rustock, you can read more about this at Symantec and F-Secure.
Theres alot of infections that can circumnavigate detectors, this one hides in alternative data streams which are further hidden via a rootkit.
It is now detectable, although its a constant battle with well know rootkit scanners such as F-Secures blacklight.
That is why when time permits I'm playing with the system virginity verifier (svv) source. The different versions produced with this source will be harder to beat.
Anyway there are a few exploits now which are very nasty

 

I don't think the biggest threat is the attacks on already installed VM software, such as VMware. I think the biggest threat is rootkit software using similar technology to VMware that installs a rootkit between the hardware and os.

I think this is the idea behind the 'blue pill' software that there is soo much hype about.

 

alch :

Thats right...

alch :

Yes JRutkowska ran with it and pushed it further http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html