Wilders Security Forums  

#1 ronjor, Global Moderator (Texas), March 11th, 2006, 09:21 PM
VM Rootkits: The Next Big Threat?

Quote:
Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.
Story
#2 SystemJunkie, Resident Conspiracy Theorist (Germany), March 12th, 2006, 12:33 PM

Damn, and I thought I would be safe now, actually surfing with VMware..
but noticed a hook.dll in lots of processes.
But the hook in VMware is nothing dangerous.
#3 f3x, Frequent Poster (Montreal, Quebec), August 1st, 2006, 04:40 PM

This is similar to the *blue pill* topic that has spawned a bit everywhere in the forum.

This thread is also the continuation of that other one:
http://www.wilderssecurity.com/showt...085#post809085

in which Mrkvonic posted:

Quote:
Hello,
The Next Big Scare I would call it.
It says to plant the rootkit you need to execute code ... wow, really. Execute code on a computer?
OK, let's say someone executes this code - and infects his virtual machine operating system (from within the virtual machine, I believe). All the user has to do is delete the machine and start over. Very ... simple. But if the rootkit affects the virtualization software, then it infects the actual host, and in that case, we're back to the good old basic getting yourself infected thingie. Nothing new or special. Just another possibility of getting creamed.
But running code on a computer ... that's new.
Mrk

So the subject looks confusing.
This is NOT an idea of a rootkit that goes outside the virtual machine and infects the host.

This is the idea of a rootkit that infects the host, then ... secretly, without you being able to see it, launches the host as a virtual machine.

Basically the whole host and security apps live inside a virtual machine created by the rootkit. Applications inside this machine cannot see the outside ... so they cannot see the rootkit.
#4 Bubba, Global Moderator, August 1st, 2006, 04:45 PM

Quote:
Originally Posted by f3x
This thread is also the continuation of that other one:
http://www.wilderssecurity.com/showt...085#post809085
Actually... if you'll look at the post above yours you'd notice this thread was started almost 5 months ago, and the duplicate thread you linked to was ~5 months later.
#5 Meriadoc, Very Frequent Poster (Cymru), August 1st, 2006, 07:05 PM

Hi,
sorry about that Bubba, this subject has been current with me at the moment via a talk I gave on this subject, many fingers in pies as the expression goes, and I remembered I had that link knocking about to that article, which I felt was easy on the reading/understanding, as a start to a discussion. Didn't realise it was five months ago though, time flies.
I DO search here, but unfortunately that one passed me by! - sorry ronjor.
#6 Bubba, Global Moderator, August 1st, 2006, 07:59 PM

Quote:
Originally Posted by Meriadoc
Hi,
sorry about that Bubba
No problem what so ever as it's still a good topic to discuss
#7 nadirah, Massive Poster, August 4th, 2006, 01:22 PM

How can something from within a virtual machine program come out and attack the host operating system? Aren't they separate from each other, the guest and the host OS?
#8 Meriadoc, Very Frequent Poster (Cymru), August 5th, 2006, 08:19 AM

Quote:
SubVirt/VMMonitor

Quote:
Damn, and I thought I would be safe now
I think many of us feel safe in a tightly configured state running VM but with something such as this...
what you thought was configured may not be and...


I've had Qs obviously, about whether any av is detecting this.
Has this been discussed? Not necessary av.

@nadirah (please forgive if this does not read correctly, my English, I hope you get the gist)
The idea is to take malicious code and subvirt it from your OS. This is achieved through the creation of an additional 'layer,' a VMMonitor, between the OS and your hardware. This is when control is lost, bypassed through the VMMonitor.
Then the new normality launches another OS where the malicious code is executed!
This malicious program is then in direct contact with the hardware and undetectable by the user's OS.
#9 Longboard, Massive Poster (Sydney, Australia), August 11th, 2006, 08:55 AM

Not looking good:
http://www.bluetack.co.uk/forums/ind...howtopic=14935
#10 Meriadoc, Very Frequent Poster (Cymru), August 11th, 2006, 03:17 PM

Quote:
Not looking good:
Backdoor.Rustock; you can read more about this at Symantec and F-Secure.
There's a lot of infections that can circumnavigate detectors; this one hides in alternate data streams which are further hidden via a rootkit.
It is now detectable, although it's a constant battle with well-known rootkit scanners such as F-Secure's BlackLight.
That is why when time permits I'm playing with the System Virginity Verifier (SVV) source. The different versions produced with this source will be harder to beat.
Anyway there are a few exploits now which are very nasty.
#11 alch, Infrequent Poster, September 8th, 2006, 06:53 PM

I don't think the biggest threat is the attacks on already installed VM software, such as VMware. I think the biggest threat is rootkit software using similar technology to VMware that installs a rootkit between the hardware and OS.

I think this is the idea behind the 'blue pill' software that there is so much hype about.
#12 Meriadoc, Very Frequent Poster (Cymru), September 9th, 2006, 03:21 AM

alch:
Quote:
I don't think the biggest threat is the attacks on already installed VM software, such as VMware.
That's right...
Quote:
The idea is to take malicious code and subvirt it from your OS. This is achieved through the creation of an additional 'layer,' a VMMonitor, between the OS and your hardware
alch:
Quote:
I think this is the idea behind the 'blue pill' software that there is so much hype about.
Yes, J. Rutkowska ran with it and pushed it further: http://theinvisiblethings.blogspot.c...blue-pill.html
Quote:
How does the Blue Pill-based malware relate to the SubVirt rootkit, presented a few months ago by Microsoft Research and University of Michigan? Well, there are a couple of important differences...
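The rootkit-under-the-OS model laid out in f3x's post #3 and Meriadoc's post #8, and the Blue Pill question in posts #11 and #12, reduce to one practical test: can code running inside the (now virtualised) OS tell that a VMM has been slid underneath it? The following is an added example written for this thread; it is not code from the forum, from the SubVirt paper or from the Blue Pill author. It implements the two standard user-space checks on x86: the CPUID "hypervisor present" flag (leaf 1, ECX bit 31, plus the vendor string in leaf 0x40000000) and the CPUID instruction timing, since CPUID forces a VM exit and so costs many more TSC cycles under a VMM than on bare metal. The 500-cycle threshold, the 32-sample count and all function names are assumptions chosen for illustration; on a non-x86 build the hardware probe compiles to a stub and only the pure helpers run. The caveat the thread is really about is written into the code: a hostile VMM can intercept CPUID and return a clean leaf 1, and can hide the exit cost by offsetting or virtualising the TSC, so a clean result is evidence of nothing.

```c
/*
 * Added example (not from the thread): user-space hypervisor detection.
 *
 *  1. CPUID leaf 1, ECX bit 31 is reserved by Intel/AMD as "hypervisor
 *     present"; cooperative VMMs set it and publish a 12-byte vendor
 *     string across EBX:ECX:EDX of leaf 0x40000000.
 *  2. CPUID always causes a VM exit, so its TSC cost under a VMM is an
 *     order of magnitude above bare metal.
 *
 * Caveat: a malicious VMM (SubVirt/Blue Pill class) can clear the flag
 * and mask the timing, so "nothing found" does not mean "no VMM".
 * The pure helpers take raw register/timing values so they can be
 * exercised with constructed input; only probe_hypervisor() touches
 * the real CPU.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

#define CPUID_HV_PRESENT_BIT   (1u << 31)   /* leaf 1, ECX */
#define CPUID_HV_VENDOR_LEAF   0x40000000u
#define VMEXIT_CYCLE_THRESHOLD 500ull       /* assumption: bare-metal CPUID is ~100-200 cycles */
#define TIMING_SAMPLES         32           /* assumption: enough to find a quiet iteration */

/* Pure: does leaf 1 ECX advertise a hypervisor? */
int cpuid_advertises_hypervisor(uint32_t leaf1_ecx)
{
    return (leaf1_ecx & CPUID_HV_PRESENT_BIT) != 0;
}

/* Pure: decode the vendor string stored little-endian in EBX:ECX:EDX of
 * leaf 0x40000000 (e.g. "VMwareVMware", "KVMKVMKVM", "Microsoft Hv"). */
void cpuid_decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    uint32_t regs[3] = { ebx, ecx, edx };
    for (size_t r = 0; r < 3; r++)
        for (size_t i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

/* Pure: given per-iteration CPUID cycle counts, judge by the minimum
 * (the sample least disturbed by interrupts and cache effects). */
int timing_suggests_vmm(const uint64_t *cycles, size_t n, uint64_t threshold)
{
    if (n == 0) return 0;
    uint64_t best = cycles[0];
    for (size_t i = 1; i < n; i++)
        if (cycles[i] < best) best = cycles[i];
    return best > threshold;
}

#if HAVE_X86_CPUID
static uint64_t time_one_cpuid(void)
{
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);     /* serialising, and an unconditional VM exit */
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#endif

/* Runs both checks on the real CPU. Returns a bitmask: 1 = CPUID flag set,
 * 2 = timing above threshold. Fills vendor[] when the flag is set. */
int probe_hypervisor(char vendor[13])
{
    int result = 0;
    vendor[0] = '\0';
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (cpuid_advertises_hypervisor(c)) {
        result |= 1;
        __cpuid(CPUID_HV_VENDOR_LEAF, a, b, c, d);
        cpuid_decode_hv_vendor(b, c, d, vendor);
    }
    uint64_t samples[TIMING_SAMPLES];
    for (size_t i = 0; i < TIMING_SAMPLES; i++)
        samples[i] = time_one_cpuid();
    if (timing_suggests_vmm(samples, TIMING_SAMPLES, VMEXIT_CYCLE_THRESHOLD))
        result |= 2;
#endif
    return result;
}

int main(void)
{
    char vendor[13];
    int r = probe_hypervisor(vendor);
    printf("CPUID hypervisor flag: %s%s%s\n", (r & 1) ? "set" : "clear",
           vendor[0] ? ", vendor " : "", vendor);
    printf("CPUID timing: %s\n",
           (r & 2) ? "consistent with a VM exit" : "in the bare-metal range");
    if (r == 0)
        puts("no evidence of a VMM (which a hostile VMM can arrange)");
    return 0;
}
```

Run it once on bare metal and once inside VMware or KVM to see both checks flip; then note that neither check is under the guest's control, which is exactly why the thread's question "is any AV detecting this?" has no comfortable answer from inside the guest.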
 

All times are GMT -4.


Powered by vBulletin® Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Copyright ©2002 - 2013, Wilders Security Forums