Virtualizing rootkits and the future of system security

Discussion in 'malware problems & news' started by manar58, Nov 11, 2011.

Thread Status:
Not open for further replies.
  1. manar58

    manar58 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    75
    http://www.linuxpromagazine.com/Issues/2008/90/Virtualizing-Rootkits
    Mon respect a mr jmonge q je salut....:D :D :D
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Brought back a Lot of memories from the RK heyday ;) Blue/Red Pill, SubVert etc. Ahh those were the days :)

    Anyway as always, that stuff has to gain access in the 1st place to do it's dirty deeds so, If your names not down, you're Not coming in :D
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    As CR said, yeah, gotta get access to begin with.

    And nothing is always going to be undetectable. I believe the issues with the Blue/Red pill was that (though it had never been tested) it was believed a timing attack could detect it.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It always comes back to the same story. If the initial code can't execute, it's not a problem. When the code can execute, all bets are off.
     
  5. wat0114

    wat0114 Guest

    Right, but even more so if it executes with administrative rights. Run as a Standard user and the risks are mitigated substantially.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Not really. Yes, malware has a harder time with "run silent, run deep", but I can still spy on your purchasing and so forth. I can still phish you, hell, I can do that in Linux. I can still trick you into downloading a rogue app, and, I believe though am not certain, I can still put you out of work with ransomware. The key here is not whether you're running as Admin or, what I like to call "Limited Usability Account", but that you run something, anything that forbids execution of anything not already on your disk that is clean, or isn't on some whitelist.

    Trying to do less damage is not the way to deal with security. Doing no damage is where it's at.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's the difference between between our views. I don't trust containment as a primary defense, or Microsofts built in security to effectively enforce it. Trying to contain malicious code or its effects after it runs is little more than damage control. Damage control is only necessary when you can't prevent the problem. IMO, it's not a realistic front line defense. I can't count how many times we've gone around this same circle. "Malicious code breaks this, bypasses that, escapes from this, etc". Patch, repeat. Don't people ever get tired of this arms race?
     
    Last edited: Nov 12, 2011
  8. wat0114

    wat0114 Guest

    Actually, I never stated it was a primary defense, only that running as a Standard user mitigates substantially the risks, which it undeniably does.

    BTW, you might be underestimating the abilities of what's built-in to the O/S as a means to enforce security. The screen cap is a prime example of an attempt to launch an executable - with Applocker fully disbabled I might add - in a Standard Users account with certificate policies enforced in Group Policy settings. No anti-executable, nor denying an UAC alert is even required to prevent the logger from executing. Of course I don't recomend running with only these defenses in place, only that I'm trying to illustrate how effective some carefully placed system hardening can be. Obviously we want to prevent the malware from executing in the first place, and doing so primarily by utilizing what's already built-in, makes the malware's attempts to spring into action a very non-trivial matter.
     

    Attached Files:

  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I don't think anyone can deny the significant advantages of SUA.
     
  10. wat0114

    wat0114 Guest

    Maybe not, but only 4-5 yrs ago I viewed it with contempt :)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I mean, I'd never use it lol but it's obviously going to cripple malware/ exploits.
     
  12. wat0114

    wat0114 Guest

    Oh, I see, but it has a good chance of stopping it as well. You meant that I guess :oops:
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yes, it can outright break malware.
     
  14. wat0114

    wat0114 Guest

    Right, I edited my previous comment ;)
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Makes sense. We have VM aware applications all of the time and those emulate a hell of a lot. As the article points out the VM/VirtualKit would have to emulate everything perfectly to be undetectable.

    If it emulates everything it'll have bugs and will probably be huge.
    If it emulates only parts it'll be possible to see that some parts aren't.
     
Loading...
Thread Status:
Not open for further replies.