Virtualizing rootkits and the future of system security

Discussion in 'malware problems & news' started by manar58, Nov 11, 2011.

Thread Status:
Not open for further replies.
  1. manar58

    manar58 Registered Member

    Joined:
    Sep 22, 2011
    Posts:
    75
    http://www.linuxpromagazine.com/Issues/2008/90/Virtualizing-Rootkits
    My respects to Mr jmonge, whom I greet....:D :D :D
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    Brought back a Lot of memories from the RK heyday ;) Blue/Red Pill, SubVert etc. Ahh those were the days :)

    Anyway as always, that stuff has to gain access in the 1st place to do its dirty deeds so, if your name's not down, you're Not coming in :D
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    As CR said, yeah, gotta get access to begin with.

    And nothing is always going to be undetectable. I believe the issues with the Blue/Red pill were that (though it had never been tested) it was believed a timing attack could detect it.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It always comes back to the same story. If the initial code can't execute, it's not a problem. When the code can execute, all bets are off.
     
  5. wat0114

    wat0114 Guest

    Right, but even more so if it executes with administrative rights. Run as a Standard user and the risks are mitigated substantially.
     
  6. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    Not really. Yes, malware has a harder time with "run silent, run deep", but I can still spy on your purchasing and so forth. I can still phish you, hell, I can do that in Linux. I can still trick you into downloading a rogue app, and, I believe though am not certain, I can still put you out of work with ransomware. The key here is not whether you're running as Admin or, what I like to call "Limited Usability Account", but that you run something, anything that forbids execution of anything not already on your disk that is clean, or isn't on some whitelist.

    Trying to do less damage is not the way to deal with security. Doing no damage is where it's at.
     
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That's the difference between our views. I don't trust containment as a primary defense, or Microsoft's built-in security to effectively enforce it. Trying to contain malicious code or its effects after it runs is little more than damage control. Damage control is only necessary when you can't prevent the problem. IMO, it's not a realistic front line defense. I can't count how many times we've gone around this same circle. "Malicious code breaks this, bypasses that, escapes from this, etc". Patch, repeat. Don't people ever get tired of this arms race?
     
    Last edited: Nov 12, 2011
  8. wat0114

    wat0114 Guest

    Actually, I never stated it was a primary defense, only that running as a Standard user mitigates substantially the risks, which it undeniably does.

    BTW, you might be underestimating the abilities of what's built-in to the O/S as a means to enforce security. The screen cap is a prime example of an attempt to launch an executable - with Applocker fully disabled I might add - in a Standard User account with certificate policies enforced in Group Policy settings. No anti-executable, nor denying a UAC alert is even required to prevent the logger from executing. Of course I don't recommend running with only these defenses in place, only that I'm trying to illustrate how effective some carefully placed system hardening can be. Obviously we want to prevent the malware from executing in the first place, and doing so primarily by utilizing what's already built-in, makes the malware's attempts to spring into action a very non-trivial matter.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I don't think anyone can deny the significant advantages of SUA.
     
  10. wat0114

    wat0114 Guest

    Maybe not, but only 4-5 yrs ago I viewed it with contempt :)
     
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I mean, I'd never use it lol but it's obviously going to cripple malware/ exploits.
     
  12. wat0114

    wat0114 Guest

    Oh, I see, but it has a good chance of stopping it as well. You meant that I guess :oops:
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Yes, it can outright break malware.
     
  14. wat0114

    wat0114 Guest

    Right, I edited my previous comment ;)
     
  15. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Makes sense. We have VM aware applications all of the time and those emulate a hell of a lot. As the article points out the VM/VirtualKit would have to emulate everything perfectly to be undetectable.

    If it emulates everything it'll have bugs and will probably be huge.
    If it emulates only parts it'll be possible to see that some parts aren't.
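As an added illustration (not code from the thread or from any of its posters) of the timing check Hungry Man mentions in post 3 and the "can't emulate everything" point in post 16: CPUID always traps to a hypervisor, so a hidden hypervisor that intercepts it cannot make the instruction as cheap as bare metal, and a stealth one will also hide the self-reporting bit that a cooperative hypervisor sets. The cycle threshold is an assumption to be calibrated per machine; it builds with GCC/clang on x86 and reports "unsupported" elsewhere.

```c
/* Added example: cross-check CPUID cost against the hypervisor-present bit.
 * Assumes GCC/clang intrinsics on x86; threshold is a per-machine guess. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Smallest TSC delta over `rounds` executions of CPUID leaf 0.
 * The minimum filters out interrupt noise. Returns 0 when not on x86. */
uint64_t min_cpuid_cycles(int rounds) {
#if HAVE_X86
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)rounds;
    return 0;
#endif
}

/* CPUID.1:ECX bit 31 is set by a hypervisor that advertises itself.
 * Returns 1 if set, 0 if clear, -1 when not on x86. */
int hypervisor_bit_set(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (int)((c >> 31) & 1);
#else
    return -1;
#endif
}

/* 0 = consistent bare metal, 1 = declared hypervisor,
 * 2 = suspicious: CPUID is slow but no hypervisor is declared. */
int classify(uint64_t cycles, int hv_bit, uint64_t threshold) {
    if (hv_bit == 1) return 1;
    if (cycles > threshold) return 2;
    return 0;
}

int main(void) {
    uint64_t cyc = min_cpuid_cycles(1000);
    int bit = hypervisor_bit_set();
    printf("min CPUID cycles=%llu hv_bit=%d verdict=%d\n",
           (unsigned long long)cyc, bit, classify(cyc, bit, 1000));
    return 0;
}
```

A verdict of 2 only says the timing is inconsistent with what the CPU claims; a real investigation would corroborate it with other sources before concluding a hypervisor rootkit is present.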
     