VM Rootkits: The Next Big Threat?

Discussion in 'malware problems & news' started by ronjor, Mar 11, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,766
    Location:
    Texas
    Story
     
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Damn, and I thought I would be safe now, actually surfing with VMware...
    but I noticed a hook.dll in lots of processes.
    But the hook in VMware is nothing dangerous.
     
    Last edited: Mar 14, 2006
  3. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    This is similar to the *blue pill* topic that has spawned a bit everywhere in the forum.

    This thread is also the continuation of that other one:
    https://www.wilderssecurity.com/showthread.php?p=809085#post809085

    in which Mrkvonic posted:

    So the subject looks confusing.
    This is NOT the idea of a rootkit that goes outside the virtual machine and infects the host.

    This is the idea of a rootkit that infects the host and then... secretly, without you being able to see it, launches the host as a virtual machine.

    Basically the whole host and security apps live inside a virtual machine created by the rootkit. Applications inside this machine cannot see the outside... so they cannot see the rootkit.
     
  4. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Hi,
    sorry about that Bubba, this subject has been current with me at the moment via a talk I gave on this subject, many fingers in pies as the expression goes, and I remembered I had that link knocking about to that article which I felt was easy on the reading/understanding - as a start to a discussion. Didn't realise it was five months ago though :eek: time flies
    I DO search here, but unfortunately that one passed me by! - sorry ronjor.
     
  6. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    No problem whatsoever as it's still a good topic to discuss ;)
     
  7. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    How can something from within a virtual machine program come out and attack the host operating system? Aren't they separate from each other, the guest and the host OS?
     
  8. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I think many of us feel safe in a tightly configured state running VM but with something such as this...
    what you thought was configured may not be and...
    :eek:

    I've had Qs obviously, about whether any AV is detecting this. :)
    Has this been discussed? Not necessarily AV.

    @nadirah (please forgive if this does not read correctly, my English, I hope you get the gist)
    The idea is to take malicious code and subvert it from your OS. This is achieved through the creation of an additional 'layer,' a VMMonitor, between the OS and your hardware. This is when control is lost, bypassed through the VMMonitor.
    Then the new normality launches another OS where the malicious code is executed!
    This malicious program is then in direct contact with the hardware and undetectable by the user's OS :)
     
  9. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,187
    Location:
    Sydney, Australia
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Backdoor.Rustock, you can read more about this at Symantec and F-Secure.
    There's a lot of infections that can circumnavigate detectors; this one hides in alternate data streams which are further hidden via a rootkit. :)
    It is now detectable, although it's a constant battle with well-known rootkit scanners such as F-Secure's BlackLight.
    That is why, when time permits, I'm playing with the System Virginity Verifier (SVV) source. The different versions produced with this source will be harder to beat.
    Anyway, there are a few exploits now which are very nasty.
     
    Last edited: Aug 11, 2006
  11. alch

    alch Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    2
    I don't think the biggest threat is the attacks on already installed VM software, such as VMware. I think the biggest threat is rootkit software using similar technology to VMware that installs a rootkit between the hardware and the OS.

    I think this is the idea behind the 'blue pill' software that there is so much hype about.
     
  12. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    alch :
    That's right...
    alch :
    Yes, JRutkowska ran with it and pushed it further: http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
     
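The mechanism posts #8 and #11 describe, a VMM slipped in between the OS and the hardware, is what the following added example probes for. It is not code from the thread or from any project linked in it; it is a plain C program written for GCC/Clang on x86 (it relies on the `__cpuid` macro from `<cpuid.h>`) that reads the CPUID hypervisor-present bit (leaf 1, ECX bit 31) and, when that bit is set, the 12-byte vendor signature returned by leaf 0x40000000. The decoding helpers are kept separate from the live query so they can be exercised with constructed register values; the file name `hvcheck.c` below is an assumption.

```c
/*
 * Added example (not from the thread): ask the CPU whether a hypervisor sits
 * between the OS and the hardware, using the CPUID hypervisor-present bit
 * (leaf 1, ECX bit 31) and the hypervisor vendor leaf 0x40000000.
 * Assumes GCC/Clang on x86 (<cpuid.h>); on other targets the live query
 * reports "unavailable" and only the pure decoding helpers are usable.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

#define CPUID_HV_PRESENT     (1u << 31)    /* CPUID.1:ECX[31] */
#define CPUID_HV_VENDOR_LEAF 0x40000000u   /* hypervisor vendor signature leaf */

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* Execute CPUID for one leaf. Returns 0 when the build target has no CPUID. */
static int query_cpuid(uint32_t leaf, struct cpuid_regs *r)
{
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    /* __cpuid is unconditional; __get_cpuid() would refuse leaf 0x40000000
       because it lies above the maximum basic leaf reported by leaf 0. */
    __cpuid(leaf, a, b, c, d);
    r->eax = a; r->ebx = b; r->ecx = c; r->edx = d;
    return 1;
#else
    (void)leaf;
    memset(r, 0, sizeof *r);
    return 0;
#endif
}

/* Pure decoding helpers, kept apart from the live query so they can be
   checked against constructed register values. */
static int hv_present_bit(uint32_t leaf1_ecx)
{
    return (leaf1_ecx & CPUID_HV_PRESENT) != 0;
}

/* Leaf 0x40000000 returns a 12-byte vendor signature spread over EBX, ECX
   and EDX, low byte first within each register (e.g. "VMwareVMware"). */
static void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int j = 0; j < 4; j++)
            out[i * 4 + j] = (char)((regs[i] >> (8 * j)) & 0xff);
    out[12] = '\0';
}

/* Live check. Returns 1 if the hypervisor bit is set (vendor filled in),
   0 if it is clear, -1 if CPUID is unavailable on this build. */
static int detect_hypervisor(char vendor[13])
{
    struct cpuid_regs r;
    vendor[0] = '\0';
    if (!query_cpuid(1, &r))
        return -1;
    if (!hv_present_bit(r.ecx))
        return 0;
    query_cpuid(CPUID_HV_VENDOR_LEAF, &r);
    hv_vendor_string(r.ebx, r.ecx, r.edx, vendor);
    return 1;
}

int main(void)
{
    char vendor[13];
    int rc = detect_hypervisor(vendor);
    if (rc < 0)
        puts("CPUID not available on this target");
    else if (rc == 0)
        puts("hypervisor bit clear (no cooperative VMM, or one that hides itself)");
    else
        printf("hypervisor bit set, vendor signature \"%s\"\n", vendor);
    return 0;
}
```

Build with `gcc -O2 -o hvcheck hvcheck.c` and run it. A set bit on a machine where you never installed virtualization software is worth investigating. The reverse does not hold, and that is the thread's point: a hostile VMM of the Blue Pill kind traps CPUID and can answer with whatever the guest expects, so a clear bit proves nothing. This check only finds hypervisors that choose to announce themselves.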