VMWare Rootkits, The Next Big Threat?

The New Acunetix V12 Engine


Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Subvirt certainly sounds like an interesting project.

I have heard about such a thing before in the blackhat community, but for Linux only, I didn’t know anyone had actually worked on a Windows variant.

Quite an amazing piece of technology, the thing is, it might already be out there..Blackhats tend to do it first, and do it dirty, but not talk about it to the media ;)

Using current methods, these root kits CANNOT be detected by the host machine.

Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK.

The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft’s Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.

The problem being the malware is a lower layer than the malware detection utilities available, so it runs under the level that it can be detected. The SubVirt project has implemented VM-based rootkits on two platforms “Linux/VMWare and Windows/VirtualPC” and was able to write malicious services without detection.

It is a very stealthy attack, and perhaps it could be used to also fight against malicious code and malware.

“We believe the VM-based rootkits are a viable and likely threat,” the research team said. “Virtual-machine monitors are available from both the open-source community and commercial vendors … On today’s x86 systems, [VM-based rootkits] are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a rootkit.”

Hardware detection is one thing that could overcome this kind of subversion by virtual machines. Intel and AMD have discussed hardware based malware scanning (AMD Execution Protection to prevent buffer overflows).

Source: eWeek

Posted in: Malware

, ,


Latest Posts:


CHIPSEC - Platform Security Assessment Framework CHIPSEC – Platform Security Assessment Framework For Firmware Hacking
CHIPSEC is a platform security assessment framework for PCs including hardware, system firmware (BIOS/UEFI), and platform components for firmware hacking.
How To Recover When Your Website Got Hacked How To Recover When Your Website Got Hacked
The array of easily available Hacking Tools out there now is astounding, combined with self-propagating malware, people often come to me when their website got hacked and they don't know what to do, or even where to start.
HTTrack - Website Downloader Copier & Site Ripper Download HTTrack – Website Downloader Copier & Site Ripper Download
HTTrack is a free and easy-to-use offline browser utility which acts as a website downloader and a site ripper for copying websites and downloading them for offline viewing.
sshLooter - Script To Steal SSH Passwords sshLooter – Script To Steal SSH Passwords
sshLooter is a Python script using a PAM module to steal SSH passwords by logging the password and notifying the admin of the script via Telegram when a user logs in.
Intercepter-NG - Android App For Hacking Intercepter-NG – Android App For Hacking
Intercepter-NG is a multi functional network toolkit including an Android app for hacking, the main purpose is to recover interesting data from the network stream and perform different kinds of MiTM attacks.
dcipher - Online Hash Cracking Using Rainbow & Lookup Tables dcipher – Online Hash Cracking Using Rainbow & Lookup Tables
dcipher is a JavaScript-based online hash cracking tool to decipher hashes using online rainbow & lookup table attack services.


3 Responses to VMWare Rootkits, The Next Big Threat?

  1. Alessandro Perilli March 13, 2006 at 11:47 am #

    The research misses some critical implementation problems preventing this rootkit from being developed anytime soon.

    I have an insight of this on my blog: http://www.securityzero.com/2006/03/rootkits-powered-by-virtualization.html

  2. Duo March 18, 2006 at 2:57 am #

    Verdasys (Ver-day-sis)
    http://www.verdasys.com/

    They’re developing a mutli-layer* rootkit. The administrator would install it just as he would with any piece of software and once the administrator gives the agent a server IP Address it completely hides its self. Removes all executables, install directories, processes and their IDs. It’s really quiet amazing. It also sends information back to the server on a timer (admin configured) and the information is displayed in either HTML, TXT or the programs own interpeter to display what applications have been running, what ports, etc. In the version I watched in use had features such as VNC. When we were reviewing the AIM statistics it also logged who had been talked to, their conversations, etc. I was impressed.

    *Multi-layer refers to the low/high level of the kernel and other functions of the processor. The different rings, if that makes sense.

  3. Alfred January 19, 2008 at 11:26 am #

    I think they talked about this on sploitcast.com.