VM Rootkits: The Next Big Threat? |
Monday, 13 March 2006 by Michel Roth | |||
Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK. The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft's Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol. A virtual machine is one instance of an operating system running between the hardware and the "guest" operating system. Because the VM sits on the lower layer of the operating system, it is able to control the upper layers in a stealthy way. The group said the SubVirt project implemented VM-based rootkits on two platforms—Linux/VMWare and Windows/VirtualPC—and was able to write malicious services without detection. Read the full article here.
Show/Hide comment form
|