VM Rootkits: The Next Big Threat?
Monday, 13 March 2006 by Michel Roth
An interesting article on eWeek:

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK. The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006, is the brainchild of Microsoft's Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.

A virtual machine is one instance of an operating system running between the hardware and the "guest" operating system. Because the VM sits on the lower layer of the operating system, it is able to control the upper layers in a stealthy way.

The group said the SubVirt project implemented VM-based rootkits on two platforms—Linux/VMware and Windows/VirtualPC—and was able to write malicious services without detection.

Read the full article here.
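As an added illustration (not part of the eWeek article or the SubVirt project), the shell function below shows the only kind of hypervisor signal a Linux guest can read from inside itself: the CPUID "hypervisor" flag that cooperative hypervisors export (visible in /proc/cpuinfo) and the vendor strings they leave in the DMI tables. The vendor-string list is an assumption based on common products, not an exhaustive one. A VMM that wants to stay hidden, as the article describes, simply does not present any of this, which is why a "no" result here proves nothing; the check is useful as a baseline-drift alarm (a machine inventoried as physical that suddenly reports a hypervisor), not as a rootkit detector.

```shell
#!/bin/sh
# Added example, not from the eWeek article or the SubVirt project.
# Reports whether a *cooperative* hypervisor announces itself to this guest.
# Arguments (optional, used for testing with constructed input):
#   $1  path to a cpuinfo file   (default /proc/cpuinfo)
#   $2  path to a DMI id dir     (default /sys/class/dmi/id)
# Prints "yes", "no", or "unknown" (cpuinfo not readable on this system).

detect_cooperative_hypervisor() {
    cpuinfo="${1:-/proc/cpuinfo}"
    dmi_dir="${2:-/sys/class/dmi/id}"
    found=""

    # CPUID leaf 1, ECX bit 31 ("hypervisor present"): set by well-behaved
    # hypervisors such as KVM, Xen, VMware and Hyper-V, exported by the kernel
    # as the word "hypervisor" on the flags line.
    if [ -r "$cpuinfo" ] && grep -qw hypervisor "$cpuinfo"; then
        found="${found}cpuid "
    fi

    # DMI vendor/product strings usually name the virtualization product.
    # The pattern is an assumed, non-exhaustive list of common vendors.
    for f in sys_vendor product_name board_vendor; do
        if [ -r "$dmi_dir/$f" ] && \
           grep -qiE 'vmware|virtualbox|innotek|qemu|kvm|xen|microsoft corporation' "$dmi_dir/$f"; then
            found="${found}dmi:$f "
            break
        fi
    done

    if [ -n "$found" ]; then
        echo "yes"
    elif [ -r "$cpuinfo" ]; then
        echo "no"
    else
        echo "unknown"
    fi
}

# When run directly, check the running system with the default paths.
detect_cooperative_hypervisor "$@"
```

The function only ever confirms a hypervisor that chose to be visible; everything the article says about SubVirt applies to the "no" branch, so treat that answer as "none advertised" rather than "none present".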
