Rootkit Threats

By Ryan Naraine  |  Posted 2006-10-26

What is the value of creating an offensive rootkit? Doesn't it make it easier for the bad guys?

It's important to show that current anti-virus and specifically anti-rootkit solutions on the market are far from effective in preventing or detecting system compromises. In other words—to stimulate people to create better defensive solutions.

I don't believe that talking about new offensive technology should be considered as helping the bad guys. After all, it would be very strange if a particular attack was discovered by only one person/group on the planet. I certainly do not consider myself to be that exceptional.

What is your policy on disclosure? Do you publish details on flaws or release exploit code? Why/why not?

As I'm currently a full-time employee of COSEINC, I follow my company's policy on disclosure. In general, COSEINC is primarily interested in doing research which could then be used in protecting our customers. Of course, we also try to have some impact on improving security in general, so we try to share some of our research with the rest of the community by giving presentations at various security conferences.

As a rule, we do not publish exploit or malware code, unless, of course, we decide that it's absolutely necessary to do so to force a vendor to fix a particular problem. For example, we believe that there is no advantage in having the Blue Pill source code available to the public, as this, in no way, could be useful in creating an anti-Blue Pill solution (in contrast to what some people may think).

You've taken a keen interest recently in virtual machine-based rootkits. Is this a legitimate attack vector? Why?

Hardware virtualization, as recently introduced by Intel and AMD, is a very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make conscious use of this technology, hopefully preventing its abuse.

To demonstrate how this virtualization technology could be abused today, I created Blue Pill—a little program which creates a hardware virtual machine and then moves the running native operating system (the system in which Blue Pill was started) into that virtual machine, while itself becoming a so-called hypervisor. This all happens on the fly (the whole operation takes much less than a millisecond) and the native operating system doesn't even realize that it has just been moved into a virtual machine.

Blue Pill and other malware of this kind could be prevented if the underlying operating system were aware of the virtualization technology and implemented its own hypervisor. Needless to say, implementing such a hypervisor is not a trivial task and, although it's expected that future systems will be doing that, I think we are two to three years away from seeing that.

I saw a rootkit expert (Greg Hoglund) say that a VM rootkit is nothing more than a lab toy and not a realistic threat. Is he wrong?

I thought Greg was referring to software virtualization-based rootkits, like SubVirt, which was created by people from Microsoft Research and the University of Michigan. This is different from hardware virtualization-based rootkits like Blue Pill or Vitriol, which was created by Dino Dai Zovi from Matasano Security.

Frankly, I see no reason why Blue Pill-based malware couldn't be used in the wild to conduct real-life attacks. Of course I don't expect this kind of malware to be used in worms, but rather in sophisticated targeted attacks. Furthermore, I think that we will have very serious problems with detecting it (provided it's implemented using strong covert channels). I'm betting that lots of security "experts" will come to the conclusion that such malware "does not exist in the wild" when in fact it'll be very much in use covertly.
