|
|
|
VM Rootkits: The Next Big Threat?
By: Ryan Naraine
2006-03-10
Article Rating: / 1
There are 0 user comments on this Network Security & Hardware story.
VM Rootkits: The Next Big Threat? (
Page 1 of 2 ) SubVirt, a proof-of-concept virtual machine rootkit created by MS Research and the University of Michigan, pushes the envelope for hiding malware. Will this new threat strike from below?Lab rats at Microsoft Research and the University of Michigan have
teamed up to create prototypes for virtual machine-based rootkits that
significantly push the envelope for hiding malware and that can maintain
control of a target operating system.
The proof-of-concept rootkit, called SubVirt, exploits known security flaws
and drops a VMM (virtual machine monitor) underneath a Windows or Linux
installation.
Once the target operating system is hoisted into a virtual machine,
the rootkit becomes impossible to detect because its state cannot be
accessed by security software running in the target system, according to
documentation seen by eWEEK.
The prototype, which will be presented at the IEEE Symposium on
Security and Privacy later in 2006, is the brainchild of Microsofts
Cybersecurity and Systems Management Research Group, the Redmond, Wash., unit responsible for the Strider GhostBuster anti-rootkit scanner and the Strider HoneyMonkey exploit detection patrol.
Today, anti-rootkit clean-up tools compare registry and file system API discrepancies to check for the presence of user-mode or kernel-mode rootkits, but this tactic is useless if the rootkit stores malware in a place that cannot be scanned.
"We used our proof-of concept [rootkits] to subvert Windows XP and Linux target systems and implemented four example malicious services," the researchers wrote in a technical paper describing the attack scenario.
"[We] assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits," said the paper, which is co-written by researchers from the University of Michigan.
 Stealth rootkits are bombarding Windows XP SP2 systems. Click here to read more.
A virtual machine is one instance of an operating system running between the hardware and the "guest" operating system. Because the VM sits on the lower layer of the operating system, it is able to control the upper layers in a stealthy way.
"[T]he side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders," the researchers said.
"If the defenders security service occupies a lower layer than the malware, then that security service should be able to detect, contain and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution."
The group said the SubVirt project implemented VM-based rootkits on two platforms—Linux/VMWare and Windows/VirtualPC—and was able to write malicious services without detection.
Next Page: Its easy to infect a target system.
|
|
�������xv6(;^+(g٦xvKY%5,nO;giQ$$1H
I٭̙:/q�.KOwb["�PU(�
�;8x$+W7-gL:9)9G�,��I��|ݻ@�Be�ZNULrJ�Զn�L7n[c3�P/W�a��W?�᳙(,��@6SM-�*R<>u~�U���cm9�Ne,oӟZ_{WJY4E9ۗ79��~�`h=v$�c�N^uc<>+�i^_�wD_*�0QI-�i|/�Z@���/ֳP��:5=(G~㖯[�MNR=5,g��f�V҈�g�UUYڭ~S~6ۛvE˳v��,a�R422V,]鮙Fȏ�Ay|qnvz{KV�Y;��i
O�ɗV?�܌vO|�?Om@=�����.iT%532�yML�u}Nr,�eo\;W�;Beu#�7gbeQ
�5f`X@7�? eR2\
L9�X@/@ש#4���K'Q�liBu��V�!`J� 0sn=r@k��FPY��D`6�R\� 9lb���v!fBy�M)�I�K
_{@@�ZR~V(�nS%EI7#DD�<�v�x�W��"ʥ��c�p1SUҽT7wsY�iغ�\08�އ]7+De.
s5-wizˢ�aZTp�x3_��&t{]iz-+>cq4Y`I�-. ¹:zSt*t�~Z�o�E�oa���G'&-d`q86ayƔIG�?<�|0��ZC>OtvϧԴPwP�?�:�M��/�}D˥~i�1�@�
L�na�
�V8;
�uCuӹga �{>�0���kJY-��j$�ni��-DCwM0Ie!S @��Σd`�oM~�ٚѡ4}a���q�jS?g !Tg ,z�u=
}
�wA���l[>l0��s�yF�@i0x�z�dQJ
d��� 4.gP)AH �=��� \��99[�
��8#!bTLZ�'9Tu{B#��T\*�τb��Z
z)0ٜ��ʬ$5M�
X�*ȉ#�m"0�%X����
,gZ
X��5�Z)m�
*�LB{ؕqIQ���ңF +:�)l[�L9<�p��`�]?b�n;N %=&*���,Â�Ic̦MS�=LG"z
[�q3�7O�j�7ab<"#~Ľpe��ٜi8xs�>`|�==0Xհݹ2|dң%}?�p*JNC_jVzq}a�MAV?�s��p�7+ s&���rG|媞5��jx0?3\�LdFfko�m���7*+)뼓ܳP>Ҕ
S5��
L��@).E��wJl㜜;F]s;tO�kG'O齵Zl��m�H_ƠT:�?oWu�RH�H�oh��koռ²yc<6�B6`9HM^>��2f��ˣ(�U6LF%?Io2�@�=�ȢmD�K*+'G,m+Z�rijXL{6`�aP�eQ@7MVRQy3�^:z�ȃ`��#r7�6O7]?��69�{y4!%6$;~L&'V
KN
Mښ(1@�/��ŵa�a�{�61rt\Xb:tgyaٿZYT.ZkʮtݐWүhMVp��v�*> ��1f&6X#˦>oًMIAʫ%M�fl v6,ƴ_$i?怚H|A��2e�&Gmܑkc6euE����Ʊ4f3t%ұy�4��
hD�kHb4"T2paLH�a0S]�e�lQؼuwPySms�{�䖻��!`Pcf�:uV*L;$!WTwwAQ xL1�kM8v�هE1Ǿ{E{=
��F:�7�a/�)cpIl�_��ta@C^C���)& SZ`\FL�k��
ZCbP$ܔwц.�{|X�]OXL�+*�9G�pϟ��
sFWyUFY?O=yT+BZm'VVR崨V*�Jwq�)4�� bs`~6|Oe�OQz?�ܮ{Kn�s3/�x/ &1h'0(o@|�V_ﭡ>]Ik0�1Sle`Sxt(�b=*��䪢#Ïn
O��GA.CGa&:�`B���T�nl
0ԴgKZ-�,?A�A�ޯј�n"0�\veOTUWL*H@8�:{>-n��W`
>6Z0bƏQ�ajX[�T�}f�z/J>ELt0Ȑ�N{ĝ�Wlȡ5Th7��8Uo��F*l�ϛ=G$1�*@7Z �ɦ`V �
"|>�75;V`]f-�>s�7poj-śz_EnMsU-ny�F��E��=JTȝ𑿚@ "Bι�7xlx�P@*�ৣjZ)KƗɘBÜb��>�AM:�lns0USfyr;WKU056u
2
܄�z�t~>@d�3_�?L=�[L4F�zɖ0M0g'� ��ٸn�:AjAy̧`\�fc5}pNyT!�"�kq�(n}�#;"#�A_ �d��sq7pTJJ\�
$Jq� �{2u9pg埍v8?UU�GMy�U̐,*A�j]K>a51r�l\X4�N>��2Q&OB�8Jj-[r_̜A~�V0u^AS#ȫͦ'0[(j'�fcO7)~�}$DC9[m�z~�K��e�Tͻ�#UX)TԒP/YTAtuYbke`WPF4`�W�&�\x&\_{sƋ�(b)Q^q�D�CRx*+nQ/ew���S? &i�=�P3�&t]57��1Tmn/`2NEM+v@l+J9wWGc&���Q@gtD�ɢ\�'
WeR8p,g$��X9�H(PK Y�x[!6E����=a?qq-<92���=�QZ��aǰ�ZPf/n�GF�Dccb^s�zY*oO��P�[�/I6]C�0:;bdG]ItvyB
�ۇ^F}�0q�qnowO��3)l_��{4|%<�4W}lㄔN J~ypݔڝ�?���eF&Gf�B�,
8oOI�Ÿ}/gvi4-ð
].a�址�
Uκ~#t�Kݫ-?wJ-)�^{#= rJpAj\_'d�0|
s~j܆�6b�7�`
xѤ8"cxH13^��6�"B�@�to[,�S�VXKr!�}&�=C٠l��hL؆Կ�T�WX*��5�̄o��
I+U:=<�
�� c@JA=�oh{7WOi�{mE�����bT1 _RJ�MQ6�=#�ijf{L× g(��^(0[LӷoHW蘧Y�GD_q/
s��z4~��\3Z9nl$ݫ#B2�Nlp
j_{`USr�F4/�E/p�]�"Tc�8L,ӤN)fTD�Sco�y0;Fx�8쀒N1�{LEOأ
F]�nց'S9])ŔN yr< 'AGJ脊aye5))eL5NR�MLC]�OC/��$�;��B:Tzw �go��Ú�}gy�j;n�+�ã�,P-�WY+LB$/i\A1獫p"�,GwDl���jr8J,sL�3u�Zt
ەgaBxa1~hSr�?n4[ҸԿ�5LZ0�c,H~ ZЃ�>�5?�y{jo&�=)sǣA��#g伅)ћN:|[)=h�9K��8��{qOKn<�]1g�lLcI"ɫ�w7}�YpJuOVr�ѩc+N� c,n�V��(fޮ�ye11>g�nS;-�zsSxc�k~=vȤ�2]aG�^R��.oCVZ�tC.q�@�9&^--^\RK>^+���Uk@< b[_��I{tH��z>X6��N
ئ73ӧGcef7F?��4�c2j$ JR��6C���OrF1�݄ ����!�nŁ��BN�.�'oa�J]ۨ@��2��$<�,2k%�=0n*��v9�:){b:x9y'Cq�$ܫeђ�X�Z9�L1tˢ�A8ANb�Tuㇹ�"!� :K2cJ�}j�Մ�e�x(t�9�NS6|p4uYDx?�s)Ԏ;ۊ?-gպ.*bb 4l_;nX=b%ޜ,xDdIJ]y�'-��t�H9喔S�f9PZPKqdYڐY�!9� HOuBV�13s1'1�|LGL&��nF&�
P�s(:̎�&ϜqPZpi(VhRbp~t_tϨ�Gbj&}[@Y͈�OĞ OxZ�ySӊjYKn$vlR@�R|V=TTLk.UO�S!l�핍*r-�DV
�5�{̞S�cu�7�sv�ǗTE>8&^N�H�sZ�S1.�c{��"TP�I����&$\".%LDi�BZ4%SXꄄy*�Oz�8�Ӳ�kշ3w�=m{f�M:�#zRob|�֭�V @_3~sX2a VDm7s�+3
���/��W~(<��\g>�m[c�4^�J=}KuB4��ɠ.��ѷ/g��;~�'�y �I�~3C��O"Bb=(ܗ;Y|Um2Ky�Jb� T$aůWICrZS=|J/>~L:�Av�qQ�_PoD+7`QP8k;sG5]�0 $�1c�";_}Mn8ksg��01u2t1,qv�43'�zB�#` % lW"�K8دC�)Ԩ?&UĊ,uk<[[)N4!�oooo?qYP�X_r�;[H=(bi} m2n)�| "�+-6о�1nŮ�GżrۗObE0�asH=h;rL
jQ;0m)t:�TLɃ�} K�)Rr��R��ƗҝK6.aP�&��* Xk]&GS|%� +}2�fǛPtK.ɉ
q
OgH϶4<_�_*Oc'�>[=�|�a9vxA
&BD��Șؽ)"]�X��q.�(91d`z-u~ga=麞/˛tP0,k-�0��QP�/�����#�W^x!ݞOAȘf��Xn�T
!zj"|Bm`:V�Qo簚�k~��![�g8Ε6dn[�ۭ;�)PIST"K7c7kI\�u�a/��3qm˟Hbe�8!�-]e�-�&'LzIEz 2_�&gwIo$ݑǥR#1
jK���'p<ٞm�S-V$\rXw<`Kr�t#k|;z|id|�:�^%u~p?P),܍
5�_XSª�V�ȆxnG/��� 4bzѼ{�]tc��� !Ĩ1�D�_�{w}K{�cPI-I���9mX�3J`<$��=^e<�D8$<]u�d_x}ڈ40vbI�&Őz{�gzXE5�AX?p؟aFJ+BH#f2Hz R�]gz�H
��}�@�,�"`�aq��%O!HH�J_q!]X�uHq�bFma�V`m8g�5Tc.wzm*Lb���:%��4W?FWZ']�~ޏ�vR�y` �s�_g;^R-�e\v4�kat<��\q5�p�_[B/�ZΕ{[|p;w��fc�Y�0mD^�/D,%b
y/́l6&ٱfm]$5�?hVroO�.`�l�j;-0�'�EQ2Z\gv+Zvm,ѩ@Wi*e�Zf}-�g)(փf>tQ�Am�@ɼW�¡Hj:!RJD:`�W
3VD)�2;�J63Lh`�p�7�DRX�NVȓ�I�u�1�A�p�\|@QX^_N3�g�-N�Ə/Wkd=I^'F��v���j=��Tw߁^B�V!�Wp@
aL:�Ul#;CyҸ�l`^�tq"o��(29#z�X67
~V�xrڜLv�^'F�+� 3cьJCMwȭ!n1F�M�ۻ�߿@�*�O2Yl
oLq�ì�fo!۟`2ۍ�yko1q!.GGa0cD% `Mg�NpAx�H)LE||%k��;3��GM�1r~�x�*Ɲ@ |2��;?�A�F�aw9Ƕ�,xVG1�R,o�}���VM �BaD0Ə�-c�1�ʵm )fFlm@�[L[ao=!v)Զv𥽛 J�.қݝ�AfnDMu
ܯG܀�g�E�8a���cIHʞ8���[+x6_j���~��R.gI*�] ��013���òZߩVPJj\=w(9 :}yjUS*ZYQ#�U*ΚTɭF5���
K.�kXGl?̋1�K%XSt^Gp�=X2x��%:0Y.6飏ji/�
1 ]�8=�D�!��+j1;
w5kov�dɹY��K`�� +^Rc"W6��&`9ӹ� M:u_ac�i?t�]k�tK�s>н_��m8+�1/VwWۏS�l�I4-^a�;%U$d[i4K$¨ӔCJO`��r;cG�±@�4@G�"ͨa8TJ�; J}�J�0+�ǘwZHUk�|Tbx�v�IaõW1儔v�JzN۠ő1�iL(Zrձ8�Ř�x�a*1aN
eզٝ$7�zg�F]�9|BVU�ߞ&ru�Y�*�_�Dh�_�-i��3:�&`yM
��1.�o
Qrj$ǷQp�
oG_
�6f^ZGZQ!IG)}o<�k#b2z�ވ��qGo5D�;���
joE�ֹIz# ,@�eꊍ\D�x5�6��:iF\zW~uC��{�>�p稯-d#�uܛF"@_�q�f,Ԙ8@1^c�`]Q
s�6<�a�]ąي�1%χ\oX|J7��;�>�BZ��s4e��?�/=X)`�#}~�!����L�
DĤ"c�*41GJ[#�}_s�mǤ\Z̈́px�XҚ0!,���YC) Q?�\Ϣ"�n#BLk4�3DDc�͈ )8"gl'��ELn1J�K\-B@e=D�q�yy�<};ů@�QR"��tQ.�(�� �I�YP[,(Ϗpk'�%a/xo$S�L\f�����F�"O=x�}:;
j�ܕiV!5l<0
0k�Y:o�N���*r$��P#:ς��Qغ�PdG(U�}#c�.�.2/9IR<��9k픊�,eK�"~�)�P��P
g��~-2&B�@^~ kL+ťW�*7׳KT썆cn%:@b�a �c|:�,y&F��e��^>&c����˼$=)>w�懤I��x]"&JR˯-cENj9.~QJxdR$h{U2�6#�{"tn{�"X�
½p'�eybn�AR-c�#C~�L(���(W].�6pqSݮ' 5`
�nsOkr>u2[~|^YlفGh�/k6:�5Q3[� ÈC?�s
H�z!o�C/+O�g�5>?ܶ�Һn\
n�[3
쓭/>AͷDV�)pF ;F,R+|c ,~Q�?Ѱs�3@�z:}K@$?��,@���$5͇RiE�rT)N?Jnx}pDDd�1Xj�UUEVr�o�VVK
D`q9#��RB�4|O״W)]7tSsc<{�+4�аY-}�"z5����[xcDy�+c�AV7�/��^"_�v3&mc�(2��)xf�b�b�ˈTbT|Jx�^s/�q)
߄^Vٍv"n�<4w�z:1e��@4ǽaƹrV�0�@���z4}�z<8�J)YF
�
T z0}G%�`"�9�oٔ^^CN��΅'*˗ X62�3t��^�D�`˫iBO$uMG{vm�X�?�ap;�b2�
B�j�W�ԃ`ƨ�f\c^c��v�VAgL3SY,�> ^_d�v�O~%�B+π��8>eC;gI2T~kJ=*P�=eZR]�~"�,gIo=G}g_V�e�ńK�!l;F>^I;.~m&� ]*�$Cb9G8]!
""_S�a�^5{\6LDR��}A�0~N}�v0A9DePޅ!/{vcSF)f��'^Fp)N�<}q?٢�u+�ğoqml�.�;�+C�&:bz:SA\W �(9|�x@ΙlMlmjīc� :|�?��O�e Lt8/o90�kn>wQ$�L{��i�zQ�ZteVb0
�yMvSFߟ�2"�L�+� �Ԧ?MkSw(\*],1Ał?�qLwf\��t
23Q��*Ԯm�x;9[ԋO0xm=еhOY=�m|h[d-�^FLm`H{!}R>Ŕ+�
]'[ۧ3�й?-{�w/���e{�n:_��{��QFb�F]9N]Rnãō-,c<=�ԭ<�P0��@~m.vz}�nJQXƦa#�¾u4mo��/+��6
�%/߷�3qݼ}E>+�Ѝ
�/|3'
ȱ��gb@x��m{~k�C'> �:y!}ő,,�L[녗O?8�C�7Ѱ0�L�,luE�G%��RRNCc
�0F �c:p2
19-O)xI1%h3l䃈mAb�?�<Ƶ-caG?ܝ-X)��O2�LdzU.]�Z�12Mo,gkV�"�K�0�G.�=��z��k|F솎XK�z\MljkÐ{y0ѕDM1F(ͧ,1gYR���v2<~v�m�.3J�bQ'.k_O�w1X7u㞗5ypݔ�m�EKBӽm �D>Ml_O��uO+_1dF[Wy�&F�2kV*w�^㛼VtƦ�I:1qzr�.=xaL셳Qbئd�Ui2�9Z{) qU֫/EiQ}*'
Cfan-nǝl| �n%96L]_�[�
P�X/(��
|
Network Security & Hardware 
