Its Easy to Infect
a Target System"> The paper describes how easy it is to get the VM-based malware on a target system. For example, a code execution flaw could be exploited to gain root or administrator rights to manipulate the system boot sequence."Any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection," the researchers said. The group used the prototype rootkits to develop four malicious servicesa phishing Web server, a keystroke logger, a service that scans the target file system for sensitive information and a defense countermeasure to defeat existing VM-detection systems. The researchers also used the VM-based rootkits to control the way the target reboots. It could also be used to emulate system shutdowns and system sleep states. While the prototype rootkits are theoretically offensive in nature, the researchers also discussed ways to defend against malicious use of VM. Where are rootkits coming from? Read more here. The group suggests that hardware detection is one way to gain control over the lower layer to detect VM-based rootkits, pointing out that chip makers Intel and AMD have proposed hardware that can be used to develop and deploy low-layer security software that would run beneath a VM-based rootkit. Another defense technique the researchers proposed is to boot from a safe medium such as a CD-ROM, USB drive or network boot server to gain control below the rootkit. A secure VMM can also be used to gain control of a system before the operating system boots. It can also be used to retain control as the system runs and to add a check to stop a VM-based rootkit from modifying the boot sequence. Ziff Davis Media eSeminars invite: Learn how to proactively shield your organizations against threats at all tiers of the network, Symantec will show you how, live on March 21 at 4 p.m. ET. Sponsored by Symantec. "We believe the VM-based rootkits are a viable and likely threat," the research team said. "Virtual-machine monitors are available from both the open-source community and commercial vendors ... On todays x86 systems, [VM-based rootkits] are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a rootkit." The threat is so real, the group said, that during the creation of SubVirt, one of the authors accidentally used a machine that had been infected by the proof-of-concept rootkit without realizing that he was using a compromised system. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
Once the rootkit is installed, it can use a separate attack operating system to deploy malware that is invisible from the perspective of the target operating system.