Microsofts twice-yearly BlueHat hacker summit, running Oct. 19-20, will kick off later this week with a demo of a virtual machine rootkit that can potentially be used to defeat the controversial PatchGuard technology.
Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsofts Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intels VT-x virtualization extension.
Zovi, an expert on exploitation techniques, 802.11 wireless attacks and operating system kernel security, will demo the rootkit at the conference, to which select members of the hacking community are invited to brainstorm security issues with Microsoft employees and executives.
The Vitriol presentation is an expansion of a talk given by Zovi (here as a PDF) at the Black Hat Briefings in Las Vegas in August, and will include a technical explanation of how Intels VT-x extensions can allow malicious hackers to install a “rootkit hypervisor” that invisibly runs the original operating system in a virtual machine.
Zovi plans to demonstrate how the Vitriol rootkit can migrate a running operating system into a hardware virtual machine on the fly and install itself as a rootkit hypervisor. The malicious code becomes inaccessible to the operating system, maintaining stealth and controlling access to the malware.
Zovi, in a blog entry, claimed that hypervisors can also be used to bypass PatchGuard on 64-bit systems, but Stephen Toulouse, a security program manager for Microsoft, explained that PatchGuard prevents modification of the data tables and is not meant to detect hypervisors.
“In this case, there is nothing [from Zovi] to indicate the attack is even trying to modify the kernel itself, and I confirmed with Matasano thats true,” Toulouse said in an e-mail sent to eWEEK. “Vitriol doesnt defeat kernel patch protection,” he added.
In response, Zovi cited “confusion” around how or whether hypervisors can bypass PatchGuard and stressed that Vitriol is not an attack against [a weakness in] PatchGuard itself. “[It] is more a demonstration of how a hypervisor controls the entire universe in which an operating system runs and can mislead or lie to any operating system running inside it, thus defeating security defenses running on the guest VM,” he explained.
Microsoft officials declined to comment on the BlueHat schedule. According to sources familiar with the companys plans, BlueHat v4 will feature a roster of well-known white hat researchers specializing in OS kernel hardening, database security and application threat modeling.
The source said the company is looking for “new faces” to talk at the two-day event. Researchers who made presentations at BlueHat v3 in March 2006 are being invited back as attendees.
At the Spring 2006 sessions, the roster of presenters included database security experts David Litchfield and Alexander Kornbrust, Web applications security researcher Caleb Sima, Metasploit founder HD Moore and reverse engineering guru Halvar Flake.
Moore, Flake and Kornbrust said they will not be attending the sessions this week.
Zovis virtual machine rootkit presentation comes on the heels of a Black Hat demo by stealth malware researcher Joanna Rutkowska of Blue Pill, new technology that is capable of creating malware that remains “100 percent undetectable,” even on Windows Vista x64 systems.
Rutkowskas Blue Pill prototype uses Advanced Micro Devices SVM/Pacifica virtualization technology to create an ultrathin hypervisor that takes complete control of the underlying operating system.
Rutkowska, who also showed off a way to defeat the device driver signing requirement in Windows Vista, told eWEEK she has never been invited to speak at Microsofts BlueHat.
Microsofts own Cybersecurity and Systems Management Research Group has also created a proof-of-concept rootkit called SubVirt that exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
This story was updated to include comments from Microsofts Stephen Toulouse.