Microsoft Research Warn About VM-Based Rootkits
Tenacious Hack writes "According to a story on eWeek, lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and maintaining control of a target OS. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system."
Why is microsoft researching this? (Score:3, Insightful)
Then they can force Linux to perform worse than Windows and nobody will be any the wiser.
Except when you boot into Linux and then get a blue screen, that will give it away lol.
Of Course (Score:3, Insightful)
i was under the impression (Score:3, Insightful)
I'd imagine the VM would have quite different performance patterns for some operations than the real machine. It would also, pretty much by definition, have to have slightly less RAM.
translation (Score:5, Insightful)
Kind of a sneaky advertisement, isn't it? Instill terror to sell vendor lockin hardware and operating systems. Maybe even get a law or three passed. They sort of gloss over the "get the rootkit there in the first place" part, don't they?
Performance Degradation (Score:4, Insightful)
There might also be driver issues that could tip you off that something isn't right. You may not know what, but it should be apparent something is amiss. It would have to emulate all the hardware that you had installed at the time of infection, unlike something like VMware, which presents a 'standard' (but different) set of hardware devices. That's a pretty tall order to pull off.
Re:Why is microsoft researching this? (Score:5, Insightful)
Honestly, this sounds like the kind of thing they'll think of so they can use it as a reason that all computers should have DRM built into the chipset, which plays right into MS being able to justify why all systems should follow their boot rules that allow only Vista to run. It's just laying the groundwork to force the exclusion of anything but Vista being able to be booted on future systems.
This is also the kind of thing that I don't think many black hats would have come up with on their own due to the amount of research. MS continually says it is irresponsible for people to publish info on exploits in Windows before they can patch them, yet they've just gone and published what could be one of the nastiest exploits of any OS to date. If they're doing this, it's for a reason, and experience tells us MS's reasons are good for them and bad for everyone else.
Re:Why is microsoft researching this? (Score:3, Insightful)
Re:I say we take off... (Score:4, Insightful)
Your virtual machine could flash your BIOS without your consent. Then you're boned. A bootstrap doesn't require a lot of space.
Oh fuck me - the next step is a VM rootkit that flashes the bios to keep a VM rootkit.
Virtually. (Score:2, Insightful)
examples:
I bought 4 GB of ram and a 400 GB drive, now I have 1 GB and 150 GB drive (with 250 GB overhead for mail and porn).
My Ultra-Monkey quad SLI Nvidia 9999 video card with 1 GB of ram now shows up as a 16 MB S3 Virge card, WTF?
My Comcastic experience is now more like my old Netcom dial-up account, but the cable modem's lights are busy.
It's really good to see Microsoft concerned about security, but I hope they will stop looking at how elaborate the hacks could be and focus more on why this crap can be done in the first place.....
Re:rootkits? (Score:3, Insightful)
Where do you put the checksum? On an external hd? On the system? What's preventing the rootkit from replacing the checksum? A checksum of the checksum? If you don't allow the checksum to be replaced, how do you upgrade?
Holy Crap! (Score:3, Insightful)
Seriously, whipping up your own VM that will run $HOST_OS is nowhere near in the same league as, say, hacking together a VBS macro in MS Word or similar...
Re:Why is microsoft researching this? (Score:3, Insightful)
Not everything is a conspiracy. In fact, very few things are.
Re:Why is microsoft researching this? (Score:1, Insightful)
They might have better things to do than that, but it doesn't mean it will stop them doing it. No Windows near my boxen, thank you.
> Besides, you should know how to audit your init scripts and copy your boot sector to a file you can check the md5 of at
> boot. If you don't know how, it's your fault.
Always blame the user. Maybe you will have someone break into your house and then they use the excuse "You should know how to stop me getting into your house. If you don't know how, it's your fault". So blame the victim and let MS off scot-free? That's the attitude that let them off with no monopoly punishment. Just remember not to call the police next time.
Re:i was under the impression (Score:3, Insightful)
With a perfect bug-free VM, neglecting slight performance differences that may or may not be detectable, you pretty much have to scan the compromised hard drive by plugging it into another PC (as unbootable, of course) running a clean OS to detect it (or at least that's my understanding, which could be wrong :) )
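The checks the thread keeps circling back to (hashing your boot sector against a stored copy, but keeping that stored copy where the suspect system cannot touch it, and running the comparison from a clean OS with the suspect disk attached as a non-boot device) can be put together as a small offline tool. This is an added example, not code from the paper or from any commenter; it assumes the suspect disk is exposed as a raw device or image path, and the sample sectors are constructed inline.

```python
"""Offline MBR integrity check (added example, not from the thread).

Assumptions: the suspect disk is attached to a clean machine and read via
a raw device or image path; the baseline hashes were recorded earlier and
kept somewhere the suspect system cannot write (e.g. removable media).
"""
import hashlib

SECTOR = 512
BOOT_CODE_LEN = 446          # MBR boot code precedes the partition table
PART_TABLE_LEN = 64          # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def sector_hashes(mbr: bytes) -> dict:
    """Hash boot code and partition table separately, so a report can say
    whether the bootloader changed or the disk was repartitioned."""
    if len(mbr) != SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    table = mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + PART_TABLE_LEN]
    return {
        "boot_code": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": hashlib.sha256(table).hexdigest(),
    }


def check_against_baseline(mbr: bytes, baseline: dict) -> list:
    """Return the names of the regions whose hash differs from the baseline."""
    current = sector_hashes(mbr)
    return [name for name, h in current.items() if baseline.get(name) != h]


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a device or image opened read-only."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR)


# Constructed samples: a 'clean' MBR and a copy with altered boot code.
def _sample_mbr(boot_byte: int) -> bytes:
    return bytes([boot_byte]) * BOOT_CODE_LEN + bytes(PART_TABLE_LEN) + MBR_SIGNATURE

CLEAN_MBR = _sample_mbr(0x90)        # NOP-filled placeholder boot code
TAMPERED_MBR = _sample_mbr(0xEB)     # same partition table, new boot code
BASELINE = sector_hashes(CLEAN_MBR)  # in practice stored off the suspect host

if __name__ == "__main__":
    print("clean:", check_against_baseline(CLEAN_MBR, BASELINE))
    print("tampered:", check_against_baseline(TAMPERED_MBR, BASELINE))
```

A clean result from inside a possibly virtualised OS proves nothing, which is the thread's point: the value of the check comes from running it from a separate trusted system against a disk that has not been booted.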
Just one problem: (Score:5, Insightful)
If your current operating system and security measures are good enough, such rootkits-with-virtual-machines are not even going to be able to be installed. Heck, as long as you don't have to log in as administrator to print out a document or surf the web, you're pretty safe.
And as soon as you notice your box could be r00t3d, you take it out anyway and don't trust it. And if you don't notice one of your boxes is generating extra traffic or doing things it shouldn't, you shouldn't have to have admin privileges anyway.
Re:Conclusion from Paper (Score:4, Insightful)
If the bastards already have enough access to be downloading and executing code on your machine, it is trivial for them to crash your box and make you reboot... assuming they can't just reboot your box out of hand.
Notice how one of their solutions is secure hardware?
I think we know why MS is funding this.
Re:I say we take off... (Score:3, Insightful)
Flashes your bios, writes your boot blocks, patches your microcode, wash, rinse, repeat, all that's left to do is nuke it from orbit, as the other guy said....
C//
Re:Link to research paper (Score:5, Insightful)
Almost trivially.
The whole point of TCPA is that "trust" is built in to the machine in a fundamentally inaccessible (to the user) way.
What is needed to defeat rootkits is to allow the user to trust the hardware. This is totally different from application vendors trusting the hardware.
Here's an extreme example: hook a logic analyzer up to the BIOS. Look at the nice bits go by. See if they match expectations. If not, you've been rooted and had your BIOS flashed. "Expectations" are stored in a separate device.
The issue here is strictly one of treating a computer as a fully self-contained block of hardware and software that no one is allowed or able to look inside without going through the terribly civilized interfaces. The solution is to say, "Fuck the fucking interfaces, I'm going to fucking look at what is on the fucking bus." Not civilized at all.
I've debugged embedded code this way, by hooking a logic analyzer up to the hardware and watching the bits go by. It's educational. It would be simple to build this kind of exposure of hardware internals in to the motherboard, to make it easy to plug in an external integrity checker to ensure that the basic state of the machine is as expected.
"Trusted" computing is all about hiding the hardware state from the user. Beating VM-based rootkits is all about exposing hardware state to the user. The two are diametrically opposed.
This will blow you off your chair (Score:5, Insightful)
This may very well astonish you, but such sophisticated infection mechanisms already exist and have already been demonstrated. See this rootkit concept overwriting your BIOS [ngssoftware.com] to create a permanent backdoor.
Note: removing the CMOS battery will not destroy this rootkit because the CMOS battery erases the NVRAM, not the BIOS flash chip. The only known way to recover from a BIOS rootkit is to reflash your BIOS... but what if the rootkit is intelligent and tries to re-corrupt the new image being flashed? This is a possibility. In this case your only option is to physically change the flash chip with a known good one. And don't forget that a modern computer has a lot of flash chips that can theoretically be infected: hard disk firmware, video card BIOS, DVD drive firmware, etc.
Re:Why is microsoft researching this? (Score:3, Insightful)
"Genuine Advantage for Vista" seems one possible application. So, what were we saying about the "Signs of the end times"?
Re:Why is microsoft researching this? (Score:5, Insightful)
Ummmm
Re:Link to research paper (Score:2, Insightful)
Parent "You don't know anything about TCPA. The whole point is to do a 'trusted boot' so that the state of the machine can be known and reported in an unforgeable way. This allows both users and remote parties to know that the machine is running a certain configuration, with no rootkits or malware installed."
No, you're the one who doesn't understand TC. When you boot a computer that complies with the whole TC spec, you have no idea what it's running because you can't trust the software that purports to tell you about it.
To boot into trusted mode, you have to be running signed binaries provided by the holders of the attestation key. They may claim to give you source but you can't verify that it's the source of what's running because you can't compile it and replace the signed binary and then get into "trusted" mode.
Therefore you have no idea what the software is doing, no control over what it does, and no way to verify whether it's telling you the truth about anything. It's true that "the state of the machine can be known and reported in an unforgeable way", but the claim that "This allows both users and remote parties to know that the machine is running a certain configuration" is your lie. Only to the key holders is the state known. Non-key-holders including the owner of the hardware are shut out of this knowledge and from control of the machine.
You're either ignorant or a corporate shill. Your phrase "with no rootkits or malware installed" invokes the "big lie" of so-called "trusted computing", the idea that it protects "security" for the owner of the hardware. In fact it abolishes the possibility of security for the owner of the hardware. TC itself is the ultimate trojan for the reasons explained here.
Re:Why is microsoft researching this? (Score:5, Insightful)
Re:Just one problem: (Score:1, Insightful)
Re:Just one problem: (Score:3, Insightful)
Since admins running Unix-like systems mostly operate as non-root users, wouldn't it then be possible for malware to lurk in the background of the non-privileged sandbox until you sudo/su and then use the newly gained privileges to wreak havoc/gather intel and hide itself? In a non-root sandbox the malware process would likely show up in the process list, but who can honestly say that they check the process list each time before they become root? Also, malware naming itself like a common process (or the same as a process which already occupies the list), like bash for example, would make a casual glance likely to disregard that listed entry.
Disclaimer: I don't pretend to know the intrinsic details regarding privilege escalation in *nix, so this thought might well be nothing but nonsense.
Re:Stephen R. Donaldson of all people. (Score:3, Insightful)
The Gap is also interesting because it's based on The Ring of the Nibelung (I think) and explores the concept of obtaining and losing absolute power (with omni-corporation instead of omni-being) and the exploration of victim/villain/rescuer and how they trade roles with each other during the story. All in all it's a fantastic story.
Re:I say we take off... (Score:4, Insightful)
Well, if you take a suspect disk, put it in a clean machine and then boot from the suspect disk then you're not just boned.... you're too stupid to be an investigator.
Re:I say we take off... (Score:3, Insightful)
Support for new CPUs that didn't exist but are perfectly compatible with the chipset.
The BIOS does more than just load the OS. It sets up the chipset as well. Some of it in ways that the OS can't do anything about easily. There are a number of settings in the chipset and CPU that require a reset to take effect, so your computer likely resets a couple times before you even see the BIOS screen.
All of this has to be done by the BIOS, and if there's a bug in any of it, you need to update the BIOS.
Re:Why is microsoft researching this? (Score:3, Insightful)
Please, be fair. First, it's not like MS released a rootkit; they just did a proof of concept internally. Second, it's sound engineering to figure out how a system can be exploited before it actually is. That allows you to prevent the problem before it occurs in a malicious context.
If MS had kept this to themselves, then there'd be a story here about how MS is keeping known security flaws private. I've seen that exact same criticism of Cisco Systems on here before.