Forgot your password?
typodupeerror

Joanna Rutkowska Discusses VM Rootkits 105

Posted by Zonk
from the not-ready-for-it-cap'n dept.
Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"
This discussion has been archived. No new comments can be posted.

Joanna Rutkowska Discusses VM Rootkits

Comments Filter:
  • Hmm, I guess this 'expert' doesn't realize that virtualization in hardware has been with us since the 80386 first came around. It handled a virtual 8088 quite nicely....
    • by AKAImBatman (238306) * <akaimbatman@[ ]il.com ['gma' in gap]> on Friday October 27, 2006 @04:40PM (#16615010) Homepage Journal
      I guess this 'expert' doesn't realize that virtualization in hardware has been with us since the 80386 first came around.

      Virtual 8088 mode was not comparable. The 8088 virtual machine was entirely controlled by the 80386 software, and was not able to affect the 80386 in any dangerous fashion. The best one could have done was build an 80386 program to "rootkit" an 8088 Operating System. Considering that the OSes of the day (e.g. DOS) didn't have security to begin with, I'm not sure what you would have gained.

      Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

      Of course, the Blue Pill may work a bit different. I haven't studied it. But there is at least a potential for abuse here.
      • In the Intel world, maybe. But the 68020 was self-virtualizing, though it required an external 68851. The 68030 was fully self-virtualizable without an external MMU.
      • Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

        I don't see how that is possible. If something is running on top of the OS, it should be subject to the OS.

        Something running beneath the OS would be able to control the OS.

        The "Blue Pill" stuff she's talking about starts above the OS, but then it (supposedly)

        • Wouldn't that be "beneath" it?

          Beneath it, above it, outside of it, however you want to describe it. Yes, the malicious rootkit would be the host, and the regular OS would be the client. :)
          • Yep, the rootkit is the host OS and it runs the original OS as a guest OS, on a virtual machine.

            I just don't see how she can accomplish that. And accomplish it in an undetectable fashion. Particularly given the state of hypervisors today. If it's difficult to do in a controlled environment today (run Win2003 with SQL 2005 in a hypervisor on Linux and see what hoops you have to jump through and what your performance is) I don't see it being a threat in the wild.

            Seriously. If she can do this, then she's just
            • Re: (Score:3, Informative)

              by Sancho (17056)
              It's not really that easy.

              The way the rootkit works (and this particular MMU in general) is by allowing direct hardware access to the virtualized host. That is, under the rootkit scenario, if Windows makes a call to the video card to do anything (from getting EDIC info to rendering 3d), the MMU passes the request directly to the graphics hardware. Windows still needs to know how to talk to the hardware--because Windows uses a driver to make the call.

              Only a few instructions must (by design) be trapped and
              • It's not really that easy.

                That's my point. She seems to be saying that this is easy. And that it is undetectable.

                Yet when I start pointing out the obvious benefits of her system, suddenly it isn't as "easy" or "undetectable" as it was before.

                Because the "guests" can talk directly to the hardware, all of your devices are theoretically supported, as long as your client OS supports them.

                No. When the guest OS's have direct access to the hardware such as the video card or network card, the "threat" breaks down.

                I

                • by Sancho (17056)
                  It still depends on a lot of things. You say:

                  If my "cracked" OS has direct access to the NIC, then I can monitor what is sent over it. I can tell if the "Blue Pill" has cracked my box and is calling home.

                  Maybe, depending on how much and /what/ the MMU is hiding. For example, current rootkits may hide their processes, may patch netstat to hide sockets, and probably does this through hiding syscalls. A rootkitted MMU could use a the system's drivers and syscalls to do the dirty work, just like a standard r
                • How the malware instruments the system is to place traps in code paths of the guest system. So the hypervisor could temporarily take control during a TCP/IP queuing operation and copy buffers into it's own personal private area... and it could leak that information out later (replacing "leaky" outbound backets, say DNS or ARP, with this key information before they get checksummed).

                  You could detect this using timing tests, but it's not reliable. You need a good "before" profile which may be impossible to obt
                • by aminorex (141494)
                  You seem to be describing systems before the VZ ISA extensions were incorporated into chip designs. I guess "easy" is always going to be subjective and arguable, but "conceptually simple" and "practically feasible" might be taken to add up, when both are applicable, to "easy". Yes it requires a skilled practitioner. No, it does not require anything non-obvious to a skilled practitioner.
              • by kscguru (551278)
                One possibility is that the rootkit directly passes through all hardware - that's the "native" case (and actually required ... changing out the underlying hardware model while an OS is running is just short of impossible).

                Except ... she's wrong. Once you pass through underlying hardware, you regain the ability to detect the rootkit. How?

                For each page of memory:
                DMA the page into a buffer
                Compare that page against what reads to that page see

                If you ever find a difference, you're either in a hypervisor,

        • No, because then it would be an invisible rootkit underlord.
      • by Salsaman (141471)
        Why would I want that ? My systems run just fine without "virtualisation", and often times I need to access the hardware directly.
        • Why would I want that ?

          You wouldn't. The virus/rootkit would. The fact that the features exist are enough for it to exploit. If you were already running virtualization, you'd probably be safer.
      • by retro128 (318602)
        Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

        There isn't a great deal of information about how it actually works, but from I've been able to read from the author's blog, apparently when Blue Pill starts up it's able assert itself as a hypervisor and force the OS into running as a VM - dynamically, witho
        • by cookd (72933)
          Think about VMWare -- Windows doesn't royally freak out when it is running as a VM under VMWare.

          The hardware issue is very different for a rootkit versus VMWare. VMWare has to virtualize the hardware so that it can redirect the guest OS's calls to the host OS and make it play nice. A rootkit doesn't have to do this. It can let the "guest" OS directly access the hardware.

          The rootkit doesn't have to help the guest OS share the hardware with another OS. All it has to do is hide itself and watch for interes
          • by retro128 (318602)
            Think about VMWare -- Windows doesn't royally freak out when it is running as a VM under VMWare.

            But it would if you changed it from a host OS to a guest OS without rebooting it. Or even if you did reboot it for that matter. That's what I was wondering about.
            • by cookd (72933)
              How is it even going to know? Nothing really changes except that the processor is now in the VM mode. Since Windows doesn't look at the VM mode bit, as far as Windows can tell, nothing has changed.

              Not to say that pulling this off is easy... Just that the challenge is not in fooling Windows or preventing it from freaking out.
              • by retro128 (318602)
                Well, this is where my ignorance of the inner workings of CPU-based virtualization comes in. I thought that perhaps VM mode on the processors might abstract a common hardware set a la VMWare. ie. Let's say you're running on an Intel 975 chipset and now all of a sudden it switches gears and turns into a BX chipset on the fly. That's what I'm talking about. But the more I read, the more I gather this does not happen, and identical hardware is "emulated" in VM mode on the CPU.

                With that said, you'd think the
                • by karlm (158591)
                  If you think you can always recover (or even decect) a compromise once the kernel has been commpromised, you're fooling yourself. All of this complaining is just knee-jerk reactions to suddenly discovering that the emperor has never been wearing any clothes.

                  The correct way to fight blue-pill would be to create a minimal hypervisor that always runs under windows, and only prevents new code from joining it in hypervisor mode.

                  Adding an instruction to check if you're inside a VM, without having that instr

      • by Cyberax (705495)
        Back in 90's resident anti virus programs were quite common. There WERE ideas to create a virus which will throw everything into virtual 8086 machine, but it was unfeasible because almost all programs used direct access hardware and it was impossible to virtualise it correctly.
    • by njdj (458173) on Friday October 27, 2006 @04:42PM (#16615048)

      Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early

      Virtualization was used in commercial machines as long ago as the early 1970s - IBM's VM/370 product was announced in 1972. The amount of hardware assistance for the virtualization depended on the 370 model. But this was the same kind of virtualization as recently introduced by Intel. You could run multiple different IBM operating systems under VM/370, and you could even run VM/370 under VM/370.

      • by timeOday (582209)
        But there is an enormous difference between the computing environment of a mainframe in the 60's and a $250 PC today. I would daresay that not only is the PC much faster, but it lives in a MUCH more hostile environment. And instead of a professional staff to configure and operate it, you get... not much.

        That said, I don't understand the new virtualization features anyways. I'm a longtime VMWare Workstation user, and was hoping for a big performance boost due to hardware virtualization support with my n

        • by Sancho (17056)
          My wife just got a new Macbook. I haven't put Windows on it natively, yet, but I did try Parallels. Saying that I felt like I was running native Windows would be an understatement. It was the snappiest "emulation" I've ever seen.

          Frankly, I was expecting to be disappointed. Parallels seemed like a lot of hype. Not so! The only drawback is a lack of snapshot support, which I feel is somewhat necessary if you're doing development.
          • by Extide (1002782)
            I use VMWare daily for work, and I can tell ya that v5.5+ is amazingly fast. It sure feels as fast as running native. Previous versions of VMWare (5.0 and below) had some noticeable lag. I do support for LANDesk, so I need to have ~6-8 VM's running on a box at a time, usually 1-2 clients are XP Pro and the rest 2003s running a LANDesk core and MSSQL database. This stuff can really bring a modern day pc to its knees quickly. So far what I have found is that disk I/O FAR outweighs the CPU as a bottleneck in m
            • by Sancho (17056)
              That's a fair counter. I can't claim that VMWare isn't good--it is. But to really test it, I'd need to use Bootcamp on my wife's Macbook--something I don't think she's particularly interested in!

              I use VMWare daily at my job, too (Linux is the host, though). I only have 1gig of RAM, so that's probably my limiting factor. Nevertheless, it feels more sluggish to me than the Macbook does.

              Relative specs: P4-3.2GHZ vs CoreDuo 1.87GHZ, 1gig ram in each machine, slightly faster hard drive on the Linux box. I
      • Abd the 370 was the second generation of such machines, the first implementation was on the 360
  • Nothing for you to see here. Please move along.

    Gahh, NO! You can't force-virtualise my mind!

  • One of the questions there is
    Why should we be worried about stealth malware? Do you see this as a big trend going forward?

    To which we received only a half baked answer. Why didn't she say more about this?

    Personally, however, I think it's mostly irrelevant to discuss whether this going to be a big trend or not. It's not about whether 100 companies or 100,000 companies are going to be infected next year using targeted, sophisticated attacks using "Stealth by Design" malware (i.e. one which does not creat
  • It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.

    I could give a damn what the major operating system vendors are unable to do. I'm more worried about what the hobbyist operating system authors are able to do.

    • Isn't that kinda her point? She is trying to underscore the fact that the major O/S's haven't utilized these features and that someone else might... and it could be for less than noble reasons.
      • by drinkypoo (153816)
        No, what I'm saying is I could give a fuck if every windows and mac system in the world is compromised and rooted. I don't have any data I want to keep private on my work computer, and my home machine runs linux. :P (Also, it doesn't have hardware virtualization features, heh heh. But I'd feel the same way if it did.)
        • by bigberk (547360)
          You're going to care a lot more once all those infected zombies eventually clog and spam the internet to the point where the global hostile environment impedes upon your own use. Does email spam bother you? You are getting that spam because of infected windows hosts. There are no more UNIX open relays. That spam is coming from worldwide windows installations.
    • I think that is taking a somewhat simplistic perspective. It doesn't really matter whether the major OS products make use of virtualization. The entire point of a successful rootkitting is leaving no visible trace of your presence. A well crafted rootkit would take hold from the bootprocess, virtualize the environment and then load the operating system. Thus - who cares if Microsoft, Linux or Apple makes use of virtualization, if the rootkit detects an appropriate target loaded into its context ... BAM,
  • I would say that few, very few are actually using the hardware virtualization. For that matter, VMWare (or other VM products) are still not considered main-stream. This author is accurate on her assertion that this technology may have been released early.... at least in the extent that there is little other technology that makes use of it.
    But honestly, isn't that what drives a market? I know that the jury is still out on this specific technology, and it may never see its full potential... this isn't to s
    • by shawnce (146129) on Friday October 27, 2006 @04:38PM (#16614986) Homepage
      I would say that few, very few are actually using the hardware virtualization.
      That is not her point. It doesn't matter if software does or not exist exists that uses the capabilities of the hardware.. the issues is that operating systems are running on hardware that has virtualization capabilities built-in but the operating system aren't really tooled to properly secure this capability to prevent it being used to subvert the operating system.
    • by spun (1352)
      We use VMware on IBM Blades. Very many other businesses are doing the same. All the CIO management rags are all abuzz over VM. Your workplace is indeed a little behind the times.

      You do know that it doesn't matter if people are using hardware virtualization, right? All new Intel and AMD chips have it, whether you use it or not, it's there for a rootkit to exploit.

      There are several other VM packages that also use the hardware VM. Xen is one, and it's open source. And in any case, it's not about how VMWare or
      • Re: (Score:3, Informative)

        by Foolhardy (664051)
        Have you seen Clock in a Linux Guest Runs More Slowly or Quickly Than Real Time [vmware.com]? It can happen when the 2.6 kernel requests more interrupts for the purposes of clock updates than the host can provide, especially if the host is Windows. The kernel will try to compensate for lost ticks, but this doesn't always work correctly. The main solution is to set the clock interrupt rate back to 100Hz like it was in the 2.4 series (requiring a kernel recompile).
        • by spun (1352)
          Thank you! This is going to really, really help us here. I've tried the other VMware recomended solutions like using the VMWare tools clock synch feature with no luck. I will definitely try this.
        • Even then, I've experienced problems with it. On the Intel box at home, Workstation runs absolutely perfectly and keeps flawless time. At work on the AMD X2 box, you can feel a vacuum from the temporal displacement going on there - it will gain at least six hours per day, and I've tried everything I could find, including the link you offered. I eventually ended up just working around it by re-syncing anytime I did a build at work, and practically it's more of an annoyance than a real problem.

          From what
          • by TheLink (130905)
            Set your kernel to use idle=poll

            Your cpus will run warmer, but they will be in sync.
      • by martinm_76 (22905)
        On my Linux machines using 'clock=pit' as a boot option is all it takes (and then letting the vmware tools sync to the host, of course :))

        I didn't see this mentioned in the other replies so I thought I'd mention it.
    • by Sancho (17056)
      Every Mac has hardware VM in it. I'm not sure, but I believe it's on by default, too. Just because the OS or user doesn't use it, doesn't mean that rootkits can't.
      • by Firehed (942385)
        Which is why it's a good thing that a whitehat discovered the flaw. My understanding is that she alerted MS and Apple so that they can make apporpriate changes to their OS and patch the hole (in effect, basically initialize the VM during boot and keep it reserved until a valid request is made, in effect just beating the rootkit). Steve Gibson and Leo Laporte explain [www.twit.tv] it a bit better than I can.
        • by jesboat (64736)
          What happens if some virus overwrites the portion of the OS responsible for reserving the virtualization? It becomes just as undetectable on the next reboot.
    • It has more to do with concepts like Xen 3+ or VMWare ESX server, specifically.

      On your hardware assisted virtual machines, your guest OSs run "native", in that you can give them access to actual hardware and they directly manipulate page tables. A hypervisor makes it possible for more than one guest (with an associated group of tasks, GDTs and LDTs, etc.) can feel like they have the whole box. You can emulate hardware that you can't or won't dedicate to each guest (say a common network interface, iSCSI volu
  • by mmell (832646) <mike.mell@gmail.com> on Friday October 27, 2006 @04:36PM (#16614956)
    It starts as immature technology. Sure, you work with it in a lab for as long as you're able, but at some point you have to expose your work for all to see (and hammer away at).

    In software, we used to have a saying, "No program is ever complete, but it has to go to market sooner or later."

  • by adolfojp (730818) on Friday October 27, 2006 @04:47PM (#16615138)
    You are missing the point guys! I don't know who she is or what she is selling but if she is a geek and looks like this
    http://common.ziffdavisinternet.com/util_get_image /13/0,1425,sz=1&i=135407,00.jpg [ziffdavisinternet.com]
    http://static.flickr.com/66/206241643_d48861f49c.j pg [flickr.com]
    I am subscribing to her newsletter. ;-)
    • by Anonymous Coward on Friday October 27, 2006 @05:31PM (#16615812)
      Yeah, I'd root her box, all right. Penetrate her firewall. Invade her deep logic. Assert administrative privileges and disable all virus protection. Reconfigure her RAID array with a dedicated controller. Put new batteries in her UPS. ... Wait, what were we talking about?
      • by glwtta (532858)
        ... and disable all virus protection

        That one's not a good metaphor.
      • Re: (Score:3, Funny)

        by fbjon (692006)
        Assert administrative privileges and disable all virus protection.
        Now that is just vile.


        I almost feel like posting a lengthy rant on the immaturity of the average slashdotter, and the repellent factor it has towards women in the industry, like has been discussed before here. This post would be the poster child. But...


        .. I laughed too. Damn you, hypocrisy!

    • Hate to interrupt your private moments, but that appears to be a ring. ;)
    • by dubbreak (623656)
      Looks kinda like Rachael Leigh Cook in antitrust [imdb.com]. Wish I new some gui designers that looked like her.
    • by Nicolay77 (258497)
      I'll tell her:

      sudo do me a blowjob
    • by ameline (771895)
      I'm sure she gets this all the time. And I'm sure it wore somewhat thin very quickly.

      I wish I had mod points -- I'd mod you all down.

      Respect and admire her for the brilliance of her work -- leave the gender issues out of it.

      Oh, and remember -- this is /. -- not fark.

      • Lighten up. You'll notice that outside of the crude^H^H^H^H^Hplayful comments, she's being admired primarily because she is intelligent. Being attractive AND intelligent vaults her into a category that is often spoken of, but rarely witnessed. The fabled she-nerd.

        And if you think any woman grows weary of admiration, well...that's just plain silly.
      • Re: (Score:3, Insightful)

        by bigberk (547360)
        I'm sure what she dislikes is rude, immature male attention. And she probably dislikes people ignoring her or not taking her seriously because she's a woman (a well known phenomenon of gender prejudice in academia) ... but I'm sure she has no problem with compliments that point out, not only is she an intelligent and skilled researcher but she is also quite attractive. A fantastic combination IMHO
        • by smallpaul (65919)

          I'm sure she has no problem with compliments that point out, not only is she an intelligent and skilled researcher but she is also quite attractive.

          It is just as likely that she wants people to concentrate on her ideas and not focus on her looks. You're not in her head and neither am I. What we do know for sure is that it isn't going to offend her or other female readers if we focus on the technology issues. So why don't we do that and leave the catcalls for wrestling fans and strip club patrons.

  • I think she's mostly right. If you're migrating your OS to a chipset that enables virtualization, you bloody well better make sure code run on top of your OS can't take over and become the hypervising OS. I rather assumed that this was the case, but it seems I was mistaken. Upon reflection, I realize I have no clear idea of how the hypervisor is determined and what it takes to get code running in that mode. My laptop is running OS X with parallels using the VM technology to run Linux and Windows. I assumed

  • I have had a couple machines infected with non VM based rootkits. Those were bad enough. The only reason I caught them was binaries like netstat were segfaulting. A VM based rootkit would be awful. Servers could run for years with no sign that the host machine is infected.
  • Seriously, what major OS vendors?

    Most architectures other than x86 in common use today either have supported virtualisation for years or don't at all. In either case, the "problem" as described is unique to the x86-64 architecture.

    And there's only one major OS vendor there. Almost everyone else is using a kernel which by its very nature is open to all - so as soon as the issue is addressed, it will be available to all.
  • Just wrote a VM for the bios and reflash it. Any os installed will run under it and I will have full control. Kind of scary because it would be impossible to detect and malicious enough would be impossible to get rid of unless you throw the whole computer away.
  • From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'

    If chips weren't available (publicly, not just a few samples to big OS vendors), the OS vendors wouldn't have bothered to even start t

  • by no_pets (881013) on Friday October 27, 2006 @05:01PM (#16615344)
    I must admit that my only experience in hardware virtualization comes from IBM AS/400 and RS/6000 environments. But, if hardware virtualization is (mostly) ready on the PC and PC OSes could make use of it, it could hurt PC manufacturers such as Dell.

    What I'm getting at is many families are getting multiple PCs in the house now. One (or more) for the kids and one (or more) for the parents. Most of these people are just browsing the web, checking email, low CPU usage things. What if, like on these enterprise class platforms, you could order one PC with a dual core (ore more) CPU, two (or more) keyboards, monitors, mice then slice up the processing power in two then run two OSes and basically have 2 virtual PCs out of the same hardware?

    It may not save money just running 2 virtual PCs but if it could run 3 or 4 it should save money once they get into mass production.
    Okay, this is slightly OT but someone mentioned that there isn't much use for this technology at the consumer level but I disagree. Of course a rootkit running on top of it all wouldn't be good.
    • Backstreet Ruby (Score:2, Informative)

      by foobsr (693224)
      You could have it for quite a time, just an example [demon.co.uk].

      But dou you honestly think that anyone would market that? Instead, overtime to buy multiple whatevers is proposed to be the best.

      CC.
  • Did you hear that? Something like the sound of thousand geek rushing to their bathrooms... Sorry guys, but you know it`s true :p
  • I don't use any anti-virus products to secure any of my machines. The reason--I just don't like their approach, which is to block only known malware.

    Riiiiiight... So, for fear of future threats, we should totally ignore current ones? Why do I not feel inclined to take advice from this person?

    Overall, she makes a good point about how vulnerable current systems seem to VM rootkits. I disagree about the recentness of VM tech (we've had it in the x86 line since the 386, and in Big Iron for almost half a
  • Blue Pill (Score:3, Interesting)

    by Jim Buzbee (517) on Friday October 27, 2006 @05:12PM (#16615502) Homepage
    There's an interesting feasibility discusison of Blue Pill Here [virtualization.info]
  • I was a big fan of VM, in particular IBM's version of it back in the 70-80s. It did exactly what we are seeing today - it allowed you to run multiple OS(s) of your choice AND depending on the hardware you had it gave various performance boosts via hardware assists.

    BUT, in the long term, I only saw it used as a solution to solving temporary problems. It was used often when customers were migrating from/to other IBM Operating System (DOS to MVS). It was used to temporarily house a new OS build while new hard
    • by foobsr (693224) *
      Quote from "z/OS Workload Manager: How It Works and How to Use It"

      The z/OS Workload Manager (WLM) component introduces the capability of dynamically allocating or re-distributing server resources, such as CPU, I/O, and memory across a set of workloads based on user defined goals and their resource demand within a z/OS image. Looking over the fence of the z/OS image the Workload Manager is able to perform this function also across multiple images of z/OS, Linux or VM operating systems sharing the zSeries
    • by Sloppy (14984)

      It will never be mainstream and always just be a solution available and appropriate for a few temporary problems.

      I disagree.

      The reason the mainframe virtualization of the 1970s didn't become "mainstream" was simply due to the fact that the mainstream can't afford mainframes.

      If a major player in the OS (or even server app) market decides to use virtualization as a security/compartmentalization technique, then use of the feature will spread like wildfire. It'll be just another feature like chroot or ja

  • The thing I don't get about the "blue pill" threat, is that I ass/u/me that you have to be running in Supervisor mode in order to install a hypervisor. True?

    If no, then it sounds like the virtualization "feature" is really a bug -- a way around the supervisor/user distinction. So yeah, I see a threat, but it's such a glaringly huge and obvious one that I can't believe the designers didn't anticipate it. And that's really what it comes down to: I don't believe it. If anyone tells me user mode is able t

    • Vista 64's driver signing system is touted as preventing rootkits. Security researchers trust Microsoft that driver signing will help with this. However, as the parent poster says, once code is running at supervisor level it's all over. It's absurd to try to make administrators not administrators. Also, why are corporations magically trusted but not the computer's owner?

      The whole thing is really about DRM, protecting wmplayer.exe from debuggers' eyes. (Of course, you could just virtualize the whole OS
      • by Sloppy (14984)

        I found two more attacks against their digital signature system .. Since I now know it's DRM related, it would be a felony for me to disclose it to anyone but Microsoft

        Are you really sure about that?

        DMCA violations are felonies, and disclosing details (as opposed to "trafficking in" actual implementations) isn't a violation anyway, and there's also a quite a bit of lattitude about what the "primary purpose" of an implementation would be, anyway. If there aren't already products on the market that depend

  • by Animats (122034) on Friday October 27, 2006 @06:42PM (#16616636) Homepage

    Before an attack can install something like "Blue Pill", it has to be running in kernel mode. At that point, it already has full control of the machine. The only question is what to do with that control. Installing a hypervisor underneath the OS is kind of neat, but there are lots of other things to do.

    What this does demonstrate is that after-the-fact malware detectors are a dead end.

    There's a great comment in the article:

    The solution (includes) checking all the possible "dynamic hooking places" in kernel data sections.

    (This) is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.

    In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger).

    Now that's a big part of the problem - Microsoft's use of "dynamic hooking", or places where user code can insert callbacks which privileged code might access, is so messed up that security researchers can't even find all the places where it is allowed. "Dynamic hooking" is really a lame method of interprocess communication left over from the DOS version of Windows. It should never have made it into NT/W2000/XP/etc.

    There's less of a temptation to do this in open source operating systems, since, if you really need to legitimately add a feature, you can put it in the source, rather than tapping into some binary. The Linux netfilter/ipchains mechanism offers a "dynamic hooking" attack vector into the kernel, though, so Linux isn't immune to attacks of this type.

  • ... when I ask: Is she HOT ?
  • Joanna ROOTkowska
  • Not ready? (Score:3, Insightful)

    by Schraegstrichpunkt (931443) on Friday October 27, 2006 @11:07PM (#16619044) Homepage

    Major operating systems aren't ready for virtualization? We could have used virtualization five years ago.

    The only OS that has any sort of problem with virtualization is Windows, and there is no reason to believe that Microsoft would have suddenly fixed thingsif hardware virtualization had been put off for another 5-10 years.

  • by Anonymous Coward
    Blue Pill is bullshit. Don't believe me, believe the experts:

    o Keith Adams, of VMware fame (binary translation and Intel VT work): http://x86vmm.blogspot.com/2006/08/blue-pill-is-qu asi-illiterate.html [blogspot.com]
    o Anthony Liguori, of Xen fame (paravirtualization work): http://www.virtualization.info/2006/08/debunking-b lue-pill-myth.html [virtualization.info]
    • "Blue Pill is the prototype resulting from a security study made by Joanna Rutkowska, which took advantage of new virtualization capabilities of AMD processors (known as SVM and previously as Pacifica) to inject a rootkit in a running [virtualization.info] Vista operating system"

      When people have to resort to abuse to support their argument it makes me suspect that they are trying to distract from the facts. Adams don't actually debunk blue-pill, he calls the research quasi illiterate gibberish and accuses the researcher of a

The shortest distance between two points is under construction. -- Noelie Alito

Working...