Joanna Rutkowska Discusses VM Rootkits

Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created the 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"
  • by no_pets ( 881013 ) on Friday October 27, 2006 @05:01PM (#16615344)
    I must admit that my only experience in hardware virtualization comes from IBM AS/400 and RS/6000 environments. But, if hardware virtualization is (mostly) ready on the PC and PC OSes could make use of it, it could hurt PC manufacturers such as Dell.

    What I'm getting at is many families are getting multiple PCs in the house now. One (or more) for the kids and one (or more) for the parents. Most of these people are just browsing the web, checking email, low CPU usage things. What if, like on these enterprise class platforms, you could order one PC with a dual core (or more) CPU, two (or more) keyboards, monitors, mice, then slice up the processing power in two, run two OSes and basically have 2 virtual PCs out of the same hardware?

    It may not save money just running 2 virtual PCs but if it could run 3 or 4 it should save money once they get into mass production.
    Okay, this is slightly OT but someone mentioned that there isn't much use for this technology at the consumer level but I disagree. Of course a rootkit running on top of it all wouldn't be good.
  • by spun ( 1352 ) on Friday October 27, 2006 @05:05PM (#16615390) Journal
    We use VMware on IBM Blades. Very many other businesses are doing the same. All the CIO management rags are all abuzz over VM. Your workplace is indeed a little behind the times.

    You do know that it doesn't matter if people are using hardware virtualization, right? All new Intel and AMD chips have it, whether you use it or not, it's there for a rootkit to exploit.

    There are several other VM packages that also use the hardware VM. Xen is one, and it's open source. And in any case, it's not about how VMWare or Xen deal with the new hardware, it's how Windows and Linux deal with it. If mainstream OSs don't take steps to lock down the VM hardware, undetectable rootkits will be the result.

    As someone who has worked quite a bit with VMware, let me say that I am more concerned with its freakish inability to keep accurate time. I've got a cronjob running every five minutes to reset the time via ntpdate. Running ntp on the server won't help, the offset is too random and too large to compensate for. In the five minutes between runs of ntpdate, I've seen clocks be off by a minute.
  • Blue Pill (Score:3, Interesting)

    by Jim Buzbee ( 517 ) on Friday October 27, 2006 @05:12PM (#16615502) Homepage
    There's an interesting feasibility discussion of Blue Pill here.
  • by Animats ( 122034 ) on Friday October 27, 2006 @06:42PM (#16616636) Homepage

    Before an attack can install something like "Blue Pill", it has to be running in kernel mode. At that point, it already has full control of the machine. The only question is what to do with that control. Installing a hypervisor underneath the OS is kind of neat, but there are lots of other things to do.

    What this does demonstrate is that after-the-fact malware detectors are a dead end.

    There's a great comment in the article:

    The solution (includes) checking all the possible "dynamic hooking places" in kernel data sections.

    (This) is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.

    In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger).

    Now that's a big part of the problem - Microsoft's use of "dynamic hooking", or places where user code can insert callbacks which privileged code might access, is so messed up that security researchers can't even find all the places where it is allowed. "Dynamic hooking" is really a lame method of interprocess communication left over from the DOS version of Windows. It should never have made it into NT/W2000/XP/etc.

    There's less of a temptation to do this in open source operating systems, since, if you really need to legitimately add a feature, you can put it in the source, rather than tapping into some binary. The Linux netfilter/ipchains mechanism offers a "dynamic hooking" attack vector into the kernel, though, so Linux isn't immune to attacks of this type.
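The "finite list of hooking places" idea in the comment above, as an added illustration that is not part of the original thread or of any product discussed: a user-mode model of a kernel dispatch table (hypothetical names, constructed handlers) that is snapshotted at a known-good moment and later re-checked entry by entry, which is how anti-rootkit tools detect Type II hooks in kernel data. Note that this kind of check only covers modifications to the OS's own data; a hypervisor sitting beneath the OS, as Blue Pill does, is outside what it can see.

```c
#include <assert.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of one "dynamic hooking place": a table of function
 * pointers that privileged code calls through (hypothetical names). */
typedef int (*handler_fn)(int);

static int legit_read(int x)  { return x + 1; }
static int legit_write(int x) { return x + 2; }
static int legit_ioctl(int x) { return x + 3; }
/* Constructed stand-in for a hook: wraps the original so callers notice nothing. */
static int rogue_hook(int x)  { return legit_read(x); }

#define TABLE_SIZE 3
static handler_fn dispatch_table[TABLE_SIZE];
static handler_fn baseline[TABLE_SIZE];   /* known-good snapshot */

/* Fill the table and take the baseline snapshot (done at a trusted moment). */
void init_table(void) {
    dispatch_table[0] = legit_read;
    dispatch_table[1] = legit_write;
    dispatch_table[2] = legit_ioctl;
    memcpy(baseline, dispatch_table, sizeof baseline);
}

/* Simulates the effect of a hook: one entry overwritten in place. */
void simulate_hook(size_t idx, handler_fn fn) {
    if (idx < TABLE_SIZE) dispatch_table[idx] = fn;
}

/* 1 if the entry no longer matches the snapshot, else 0. */
int entry_modified(size_t idx) {
    return idx < TABLE_SIZE && dispatch_table[idx] != baseline[idx];
}

/* Walk the whole hooking place; the count is what a scanner would report. */
size_t count_modified(void) {
    size_t n = 0;
    for (size_t i = 0; i < TABLE_SIZE; i++) n += (size_t)entry_modified(i);
    return n;
}

/* Remediation once a hook is found: put the snapshot back. */
void restore_table(void) { memcpy(dispatch_table, baseline, sizeof dispatch_table); }

/* Full cycle: clean, hooked and detected, restored. Returns 1 on success. */
int self_check(void) {
    init_table();
    if (count_modified() != 0) return 0;
    simulate_hook(0, rogue_hook);
    if (count_modified() != 1 || !entry_modified(0)) return 0;
    restore_table();
    return count_modified() == 0;
}

int main(void) { assert(self_check() == 1); return 0; }
```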
