[cap-talk] Virtual Machine Based Rootkits
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Thu Aug 3 13:11:29 EDT 2006
Karp, Alan H wrote:
> Joanna Rutkowska is the name I've seen associated with this attack,
> which is frequently called Blue Pill, from the Matrix. She has
> demonstrated a running version on Vista x64 and is presenting at Black
> Hat today. According to reports, she was able to install the rootkit on
> a running system, no reboot required.
> http://www.eweek.com/article2/0,1895,1983037,00.asp is a news article on
> the subject.
>
> The key point is that you're both right. You are safer if you use a
> virtual machine to run Windows. However, if your base system gets
> infected, virtualizability assures that there is no mechanism by which
> the OS can detect the attack.
That's not quite accurate; most VMMs are detectable, and AFAIK all VMMs
that run on x86 hardware (VT, Pacifica or otherwise) are detectable.
It is true to say that a guest OS cannot reliably detect a VMM in a
way that is useful to prevent this kind of rootkit attack, in general.
After all, we don't want guest OSes to refuse to run under any VMM;
that would be more counterproductive than helpful. Also, such a
detection mechanism could be circumvented, if the attacker writes
his/her code after the defender (and I believe this to be more practical
than Jed does).
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>