new rootkit based on VT....

drag

Elite Member
Jul 4, 2002
They've known this for a long time. It's just people trying to drum up publicity for themselves.

"Joanna Rutkowska, security researcher extraordinaire,"

See? It's the Inquirer being slightly sarcastic.

We already have a solution. It's called Trusted Platform Module and it is specifically designed so that it can't be abstracted by a Virtual Machine environment. So software environments can utilize that in different ways to know if it's a VM or not. Also it should aid in checksums and other such things to ensure the purity of binaries you're using.. Like the kernel and/or hypervisor.

Of course like anything.. If you're in control TPM and such is good, if other people are in control then it's bad.
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
It begs the question - where does this rootkit come from? A CD? A specific website? ???
 

ProviaFan

Lifer
Mar 17, 2001
Originally posted by: drag
Of course like anything.. If you're in control TPM and such is good, if other people are in control then it's bad.
Agreed 110%! :thumbsup:
 

MDme

Senior member
Aug 27, 2004
"We already have a solution. It's called Trusted Platform Module and it is specifically designed so that it can't be abstracted by a Virtual Machine environment. So software environments can utilize that in different ways to know if it's a VM or not. Also it should aid in checksums and other such things to ensure the purity of binaries you're using.. Like the kernel and/or hypervisor."

Didn't know TPM did/could do that. But what about current AM2 CPUs? I don't think they have TPM yet. Intel CPUs? do they have that now?
 

mechBgon

Super Moderator | Elite Member
Oct 31, 1999
example of TPM-equipped AMD system

As for "how can we stop this," how do you stop other kinds of malware? I'm no expert, but I doubt that even this super-rootkit can be installed by magic or telepathy. Or if it can be, well, two can play that game!! :evil: *begins crafting a level-5 Defend spell around the computer*

...darn, this spell calls for pizza, and I'm all out :( Fortunately I have Socket939.

So I'd follow best practices: use the least-privilege approach, don't install or execute stuff willy-nilly, keep my system patched and firewalled and anti-virused. Stop it by never letting it get started, just like the security-scanning people at the airport will take away anything that could be used as a weapon before you even reach the boarding gate, let alone get onto the aircraft.

I suppose the system could come pre-infected from the factory, of course. In that case you still could look for evidence of hanky-panky (unusual network activity, for example).
 

drag

Elite Member
Jul 4, 2002
Trouble with this one is that even formatting your hard drive and reinstalling from scratch won't get rid of it on some types of machines.

That is if you notice that you're infected in the first place.

No virus scanner will ever detect it. No anti-malware. No toolkit from Microsoft or any other vendor. Even booting up a separate CD-ROM-based operating system and running checksums on every single system binary won't detect it. (unless you're leveraging TPM stuff... And even IBM has developed a way to abstract those. (IBM is the unquestionable king of virtual machine environments.. Their tech is at least 10 years ahead of everybody else's. Intel/Xen designed their VM stuff around mainframe-centric documentation/publications put out by IBM years ago.))

Previous kernel-level rootkits are undetectable by any sort of software you could possibly install on your system.. Even running checksums on binary files won't find them. But you can detect them if you boot up a separate CD-ROM and run checksums on your system files. (Tripwire is something that is designed for this and is commonly used in Linux-land) But with a VM-level rootkit even this is suspect, theoretically.

You try to boot up the CD-ROM and it will work 100% perfectly, but you could be booting up on a hypervisor and not know it. Theoretically.

That's what is so remarkable about these sorts of attacks.
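The offline check drag describes, booting a separate medium and checksumming the system's files against a stored baseline, as an added Tripwire-style example (this is not code from the thread or from Tripwire; the sample tree and file contents are constructed):

```python
# Offline integrity check of the kind the post describes: hash every file
# under a tree (the suspect system's partitions mounted read-only from a
# separately booted live CD), keep the baseline, diff a later run against it.
import hashlib
import json
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file (path relative to root) to its SHA-256."""
    root = Path(root)
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue  # hash file content only, not links or devices
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline

def compare(baseline, current):
    """Return (modified, missing, added) paths relative to the baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    added = sorted(k for k in current if k not in baseline)
    return modified, missing, added

def demo():
    # Constructed sample tree standing in for a mounted system partition.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF original ls")
        (root / "bin" / "ps").write_bytes(b"\x7fELF original ps")
        baseline = json.loads(json.dumps(build_baseline(root)))  # as if stored off-box
        (root / "bin" / "ps").write_bytes(b"\x7fELF trojaned ps")  # simulated tampering
        (root / "bin" / "evil").write_bytes(b"\x7fELF extra")  # simulated drop-in
        return compare(baseline, build_baseline(root))
```

The baseline only means something if it was taken from a known-good install and kept off the machine; as the post notes, a hypervisor underneath the live CD could in principle present unmodified files to the checker.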
 

ProviaFan

Lifer
Mar 17, 2001
Originally posted by: drag
...

You try to boot up the CD-ROM and it will work 100% perfectly, but you could be booting up on a hypervisor and not know it. Theoretically.

That's what is so remarkable about these sorts of attacks.
Wouldn't that require the rootkit to modify the BIOS so that it loads itself before a CD-ROM is allowed to boot the system? Otherwise, I don't understand how the rootkit could be loaded if the CD-ROM were booted directly, entirely bypassing anything on the hard disk.
 

drag

Elite Member
Jul 4, 2002
Originally posted by: ProviaFan
Originally posted by: drag
...

You try to boot up the CD-ROM and it will work 100% perfectly, but you could be booting up on a hypervisor and not know it. Theoretically.

That's what is so remarkable about these sorts of attacks.
Wouldn't that require the rootkit to modify the BIOS so that it loads itself before a CD-ROM is allowed to boot the system? Otherwise, I don't understand how the rootkit could be loaded if the CD-ROM were booted directly, entirely bypassing anything on the hard disk.

Ya, basically.

With normal BIOSes they are too primitive to be affected much. That's why I said 'theoretically'.

For instance if you're using a system that has a more sophisticated system (Like Macintel's EFI system or pretty much any non-embedded non-x86 computer) that has more of an ability to interact with the host operating system this can be a threat.

Also since, by default, most BIOSes as you get them from bigger OEMs are generally set to boot from the hard drive first and CD-ROM second then it's likely that a person could program a hypervisor (being booted from the HD) to quickly have itself boot any CD-ROMs by default first. Hypervisors are typically very small and compact items.. It is likely that a person wouldn't notice one being loaded from the hard drive before it (the hypervisor) quickly boots up your CD-ROM.

This is, of course, less likely to work.. But if you're dealing with a human attacker rather than a dumb worm or malware or whatnot then it's pretty likely that it would be an effective way to try to prevent you from uninstalling the hostile VM.

It's more of a concealment thing rather than a preventative thing, though. If you don't know that the hostile VM is still there then it's likely you'd miss it, but if you know it's there after a format then it's not going to be able to prevent you from removing it.

Of course I may be mistaken, but that's my understanding of the whole thing.
 

Brazen

Diamond Member
Jul 14, 2000
this is the last straw, I'm throwing out everything with a chip in it and cooking my meals over an open fire.
 

cleverhandle

Diamond Member
Dec 17, 2001
This definitely isn't a new idea. In his book "Real World Linux Security" (which is interesting mostly for its stories), Bob Toxen describes how he, Doug Merritt, and Ken Arnold were working on a rootkit for Berkeley's PDP11 that would be undetectable by the sysadmins (namely, Bill Joy). Their idea? Run the kernel as a user process over a very thin and fast VM that would pass the majority of instructions straight down to the native hardware. It would thus be undetectable by the admins who would be working (unknowingly) inside the VM. And reboots, of course, wouldn't really be reboots.

They were stopped by a technical problem dealing with privileged instruction handling (that Bob later realized was circumventable anyway), but the idea is the same as in the article. The virtualization technology just makes it all a bit slicker these days.