Spyware Confidential

Larry Dignan, Jason Perlow, Tom Steinert-Threlkeld

This is spooky - virtual machine rootkits

By | March 10, 2006, 8:14pm PST

This sounds so far out - rootkits are bad enough, but now we have to worry about virtual machine rootkits.

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Details of the article are here, and the research paper by the Microsoft and University of Michigan team is here (PDF).

We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system.

Slashdot discussion here.

Biography

Suzi Turner is webmaster and owner of SpywareWarrior.com, a comprehensive site that includes a spyware help forum, spyware blog and reviews of anti-spyware software by noted spyware expert Eric L. Howes. Suzi became angry about spyware in 2002 after being infected by a drive-by-download of a browser hijacker and unwanted adware/spyware and decided to help others in the same predicament. In April 2005, Microsoft awarded Suzi its MVP (Most Valued Professional) Award in recognition of her work to help internet users protect their privacy by removing and preventing spyware. Suzi is also a nurse for a national disability management company.

5 Comments
VMrootkits
toodevastate 10th Mar 2006
Put on your thinking caps gentlemen, the real war is just about to begin.
A scary thought...
Tony Agudo 11th Mar 2006
It's bad enough that a rootkit can now be exploited through virtualization software. What scares me is, why is Microsoft, not some security firm, researching and developing this? I suspect they may want to integrate a VM-based rootkit into their DRM and licensing system. And we all know how bad using a rootkit for DRM turns out.
What about browser sandbox?
Blackdog_z 14th Mar 2006
What about the possibility that MS is thinking of sandboxing IE 7 in Vista via a VM, thus providing better security for the OS?
Sandboxing through a rootkit?
Tony Agudo 14th Mar 2006
If you're trying to create a sandbox for VM-based web browsing, you don't need to use a rootkit at all. There are better and safer ways of doing this without rootkitting virtualization software. Using a rootkit in any situation is a security and stability nightmare waiting to happen.

If Microsoft does integrate this into their DRM and licensing scheme as I speculated earlier, it could open up security holes for both the guest and host OSes, and Microsoft would be to blame. IMHO, they should tread very carefully if that is what is happening.

Besides, the folks at VMware have already made a secure VM image for browsing without rootkits:

http://www.vmware.com/vmtn/appliances/browserapp.html
Rootkits and sandboxing
Blackdog_z 15th Mar 2006
I agree that a rootkit is not necessary to sandbox, and that rootkits can pose a security vulnerability. However, I have no problem with businesses installing them to monitor employees as long as the employees are informed beforehand. Those computers belong to the businesses and they have the right to install/configure their systems as desired.

I also agree with you that MS should reconsider implementing any rootkit in conjunction with DRM implementation.

As for the browser appliance, I have used it myself, but I really don't think it's the right way to go for Vista. If they are going to sandbox the browser, I doubt MS will implement it in a similar manner; meaning they'll make it appear as seamless and transparent as possible.