Virtual rootkits not a problem, claim researchers

Virtual rootkits not a problem, claim researchers

Summary: Hypervisor technology cannot be used to hide rootkits from detection, according to US researchers

TOPICS: Security

Rootkits that use virtualisation techniques should not present detection problems, according to researchers from Carnegie Mellon and Stanford universities in the US.

Working with virtualisation technology vendors VMware and XenSource, the researchers produced a study called Compatibility is not transparency: VMM detection myths and realities. In the study the researchers claimed that rootkits could not use hypervisor technology to remain undetected on a system.

"No matter how minimal the hostile VMM [virtual machine monitor] is, it must consume physical resources, perturb timings and take measures to protect itself from the guest, leaving it no less susceptible to detection than other VMMs," said the research paper.

Hostile hypervisors create anomalies in the infected system that enable detection, according to the researchers, who said that hypervisors can be detected through logical discrepancies between the interfaces of real and virtual hardware.

"Most current hypervisor detection methods exploit differences in the virtual CPU interface of VMMs that violate x86 architecture," said the study.

Read this


Comment: The right application of virtualisation

Server virtualisation has its benefits but it's at the application level where the technology can really make a real difference, says DataSynapse's Peter Lee

Read more

There are also differences between virtual and actual hardware configurations such as chipsets, according to the researchers. And resource discrepancies give the game away, as VMMs consume CPU cycles and physical memory, and have a cache footprint that can be detected.

Malware researcher Joanna Rutkowska claimed last year to have developed a hypervisor rootkit called "Blue Pill" that would remain undetected on a system. Her claims were disputed by researchers from Matasano Security, Root Labs and Symantec.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to start the discussion