This is spooky - virtual machine rootkits

This sounds so far out - rootkits are bad enough, but now we have to worry about virtual machine rootkits.

Lab rats at Microsoft Research and the University of Michigan have teamed up to build prototype virtual machine-based rootkits that go well beyond existing techniques for hiding malware, and that can keep control of the target operating system once installed.

The proof-of-concept rootkit, called SubVirt, first gets onto the box by exploiting known security flaws, then drops a VMM (virtual machine monitor) underneath a Windows or Linux installation, so that the original OS comes back up as a guest of the rootkit's hypervisor.

Details of the article here and the research paper by the Microsoft and University of Michigan team here (PDF).

We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system.
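The abstract's point is that the guest cannot read the VMBR's state directly, so anything running inside the hoisted OS is left with side channels. The classic one is timing: on x86, CPUID forces an exit to whatever hypervisor is present, so it costs far more cycles than an instruction that does not trap. The program below is an added example written for this post, not code from the SubVirt paper or from its authors. It measures the median cycle cost of CPUID against the median cost of a bare RDTSC pair and flags a hypervisor when the ratio crosses a threshold; the sample count and the ratio threshold of 10 are assumptions chosen for illustration, not published figures.

```c
/* In-guest timing heuristic for a hypervisor sitting underneath the OS.
 * Added example for this post; not the SubVirt authors' code.
 * Assumptions: x86/x86-64 with GCC or Clang; sample size and the
 * ratio threshold (10x) are illustrative, not measured constants. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid(level, a, b, c, d) */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Sorts v in place and returns the upper median (v[n/2]); n must be > 0.
 * The median, not the mean, is used so that a stray interrupt or context
 * switch during one sample does not skew the result. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Median cycles for one CPUID(0). Returns 0 on non-x86 builds. */
uint64_t sample_cpuid_cycles(size_t n) {
#if HAVE_X86
    uint64_t *v = malloc(n * sizeof *v);
    if (!v || n == 0) { free(v); return 0; }
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);            /* warm-up sample, discarded */
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        v[i] = __rdtsc() - t0;
    }
    (void)a; (void)b; (void)c; (void)d;
    uint64_t m = median_u64(v, n);
    free(v);
    return m;
#else
    (void)n;
    return 0;
#endif
}

/* Median cycles for back-to-back RDTSC: the non-trapping baseline. */
uint64_t sample_rdtsc_cycles(size_t n) {
#if HAVE_X86
    uint64_t *v = malloc(n * sizeof *v);
    if (!v || n == 0) { free(v); return 0; }
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = __rdtsc();
        v[i] = __rdtsc() - t0;
    }
    uint64_t m = median_u64(v, n);
    free(v);
    return m;
#else
    (void)n;
    return 0;
#endif
}

/* 1 if the trapping instruction costs at least ratio_threshold times the
 * baseline, 0 otherwise (including the degenerate zero-baseline case). */
int vmm_suspected(uint64_t trapped_median, uint64_t baseline_median,
                  unsigned ratio_threshold) {
    if (baseline_median == 0) return 0;
    return trapped_median >= (uint64_t)ratio_threshold * baseline_median;
}

int main(void) {
    const size_t samples = 4096;       /* assumed sample count */
    uint64_t cpuid_med = sample_cpuid_cycles(samples);
    uint64_t rdtsc_med = sample_rdtsc_cycles(samples);
    printf("median CPUID cycles : %llu\n", (unsigned long long)cpuid_med);
    printf("median RDTSC cycles : %llu\n", (unsigned long long)rdtsc_med);
    printf("hypervisor suspected: %s\n",
           vmm_suspected(cpuid_med, rdtsc_med, 10) ? "yes" : "no");
    return 0;
}
```

Treat the answer as a hint, not proof. A VMM that controls the guest also controls what the guest sees of the TSC and can pad or virtualize the timestamp counter, which is exactly the asymmetry the abstract describes; a confident result needs an external reference clock or a trusted boot path rather than measurements taken from inside the hoisted OS.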

Slashdot discussion here.