Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.
The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006.
How it works :
A virtual machine is one instance of an operating system running between the hardware and the "guest" operating system. Because the VM sits on the lower layer of the operating system, it is able to control the upper layers in a stealthy way.
Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system.
Proof-of concept [rootkits] were used to subvert Windows XP and Linux target systems and implemented four example malicious services.
Why is it dangerous :
Today, anti-rootkit clean-up tools compare registry and file system API discrepancies to check for the presence of user-mode or kernel-mode rootkits, but this tactic is useless if the rootkit stores malware in a place that cannot be scanned.
"If the defender's security service occupies a lower layer than the malware, then that security service should be able to detect, contain and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution."
The side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders.
The SubVirt project implemented VM-based rootkits on two platformsâ€â€Linux/VMWare and Windows/VirtualPCâ€â€and was able to write malicious services without detection.
Virtual-machine monitors are available from both the open-source community and commercial vendors ... On today's x86 systems, [VM-based rootkits] are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a rootkit."
The threat is so real, the group said, that during the creation of SubVirt, one of the authors accidentally used a machine that had been infected by the proof-of-concept rootkit without realizing that he was using a compromised system.
End user :
A code execution flaw could be exploited to gain root or administrator rights to manipulate the system boot sequence.
Once the rootkit is installed, it can use a separate attack operating system to deploy malware that is invisible from the perspective of the target operating system.
The group used the prototype rootkits to develop four malicious servicesâ€â€a phishing Web server, a keystroke logger, a service that scans the target file system for sensitive information and a defense countermeasure to defeat existing VM-detection systems.
The researchers also used the VM-based rootkits to control the way the target reboots. It could also be used to emulate system shutdowns and system sleep states.
How to counter :
Hardware detection is one way to gain control over the lower layer to detect VM-based rootkits, pointing out that chip makers Intel and AMD have proposed hardware that can be used to develop and deploy low-layer security software that would run beneath a VM-based rootkit.
Another defense technique the researchers proposed is to boot from a safe medium such as a CD-ROM, USB drive or network boot server to gain control below the rootkit.
A secure VMM can also be used to gain control of a system before the operating system boots. It can also be used to retain control as the system runs and to add a check to stop a VM-based rootkit from modifying the boot sequence.
The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006.
How it works :
A virtual machine is one instance of an operating system running between the hardware and the "guest" operating system. Because the VM sits on the lower layer of the operating system, it is able to control the upper layers in a stealthy way.
Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system.
Proof-of concept [rootkits] were used to subvert Windows XP and Linux target systems and implemented four example malicious services.
Why is it dangerous :
Today, anti-rootkit clean-up tools compare registry and file system API discrepancies to check for the presence of user-mode or kernel-mode rootkits, but this tactic is useless if the rootkit stores malware in a place that cannot be scanned.
"If the defender's security service occupies a lower layer than the malware, then that security service should be able to detect, contain and remove the malware. Conversely, if the malware occupies a lower layer than the security service, then the malware should be able to evade the security service and manipulate its execution."
The side that controls the lower layer in the system has a fundamental advantage in the arms race between attackers and defenders.
The SubVirt project implemented VM-based rootkits on two platformsâ€â€Linux/VMWare and Windows/VirtualPCâ€â€and was able to write malicious services without detection.
Virtual-machine monitors are available from both the open-source community and commercial vendors ... On today's x86 systems, [VM-based rootkits] are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a rootkit."
The threat is so real, the group said, that during the creation of SubVirt, one of the authors accidentally used a machine that had been infected by the proof-of-concept rootkit without realizing that he was using a compromised system.
End user :
A code execution flaw could be exploited to gain root or administrator rights to manipulate the system boot sequence.
Once the rootkit is installed, it can use a separate attack operating system to deploy malware that is invisible from the perspective of the target operating system.
The group used the prototype rootkits to develop four malicious servicesâ€â€a phishing Web server, a keystroke logger, a service that scans the target file system for sensitive information and a defense countermeasure to defeat existing VM-detection systems.
The researchers also used the VM-based rootkits to control the way the target reboots. It could also be used to emulate system shutdowns and system sleep states.
How to counter :
Hardware detection is one way to gain control over the lower layer to detect VM-based rootkits, pointing out that chip makers Intel and AMD have proposed hardware that can be used to develop and deploy low-layer security software that would run beneath a VM-based rootkit.
Another defense technique the researchers proposed is to boot from a safe medium such as a CD-ROM, USB drive or network boot server to gain control below the rootkit.
A secure VMM can also be used to gain control of a system before the operating system boots. It can also be used to retain control as the system runs and to add a check to stop a VM-based rootkit from modifying the boot sequence.