malicious hypervisor aka root-kit hypervisor threat is rel

[Mikhail Utin <mikhailutin () hotmail com>]

We would like to post and discuss at once Malicious Hypervisor threat that exists since 2006 but was ignored.


In 2006, Michigan University (MU) team with the participation of Microsoft research team published an article 
describing the development of the most advanced malware - "SubVirt: Implementing malware with virtual machines".

The research has been supported by US government and Intel Corporation.  The research is the proof of concept – 
virtualization technology can be used to develop a malware (Malicious Hypervisor – MH) which can access any part of 
operating system and user applications, and thus user data. This is computer stealth technology by the definition – 
such hypervisor cannot be identified by currently available security tools.

Around 2007 – 2008 a hypervisor has been found in Intel Corporation motherboards which have been shipped to Russia for 
the development of a special computer system. Russian scientist published the article describing how he found the 
malware in BMC BIOS flash memory. The article is available in English now.

The scientist observed that the hypervisor was gradually improving from one shipment to the next one and eventually 
became completely invisible and working with his (now nested) hypervisor.

In 2013, yet another MU research proved that millions of servers worldwide can be hacked via network management 
interface and malware loaded onto them. This malware could include the MH we are discussing. That represents a threat 
of an enormous magnitude, because the MH will be working from BMC memory and on Ring -2 level, thus having ultimate 
control of the computer system.

The situation now is that the most advanced threat had been successfully ignored during more than 10 years and even now 
we do not have MH identification software available on market.

We believe that there are at least three instances have been existing in the wild since 2010.

Considering MH ability to access to any computer data and do whatever the MH owner wants, we can claim that none of 
computer systems since 2006 can be compliant to any data protection regulation as there is no tools for at least the 
identification of MH. Such regulations include, but are not limited to US HIPAA, US NIST SP-800, ISO 27000, DSS, and 
newcomer – EU General Data Protection Regulation.

Complete information is posted on www.rubos.com<http://www.rubos.com> site.  Please, join the discussion here or, if 
you need to, please use email addresses from Rubos, Inc. site to communicate your questions.

We need to fix the situation until cyber terrorists develop or reverse engineer a hypervisor and use it to control 
millions computers around the globe.


Thank you


Mikhail Utin, CISSP
Rubos, Inc.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/