funsec mailing list archives
RE: eWeek: Government-Funded Startup Blasts Rootkits
From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Thu, 27 Apr 2006 08:41:07 -0600
I just asked them about VMware in my reply today. Hopefully we will hear something back by Friday. You may be right in that a VMware "infection" would not be "malware" but just a normal operation. It looks like they detect weird API calls, hooks into memory, subversion of the Windows kernel ;), etc. A VM OS would not be a subversion of the kernel per se, just the addition of another. Although from a CPU EIP point of view, I think the addition of another kernel would register in just noise, if not heuristics monitoring. Either way, good call.

I also asked them about directed attacks from the host in the form of buffer overflows to their logging and analysis engines. I am sure they have covered it, but one nightmare scenario would be if you could compromise the PCI card, leaving the host intact, and still be able to transmit the "everything's fine" signal to the admin workstation. Even given the following from section 4.2 of the PDF:

"However, in standalone mode, the EBSA can be configured to deny all configuration reads and writes from the host processor, thereby making its execution path immutable by an attacker on the Host"

If there was a stack exception created by their monitoring software, the instructions would be coming from the card, and not the host kernel.

Like you said, only time will tell.

-JP

-----Original Message-----
From: Technocrat [mailto:dj.technocrat.listmail () gmail com]
Sent: Thursday, April 27, 2006 7:51 AM
To: Justin Polazzo
Cc: funsec () linuxbox org
Subject: Re: [funsec] eWeek: Government-Funded Startup Blasts Rootkits

On 4/27/06, Justin Polazzo <jpolazzo () thesportsauthority com> wrote:
> Just in case anyone is still interested, I got a link to a paper released in '04, but according to the reps: "We've made substantial improvements since the research prototype, but the base methods of how we work and protect ourselves will be in the paper." http://www.komoku.com/pubs/USENIX-copilot.pdf
Hey JP, no word from the vendor on our VM rootkit question?? I suppose it doesn't matter what they say... only the test of time will seal the deal.

-Technocrat

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
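The monitoring model the thread is debating (a coprocessor that reads host memory over the PCI bus, compares it with a known-good baseline and signals the admin workstation), as an added Python sketch that is neither the vendor's code nor taken from the Copilot paper; the 64-byte memory image, the two region names, the shared key and the nonces are constructed stand-ins. It also binds each status report to a nonce issued by the admin station, so a captured "everything's fine" message is rejected when presented again; that covers replay from the host but, as JP's scenario points out, not a card whose own execution path has been subverted.

```python
import hashlib
import hmac

# Constructed stand-in for host physical memory: 64 bytes split into two
# monitored regions, the kernel text and a dispatch (syscall) table.
REGIONS = {"kernel_text": (0, 32), "syscall_table": (32, 64)}

def make_host_memory() -> bytearray:
    """Fresh, deterministic 'clean boot' memory image (constructed sample)."""
    return bytearray(range(64))

def dma_read(memory: bytearray, start: int, end: int) -> bytes:
    """Stand-in for the card pulling a physical-memory range over the PCI bus."""
    return bytes(memory[start:end])

def baseline(memory: bytearray) -> dict:
    """Known-good digest of every region, recorded while the host is trusted."""
    return {name: hashlib.sha256(dma_read(memory, s, e)).hexdigest()
            for name, (s, e) in REGIONS.items()}

def check(memory: bytearray, known_good: dict) -> list:
    """Names of regions whose current contents no longer match the baseline."""
    return [name for name, (s, e) in REGIONS.items()
            if hashlib.sha256(dma_read(memory, s, e)).hexdigest() != known_good[name]]

def report(key: bytes, nonce: bytes, tampered: list) -> bytes:
    """Status for the admin station, tagged with an HMAC over the station's
    nonce so a stale 'OK' message is rejected when presented again."""
    status = b"OK" if not tampered else b"TAMPER:" + ",".join(tampered).encode()
    tag = hmac.new(key, nonce + status, "sha256").hexdigest().encode()
    return status + b"|" + tag

def verify_report(key: bytes, nonce: bytes, msg: bytes) -> tuple:
    """Admin-station side: (authentic?, status) for a received report."""
    status, _, tag = msg.rpartition(b"|")
    expected = hmac.new(key, nonce + status, "sha256").hexdigest().encode()
    return hmac.compare_digest(tag, expected), status

def demo() -> tuple:
    """One clean check, one check after the dispatch table is modified in
    place, and one attempt to pass off the earlier OK report as current."""
    key = b"constructed-shared-key"  # assumption: provisioned to card and station
    memory = make_host_memory()
    known = baseline(memory)
    ok_report = report(key, b"nonce-1", check(memory, known))
    memory[40:48] = b"\xff" * 8  # in-place change to one table slot, what a hook looks like to the monitor
    tampered = check(memory, known)
    current = verify_report(key, b"nonce-2", report(key, b"nonce-2", tampered))
    replayed_ok, _ = verify_report(key, b"nonce-2", ok_report)
    return tampered, current, replayed_ok
```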