funsec mailing list archives
RE: eWeek: Government-Funded Startup Blasts Rootkits
From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Tue, 25 Apr 2006 10:13:15 -0600
-----Original Message-----
From: Technocrat [mailto:dj.technocrat.listmail () gmail com]

http://www.eecs.umich.edu/virtual/papers/king06.pdf

I don't see any reason why a VM couldn't cloak a rootkit from a PCI/Parallel OS device. Comments? Input?
----------------
From that PDF:
"We show that, once installed, a VMBR is difficult to detect or remove."

Two things he left out of the sentence. It should read "We show that (even though we have to have root access to the computer first) once installed, a VMBR is difficult to detect or remove from the OS it is running under."

I would think that it's pretty easy to stop the VMBR from being installed, and that the VMBR would be detectable from a PCI card. The reason they say "very difficult to detect or remove" is because it can cloak itself from the host OS. The PCI card would have a monitoring OS separate from the host's. In order to hide itself, the VMBR would then have to pull the same trick on the PCI card.

You could also detect it by remotely mounting the HDD from a non-infected client, or by powering down the HDD, hooking it up to another machine, etc., etc., and scanning it.

-JP <who makes lots of assumptions, but has emailed the vendor for clarification [which is another assumption, that they will respond ;-)]>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
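The offline scan JP describes (pull the disk, attach it to a clean machine, inspect it without the suspect OS running) only works if you know what the clean disk looked like. The script below is an added example, not code from the post, the paper or any vendor: it records a baseline of the MBR boot code, disk signature, partition table and the sectors between the MBR and the first partition from a known-good state, then compares a later read of the same disk against it. The MBR field offsets are the standard layout; the baseline file format, the function names and the sample disk image (including the "VMBRLOAD" marker) are constructed for the demonstration, and the assumption is that a boot-time loader has to leave some change in those first sectors for the firmware to reach it.

```python
"""Offline boot-sector integrity check, run from a clean machine against a
dd image or block device of a suspect disk (e.g. /dev/sdb).  Added example,
not from the original post.  The baseline JSON format and the sample disk
below are constructed; the MBR field layout is the standard one."""
import hashlib
import json
import struct

SECTOR = 512
BOOT_CODE_LEN = 440        # boot code occupies bytes 0..439 of a classic MBR
DISK_SIG_OFF = 440         # 4-byte disk signature at 440..443
PART_TABLE_OFF = 446       # four 16-byte partition entries at 446..509
MBR_SIGNATURE = b"\x55\xaa"
PART_ENTRY = "<B3xB3xII"   # status, (CHS start), type, (CHS end), LBA start, sectors


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into the facts worth baselining."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means the slot is empty
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(),
        "partitions": partitions,
    }


def baseline(first_sectors: bytes, n_sectors: int = 63) -> dict:
    """Describe the boot area: MBR facts plus a hash of the boot track
    (the n_sectors after the MBR), which a loader would have to alter or occupy."""
    record = parse_mbr(first_sectors[:SECTOR])
    gap = first_sectors[SECTOR:SECTOR * (n_sectors + 1)]
    record["gap_sha256"] = hashlib.sha256(gap).hexdigest()
    return record


def compare(base: dict, current: dict) -> list:
    """Return a list of human-readable findings; empty means no change."""
    findings = []
    if base["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("MBR boot code changed")
    if base["disk_signature"] != current["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    if base["gap_sha256"] != current["gap_sha256"]:
        findings.append("boot track (sectors after the MBR) changed")
    return findings


def check_disk(device_path: str, baseline_path: str) -> list:
    """Read the first 64 sectors of a device/image and diff against a saved baseline."""
    with open(baseline_path) as f:
        base = json.load(f)
    with open(device_path, "rb") as f:
        data = f.read(SECTOR * 64)
    return compare(base, baseline(data))


# --- constructed sample data so the check runs offline -----------------------
def make_sample_disk(boot_code: bytes) -> bytes:
    """Constructed 64-sector image: one bootable Linux partition at LBA 63."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\xde\xad\xbe\xef"
    struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF, 0x80, 0x83, 63, 2_000_000)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr) + bytes(SECTOR * 63)


CLEAN = make_sample_disk(b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * 20)  # hypothetical stub
TAMPERED = bytearray(CLEAN)
TAMPERED[:4] = b"\xea\x00\x7c\x00"                      # boot code now jumps elsewhere
TAMPERED[SECTOR * 10:SECTOR * 10 + 8] = b"VMBRLOAD"     # loader parked in the boot track
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    base = baseline(CLEAN)
    print("clean   :", compare(base, baseline(CLEAN)))
    print("tampered:", compare(base, baseline(TAMPERED)))
```

Take the baseline with the disk attached to a machine you trust, store it off the suspect host, and run the comparison the same way; a baseline taken from the running (possibly already cloaked) OS proves nothing. The check is deliberately narrow: it says only whether the boot area differs from the recorded state, not what the difference is, so any finding still needs a look at the sectors themselves.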
Current thread:
- RE: eWeek: Government-Funded Startup Blasts Rootkits, (continued)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 27)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Nick FitzGerald (Apr 28)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Rob, grandpa of Ryan, Trevor, Devon & Hannah (Apr 28)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Kevin McAleavey (Apr 27)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Larry Seltzer (Apr 25)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Barrie Dempster (Apr 25)
- Re: eWeek: Government-Funded Startup Blasts Rootkits Technocrat (Apr 25)
- Re: eWeek: Government-Funded Startup Blasts Rootkits Technocrat (Apr 27)
- RE: eWeek: Government-Funded Startup Blasts Rootkits Larry Seltzer (Apr 27)