funsec mailing list archives

RE: eWeek: Government-Funded Startup Blasts Rootkits


From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Tue, 25 Apr 2006 10:13:15 -0600


-----Original Message-----
From: Technocrat [mailto:dj.technocrat.listmail () gmail com] 
http://www.eecs.umich.edu/virtual/papers/king06.pdf

I don't see any reason why a VM couldn't cloak a rootkit from a
PCI/Parallel OS device. Comments? Input?

----------------

From that PDF:

"We show that, once installed, a VMBR is difficult to detect or remove."

Two things he left out of the sentence. It should read "We show that
(even though we have to have root access to the computer first) once
installed, a VMBR is difficult to detect or remove from the OS it is
running under."

I would think that it's pretty easy to stop the VMBR from being
installed, and that the VMBR would be detectable from a PCI Card. The
reason they say "very difficult to detect or remove" is because it can
cloak itself from the host OS. The PCI card would have a Monitoring OS
separate from the Host's. In order to hide itself, the VMBR would then
have to pull the same trick on the PCI card.

You could also detect it by remotely mounting the HDD from a
non-infected client, or by powering down the HDD, hooking it up to
another machine, etc, etc, and scanning it.

-JP<who makes lots of assumptions, but has emailed the vendor for
clarification[which is another assumption that they will respond ;-)]>
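The offline scan JP describes (mount the drive from a non-infected client, or move it to another machine, and scan it), as an added example that is not part of this thread or of the cited paper: a Python baseline-and-compare check over the boot sectors of a raw disk image, run from a host that is not the suspect OS. The sector range, the sample images and the tamper pattern are constructed for the demonstration; the only assumption about the VMBR is that it has to change what the disk loads at boot in order to start before the OS, so that change is visible to a scanner that never runs under it.

```python
"""Offline boot-area integrity check (added example, not from the thread).

Read the disk from somewhere the suspect OS is not running (drive moved to
another box, or exported read-only to a clean client), hash the boot
sectors, and compare them against a baseline taken when the machine was
known clean.  Nothing here runs under the OS being examined.
"""
import hashlib

SECTOR_SIZE = 512
# Sectors to baseline: the MBR plus the sectors right after it, where a
# boot loader's second stage commonly lives.  Assumption for the example.
BOOT_SECTORS = range(0, 16)


def sector_hash(image: bytes, index: int) -> str:
    """SHA-256 of one 512-byte sector of a raw disk image."""
    start = index * SECTOR_SIZE
    return hashlib.sha256(image[start:start + SECTOR_SIZE]).hexdigest()


def build_baseline(image: bytes, sectors=BOOT_SECTORS) -> dict:
    """Record known-good hashes; store this somewhere the suspect host cannot reach."""
    return {i: sector_hash(image, i) for i in sectors}


def changed_sectors(image: bytes, baseline: dict) -> list:
    """Sector numbers whose contents no longer match the baseline."""
    return sorted(i for i, h in baseline.items() if sector_hash(image, i) != h)


def has_boot_signature(image: bytes) -> bool:
    """Sanity check: a legacy MBR ends in the bytes 0x55 0xAA."""
    return image[510:512] == b"\x55\xaa"


def scan(image: bytes, baseline: dict) -> dict:
    """Combine the checks into one verdict for the image."""
    changed = changed_sectors(image, baseline)
    sig_ok = has_boot_signature(image)
    return {
        "boot_signature_ok": sig_ok,
        "changed_sectors": changed,
        "clean": sig_ok and not changed,
    }


def make_clean_image(total_sectors: int = 64) -> bytes:
    """Constructed sample disk: deterministic filler plus an MBR signature."""
    body = bytearray(i % 251 for i in range(total_sectors * SECTOR_SIZE))
    body[510:512] = b"\x55\xaa"
    return bytes(body)


# Constructed "known clean" image and the baseline taken from it.
CLEAN_IMAGE = make_clean_image()
BASELINE = build_baseline(CLEAN_IMAGE)

# Constructed "after" image: the start of the MBR and part of sector 3 are
# overwritten with arbitrary filler, standing in for a changed boot path.
_t = bytearray(CLEAN_IMAGE)
_t[0:32] = b"\xff" * 32
_t[3 * SECTOR_SIZE:3 * SECTOR_SIZE + 8] = b"\x00" * 8
TAMPERED_IMAGE = bytes(_t)


if __name__ == "__main__":
    print("clean image:   ", scan(CLEAN_IMAGE, BASELINE))
    print("tampered image:", scan(TAMPERED_IMAGE, BASELINE))
```

On a real drive you would read the same byte ranges from the block device (opened read-only) instead of an in-memory image; the point of the design is that the baseline and the comparison both live off the suspect machine, so a VMBR cloaking the disk from its guest OS has nothing to cloak here.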

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.