PaulDotCom mailing list archives

Bootkits to the next level


From: dninja at gmail.com (Robin Wood)
Date: Sun, 28 Jun 2009 11:24:09 +0100

2009/6/26 Rob Fuller <jd.mubix at gmail.com>:
> So all of this is just theoretical right now so, it's probably flawed
> somewhere, but that's what y'all are for ;-)
> When I first heard the word "bootkit" my mind went instantly to boot CD/USB.
> The guest in Episode 154 though was talking about more of a payload that
> gets delivered in malware that somehow (I'm thinking by editing the boot
> params just like you do for dual booting) infects the machine.
> Well, let's ride down my road a bit. You kinda need physical access to put a
> CD or USB in the drive right? hmm, not so much. With the push for
> virtualization people already have most of their most precious information
> on virtual machines. And how does VMware install their VMware Tools? ;-) now
> you are starting to see where I am going. Here is the theoretical "what if":
> An attacker pushed the mounting of a CD / USB drive to a server, bypassing
> or breaking the authentication to do so (although I don't think there is
> any, kinda like the old days before sessions, of directly accessing the
> admin page, bypassing the login page). Then waiting for a reboot to happen,
> or just causing one yourself.
> Wham bam, thank you ma'am. Now I hope I am totally wrong, but hopefully this
> got you thinking in a new direction.

Don't know if it is just VirtualBox but if I have a CD mounted that
has autorun on it the autorun gets run whenever the machine is
suspended and resumed. Does this go for VMware as well?

I rarely reboot my VMs but I do suspend and resume them quite frequently.

Robin
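The scenario Rob describes (an ISO pushed onto a VM's virtual CD drive, then a reboot) leaves a trace in the VM's configuration before the reboot ever happens. The following is an added example, not code from the thread or from VMware: it parses a VMware .vmx file and reports CD/DVD devices that are backed by an image and connected at power-on, together with whether bios.bootOrder puts the CD ahead of the disk. The .vmx keys used (ideN:M.present, .deviceType, .fileName, .startConnected, bios.bootOrder) are standard VMware keys; the sample configuration embedded below is constructed for illustration, and the risk labels are this example's own convention.

```python
"""Audit a VMware .vmx file for CD/DVD images presented to the guest at
power-on. Added example for the mailing-list discussion, not VMware code.
The sample .vmx text below is constructed for illustration."""

import re
from collections import defaultdict

# Constructed sample .vmx: one ISO connected at power-on, one passthrough
# drive left disconnected, and a boot order that tries the CD first.
SAMPLE_VMX = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "fileserver01"
bios.bootOrder = "cdrom,hdd"
ide1:0.present = "TRUE"
ide1:0.deviceType = "cdrom-image"
ide1:0.fileName = "/var/lib/vmware/iso/linux.iso"
ide1:0.startConnected = "TRUE"
sata0:1.present = "TRUE"
sata0:1.deviceType = "cdrom-raw"
sata0:1.fileName = "auto detect"
sata0:1.startConnected = "FALSE"
scsi0:0.present = "TRUE"
scsi0:0.fileName = "fileserver01.vmdk"
"""

KEY_RE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?(.*?)"?\s*$')
DEVICE_RE = re.compile(r'^((?:ide|sata|scsi|nvme)\d+:\d+)\.(\w+)$')
# deviceType values VMware uses for virtual CD/DVD drives
CDROM_TYPES = {"cdrom-image", "cdrom-raw", "atapi-cdrom"}


def parse_vmx(text):
    """Parse key = "value" lines into a dict; keys are lowercased because
    VMware treats .vmx keys case-insensitively."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def cdrom_devices(cfg):
    """Group per-device keys (ide1:0.*, sata0:1.*, ...) and keep the present
    devices whose deviceType marks them as CD/DVD drives."""
    devices = defaultdict(dict)
    for key, value in cfg.items():
        m = DEVICE_RE.match(key)
        if m:
            devices[m.group(1)][m.group(2)] = value
    return {
        name: attrs
        for name, attrs in devices.items()
        if attrs.get("present", "").upper() == "TRUE"
        and attrs.get("devicetype", "") in CDROM_TYPES
    }


def cdrom_before_disk(cfg):
    """True if bios.bootOrder lists cdrom ahead of hdd, False if not, and
    None when the key is absent (the BIOS default order then applies)."""
    raw = cfg.get("bios.bootorder")
    if raw is None:
        return None
    order = [x.strip().lower() for x in raw.split(",")]
    if "cdrom" not in order:
        return False
    if "hdd" not in order:
        return True
    return order.index("cdrom") < order.index("hdd")


def audit(text):
    """Return one finding per CD/DVD device. An image-backed drive that is
    connected at power-on is labelled 'high'; an image-backed drive with no
    explicit startConnected is labelled 'review' (example's own convention)."""
    cfg = parse_vmx(text)
    findings = []
    for name, attrs in sorted(cdrom_devices(cfg).items()):
        dtype = attrs.get("devicetype")
        start = attrs.get("startconnected")
        connected = (start or "").upper() == "TRUE"
        if dtype == "cdrom-image" and connected:
            risk = "high"
        elif dtype == "cdrom-image" and start is None:
            risk = "review"
        else:
            risk = "info"
        findings.append({
            "device": name,
            "type": dtype,
            "backing": attrs.get("filename", ""),
            "connected_at_poweron": connected,
            "risk": risk,
        })
    return findings


if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print("cdrom before disk:", cdrom_before_disk(cfg))
    for f in audit(SAMPLE_VMX):
        print(f)
```

Run against real .vmx files (for example with a glob over a datastore) and alert on any 'high' finding whose backing path is not an image you expect, such as the VMware Tools ISO during an install; an unexplained ISO connected at power-on on a server that is about to reboot is exactly the precondition the thread is worried about.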
