BLACK HAT - Questions swirl around VM rootkit detection

At Black Hat, researcher presents new findings on rootkits, Vista security

Can rootkit malware that hides by mimicking a software-based virtual machine ever be detected? That was the topic of debate as security researchers presented their latest findings to packed audiences at the Black Hat Conference here.

Joanna Rutkowska, researcher at the firm Invisible Things, was the one who famously ignited the keen interest in virtualized rootkits after she described and demonstrated her rootkit creation, called Blue Pill, at last year's Black Hat.

Wednesday, Rutkowska returned to Black Hat to acknowledge that researcher Edgar Barbosa has come the closest to devising a method for detecting Blue Pill. "Congratulations to Edgar," she said, during the highly technical presentation she made with her colleague, researcher Alexander Tereshkin. Rutkowska said she and her colleague hadn't found a way yet to evade Barbosa's so-called counterbased detection method as detailed in a paper he made public in July at the SyScan conference.

Rutkowska also said she is posting the Blue Pill code publicly for download at the Blue Pill Project Web site. "You can freely upload Blue Pill right now," she said. Blue Pill has been developed in a number of variants since last year, including one based on nested hypervisors, where stealth, virtual-machine malware is nested inside other stealth, virtual-machine malware.

On a separate topic, she faulted Microsoft's code-signing security that requires a Microsoft-approved signed certificate for kernel-mode protection. Rutkowska last year had shown a way to break that security, which would let an attacker load malware on 64-bit Vista, but Microsoft fixed that problem a few months ago by changing an API. However, she asserted on Wednesday that she and Tereshkin had uncovered another route around Vista kernel protection: Faulty third-party drivers, which although digitally signed, are simply vulnerable.

She also noted that it was all too simple to obtain a Microsoft-approved code-signing certificate through a largely automated process that cost US$250 for a certificate. Microsoft was not immediately available to comment on Rutkowska's findings.

At an earlier session at Black Hat titled "Don't Tell Joanna, the Virtualized Rootkit is Dead," researchers Thomas Ptacek from Matasano Security, Nate Lawson from Root Labs, and Peter Ferrie from Symantec, labored to describe how they are on the path to detecting virtual-machine malware through three technical approaches. They described these technical approaches as side-channel attack, vantage-point attack and performance event counters.

In the end, however, Ptacek said the research was focused on detecting the presence of virtualization malware called Vitriol, created by researcher Dino Dai Zovi, for VMware. That's because Vitriol is one of only a few known examples of virtualization malware, and Rutkowska had declined to supply any Blue Pill code before the conference.

The three researchers indicated they intend to release their published findings, as well as a software framework they call Samsara for detecting virtualization malware, within a few days.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?