BLACK HAT - Questions swirl around VM rootkit detection

At Black Hat, researcher presents new findings on rootkits, Vista security

Can rootkit malware that hides by mimicking a software-based virtual machine ever be detected? That was the topic of debate as security researchers presented their latest findings to packed audiences at the Black Hat Conference here.

Joanna Rutkowska, researcher at the firm Invisible Things, was the one who famously ignited the keen interest in virtualized rootkits after she described and demonstrated her rootkit creation, called Blue Pill, at last year's Black Hat.

Wednesday, Rutkowska returned to Black Hat to acknowledge that researcher Edgar Barbosa has come the closest to devising a method for detecting Blue Pill. "Congratulations to Edgar," she said, during the highly technical presentation she made with her colleague, researcher Alexander Tereshkin. Rutkowska said she and her colleague hadn't found a way yet to evade Barbosa's so-called counterbased detection method as detailed in a paper he made public in July at the SyScan conference.

Rutkowska also said she is posting the Blue Pill code publicly for download at the Blue Pill Project Web site. "You can freely upload Blue Pill right now," she said. Blue Pill has been developed in a number of variants since last year, including one based on nested hypervisors, where stealth, virtual-machine malware is nested inside other stealth, virtual-machine malware.

On a separate topic, she faulted Microsoft's code-signing security that requires a Microsoft-approved signed certificate for kernel-mode protection. Rutkowska last year had shown a way to break that security, which would let an attacker load malware on 64-bit Vista, but Microsoft fixed that problem a few months ago by changing an API. However, she asserted on Wednesday that she and Tereshkin had uncovered another route around Vista kernel protection: Faulty third-party drivers, which although digitally signed, are simply vulnerable.

She also noted that it was all too simple to obtain a Microsoft-approved code-signing certificate through a largely automated process that cost US$250 for a certificate. Microsoft was not immediately available to comment on Rutkowska's findings.

At an earlier session at Black Hat titled "Don't Tell Joanna, the Virtualized Rootkit is Dead," researchers Thomas Ptacek from Matasano Security, Nate Lawson from Root Labs, and Peter Ferrie from Symantec, labored to describe how they are on the path to detecting virtual-machine malware through three technical approaches. They described these technical approaches as side-channel attack, vantage-point attack and performance event counters.

In the end, however, Ptacek said the research was focused on detecting the presence of virtualization malware called Vitriol, created by researcher Dino Dai Zovi, for VMware. That's because Vitriol is one of only a few known examples of virtualization malware, and Rutkowska had declined to supply any Blue Pill code before the conference.

The three researchers indicated they intend to release their published findings, as well as a software framework they call Samsara for detecting virtualization malware, within a few days.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Ellen Messmer

Network World
Show Comments

Father’s Day Gift Guide

Brand Post

PC World Evaluation Team Review - MSI GT75 TITAN

"I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it."

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?