Nov 27 2009

Implementing malware with VMs – Subvirt

Category: .security | Amit Bahree @ 1:55 pm

Microsoft Research (MSR) together with the University of Michigan have an interesting paper that showcases a new type of malware aimed specifically at virtual machines and the hosts running them (Hyper-V, VMware Server, etc.). This malware installs itself underneath the host OS as a Virtual Machine Monitor (VMM). All VMMs run in Ring 0 (kernel mode).

Essentially this is similar to a rootkit, and they call it a VM-based rootkit (VMBR). A VMBR installs itself underneath the host OS and then runs the target OS as a guest. To do this it has to manipulate the boot sequence so that it loads before the ‘guest’ OS. This lets it run silently, with the ‘guest’ OS not even aware of its presence, which of course makes detection from inside the ‘guest’ OS quite difficult (if not impossible).

They go on to implement a couple of prototypes that subvert both Windows XP and Linux. The paper also discusses ways to detect and prevent VMBRs, such as running security software in an isolated layer below the VMBR that the VMBR does not control. Another option is to boot from a ‘safe’ medium such as a ROM drive or a secure VMM; this won’t stop a VMBR, but it can at least help detect it.
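The “boot from a safe medium” idea boils down to reading the disk from a layer the VMBR does not control and comparing what is there against a known-good record. Below is an added illustration of that check (my own example, not code from the SubVirt paper or its authors): it parses a classic 512-byte MBR, hashes the boot code region and records the partition table, then reports any change in the boot code, the partition entries or which entry carries the active flag. The two sectors are constructed sample bytes built inline; the MBR layout itself (446 bytes of boot code, four 16-byte partition entries, the 55 AA signature) is the standard one. The one assumption that matters is that the sector is read from the trusted medium, because a VMBR sitting underneath the guest could hand the guest a clean-looking copy.

```python
"""Offline MBR boot-sector integrity check against a known-good baseline."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510           # bytes 510..511 must read 55 AA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, the partition table and the signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        entry = sector[off:off + PART_ENTRY_LEN]
        # status (0x80 = active), CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry, 0)
        if ptype != 0:  # an all-zero entry is an unused slot
            partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == BOOT_SIGNATURE,
    }


def check_boot_sector(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a baseline recorded from a known-good boot.

    Returns human-readable findings; an empty list means nothing changed."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 55 AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    base_by_idx = {p["index"]: p for p in baseline["partitions"]}
    cur_by_idx = {p["index"]: p for p in current["partitions"]}
    for idx, p in cur_by_idx.items():
        if idx not in base_by_idx:
            findings.append(f"new partition entry {idx} (type 0x{p['type']:02x})")
        elif p != base_by_idx[idx]:
            findings.append(f"partition entry {idx} changed")
    for idx in base_by_idx:
        if idx not in cur_by_idx:
            findings.append(f"partition entry {idx} removed")
    base_active = [p["index"] for p in baseline["partitions"] if p["active"]]
    cur_active = [p["index"] for p in current["partitions"] if p["active"]]
    if base_active != cur_active:
        findings.append(f"active partition moved from {base_active} to {cur_active}")
    return findings


def _build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR from boot code and up to four (status, type, lba, sectors) tuples."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    table = bytearray()
    for i in range(4):
        if i < len(entries):
            status, ptype, lba, sectors = entries[i]
            table += struct.pack("<B3xB3xII", status, ptype, lba, sectors)
        else:
            table += bytes(PART_ENTRY_LEN)
    return bytes(sector + table + BOOT_SIGNATURE)


# Constructed "known good" disk: ordinary boot code and one active NTFS-type partition.
CLEAN_MBR = _build_mbr(b"ORIGINAL-BOOTLOADER-" * 10, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)

# Constructed tampered disk: replaced boot code, the original partition no longer active,
# and a new entry that now carries the active flag. These are sample bytes only, used to
# show what a redirected boot sequence looks like to the checker.
TAMPERED_MBR = _build_mbr(b"REPLACED-BOOT-CODE--" * 10,
                          [(0x00, 0x07, 2048, 1_000_000), (0x80, 0x83, 1_002_048, 50_000)])

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_boot_sector(sector, BASELINE) or ["no change"])
```

In practice the baseline would be recorded once while booted from the trusted medium and stored off the machine, and the comparison would cover the rest of the boot chain (boot loader files, firmware settings) rather than just the first sector; the point the paper makes is that the comparison is only meaningful when the read does not pass through the layer being checked.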

