Undetectable rootkits? (Linux Security forums, System Security and Security Related category)
"eWeek has an article about a prototype rootkit that is implemented using a virtual machine hypervisor running on top of AMD's Pacifica virtualization implementation. The idea is that the target OS, or software running on it, would not be able to detect the rootkit, because the OS would be running virtualized on top of the rootkit. The prototype is supposed to be demonstrated at the Syscan conference and the Black Hat Briefings over the next month."

Here is the url:

http://it.slashdot.org/article.pl?sid=06/06/29/2111208

Is it correct to say that if you don't run virtualization software of any kind you are not subject to this risk?
"John" <John@somewhere.com> wrote in message news:pan.2006.07.12.19.37.50.753606@somewhere.com...
>
> "eWeek has an article about a prototype rootkit that is implemented using
> a virtual machine hypervisor running on top of AMD's Pacifica
> virtualization implementation. The idea is that the target OS, or software
> running on it, would not be able to detect the rootkit, because the OS
> would be running virtualized on top of the rootkit. The prototype is
> supposed to be demonstrated at the Syscan conference and the Black Hat
> Briefings over the next month."
>
> Here is the url:
>
> http://it.slashdot.org/article.pl?sid=06/06/29/2111208
>
> Is it correct to say that if you don't run virtualization software of any
> kind you are not subject to this risk?

Well, from the details of the original uncompressed item (not found in news aggregators such as eWeek or Slashdot, and now I guess even Usenet), it appeared as if you don't even have to run virtualization software. Pacifica also appears to use what's being referred to as hardware virtualization assistance. Perhaps the hypervisor is accessed initially via those x86 extensions. So, if you are a proud owner of this stuff, it's not in the virtualization element per se, or in the running of it, because the issue looks to lie within the hypervisor itself. Hopefully someone with more or updated info will chime in.

jcj
On 2006-07-12, John <John@somewhere.com> wrote:

> Is it correct to say that if you don't run virtualization software of any
> kind you are not subject to this risk?

No. The rootkit installs its own virtualization software.

-- 
John (john@os2.dhs.org)
On 2006-07-12, John <John@somewhere.com> wrote:

> Is it correct to say that if you don't run virtualization software of any
> kind you are not subject to this risk?

John Thompson <john@vector.os2.dhs.org> wrote:

> No. The rootkit installs its own virtualization software.

As far as I've been able to tell, it's not possible to run a virtualised system on top of another virtualised system. So this suggests to me that if you /are/ running your own virtualisation software (qemu, uml, vmware, etc.) then it will fail to run, thereby alerting you to the fact that your host OS is already virtualised.

Chris
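Two of the posts above turn on the same question: does your CPU expose the hardware virtualization extensions (AMD's "Pacifica", now called SVM) that this kind of hypervisor rootkit needs, and can software running on the machine tell that a hypervisor is already underneath it? The program below is an added example written for this page, not code from any of the posters or from the rootkit being discussed. It decodes the documented CPUID feature bits: SVM is CPUID leaf 0x80000001 ECX bit 2, Intel VT-x is leaf 1 ECX bit 5, and leaf 1 ECX bit 31 is the "hypervisor present" bit that cooperative hypervisors (VMware, KVM, Xen, Hyper-V) set for their guests. The decoder is split from the CPUID probe so it can be exercised on constructed register values; the function and struct names are my own.

```c
/* Added example (not from the thread): report whether this CPU exposes the
 * hardware virtualization extensions a hypervisor rootkit would use, and
 * whether a cooperative hypervisor announces itself.
 *
 * Leaf/bit numbers are the documented ones:
 *   CPUID.1:ECX[5]           VMX (Intel VT-x)
 *   CPUID.1:ECX[31]          "hypervisor present" (set by cooperative VMMs)
 *   CPUID.80000001h:ECX[2]   SVM (AMD "Pacifica")
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

struct vt_caps {
    bool svm;        /* AMD SVM available according to CPUID */
    bool vmx;        /* Intel VT-x available according to CPUID */
    bool hv_present; /* a hypervisor chose to announce itself */
};

/* Pure decoder: takes the raw ECX values of leaf 1 and leaf 0x80000001.
 * Kept free of inline asm so it can be tested with constructed inputs. */
struct vt_caps decode_vt_caps(uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    struct vt_caps c;
    c.vmx        = (leaf1_ecx >> 5)  & 1u;
    c.hv_present = (leaf1_ecx >> 31) & 1u;
    c.svm        = (ext1_ecx  >> 2)  & 1u;
    return c;
}

#if defined(__x86_64__) || defined(__i386__)
static void cpuid(uint32_t leaf, uint32_t *a, uint32_t *b,
                  uint32_t *c, uint32_t *d)
{
    __asm__ volatile("cpuid"
                     : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d)
                     : "a"(leaf), "c"(0));
}

/* Query the running CPU. Caveat: CPUID is an intercepted instruction under
 * both SVM and VT-x, so a hypervisor already beneath this code decides what
 * it returns. A positive SVM/VMX result means the hardware could host such a
 * rootkit; a clear hv_present bit does not prove there is none. */
struct vt_caps probe_vt_caps(void)
{
    uint32_t a, b, c, d, max_ext, ext_ecx = 0;

    cpuid(1, &a, &b, &c, &d);
    uint32_t leaf1_ecx = c;

    /* Extended leaves are only valid up to the maximum reported by 0x80000000. */
    cpuid(0x80000000u, &max_ext, &b, &c, &d);
    if (max_ext >= 0x80000001u)
        cpuid(0x80000001u, &a, &b, &ext_ecx, &d);

    return decode_vt_caps(leaf1_ecx, ext_ecx);
}
#endif

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    struct vt_caps c = probe_vt_caps();
    printf("AMD SVM (Pacifica) exposed by CPUID: %s\n", c.svm ? "yes" : "no");
    printf("Intel VT-x exposed by CPUID:        %s\n", c.vmx ? "yes" : "no");
    printf("Hypervisor announces itself:        %s\n", c.hv_present ? "yes" : "no");
#else
    puts("not an x86 CPU; nothing to probe");
#endif
    return 0;
}
```

On Linux the `svm` and `vmx` entries in `/proc/cpuinfo` flags come from the same CPUID bits, so this is a programmatic form of `grep -E 'svm|vmx' /proc/cpuinfo`. Firmware can also lock SVM off through the VM_CR MSR (SVMDIS), but reading MSRs needs ring 0, so that check is not shown here.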