Security UPDATE--Virtual Machine-based Rootkits--March 22, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Esker Software

SPI Dynamics


1. In Focus: Virtual Machine-based Rootkits

2. Security News and Features

- Recent Security Vulnerabilities

- Zfone Makes Its Debut

- Seagate and SECUDE IT Team for Stronger Mobile Security

- Silently Disable Internet Controls the Easy Way

3. Security Toolkit

- Security Matters Blog


- Instant Poll

- Share Your Security Tips

4. New and Improved

- Single Sign-On Solution for Many Apps


==== Sponsor: Esker Software ====

Align compliance with business efficiency, and learn how fax-document management plays a role in your strategy.


==== 1. In Focus: Virtual Machine-based Rootkits ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Virtual machine (VM) technology has many positive uses. However, when a VM is paired with a rootkit, you have a problem called a VM-based rootkit (VMBR).

VMBRs aren't just theoretical nuisances. Samuel T. King and Peter M. Chen of the University of Michigan, and Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch of Microsoft Research published a new white paper that discusses VMBRs in considerable detail. The white paper, "SubVirt: Implementing malware with virtual machines," is available on the Internet and is also scheduled to be presented at the IEEE Symposium on Security and Privacy in May.

VMBRs will be harder to detect than regular rootkits, but fortunately, they'll also be harder for intruders to develop and install. In a nutshell, the way a VMBR works is to load itself underneath the existing OS. The existing OS then runs as a VM on top of the VMBR. When running this way, a VMBR could go undetected unless special tools are used to look for its existence. VMBRs are possible for both Linux and Windows platforms.

Causing a VMBR to become installed is the tricky part, as is usually the case with rootkits. To cause a VMBR to run underneath an existing OS, the system's boot sequence must be modified so that the VMBR loads first. Modifying the system boot sequence requires a high level of privilege or an easily duped user. The white paper authors point out several possible inroads, including remotely exploitable system vulnerabilities, a malicious bootable CD-ROM or DVD, software from a corrupt vendor, and of course malicious software run by a naive user who's logged on with Administrator privileges.

The real danger of VMBRs is that, because they run underneath the existing OS, they can remain relatively invisible to the target OS. A VMBR might or might not communicate with the target OS. If a VMBR is designed to launch Denial of Service (DoS) attacks, to relay mail, to establish pirate software drop points on other systems, or to host phishing Web sites, it doesn't need to communicate with the target OS at all. On the other hand, if the VMBR is designed to eavesdrop on keyboard, mouse, or network activity, then some amount of interaction must take place, although that interaction can be minimized by modifying device drivers and emulators.

The team actually developed a VMBR along with several malicious services. It also modified system instructions so that user-mode VM detection wouldn't discover the VMBR. Taking the VMBR to an even further extreme, the team was able to manipulate LEDs on some computers via the system BIOS to fool users into thinking a system was shut down when in fact it wasn't!
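Because a VMBR has to alter the boot sequence to load ahead of the OS, the practical defensive check is the one the article alludes to: read the boot record from outside the suspect OS (for example, after booting from trusted media) and compare it with a baseline captured when the machine was known-clean. The following Python is an added example, not code from the SubVirt paper or from this newsletter; it parses a classic 512-byte MBR and diffs its boot code and partition table against a baseline, using constructed sample sectors in place of a real disk read.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a classic MBR into a boot-code hash, four partition entries and the signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, sector, 446 + 16 * i)
        partitions.append({"active": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),  # hash of the boot loader code only
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def baseline_from(sector: bytes) -> dict:
    """Record what a trusted boot record looks like; store this off-host, not on the monitored disk."""
    info = parse_mbr(sector)
    return {"code_sha256": info["code_sha256"], "partitions": info["partitions"]}


def check_boot_record(sector: bytes, baseline: dict) -> list:
    """Return findings that indicate the boot sequence was altered; an empty list means it matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature missing")
    if info["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code hash changed")  # a loader that starts something else first
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")  # active flag moved or a new partition added
    return findings


def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the samples below (real checks read the first 512 bytes of the raw disk)."""
    table = b"".join(struct.pack(PART_ENTRY, *p) for p in partitions).ljust(64, b"\x00")
    return boot_code.ljust(446, b"\x00")[:446] + table + BOOT_SIGNATURE


# Constructed samples: a stand-in boot loader, the same disk with its boot code replaced,
# and the same disk with the active flag moved to a newly added partition.
CLEAN_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * 441
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = baseline_from(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xEA" + CLEAN_CODE[1:], [(0x80, 0x07, 2048, 1_000_000)])
MOVED_ACTIVE_MBR = build_mbr(CLEAN_CODE, [(0x00, 0x07, 2048, 1_000_000), (0x80, 0x83, 1_002_048, 4096)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR), ("moved", MOVED_ACTIVE_MBR)):
        print(name, check_boot_record(mbr, BASELINE))
```

The comparison is only meaningful when the sector is read while the suspect OS is not running, since a VMBR that sits underneath the OS can present it with an unmodified view of the disk.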

The project is, to understate the matter, a very successful proof of concept. If you're interested in the finer details of the research, be sure to read the white paper at


==== Sponsor: SPI Dynamics ====

ALERT: PENETRATION TEST your Web Applications for FREE! WebInspect is a dynamic web application assessment tool that will automatically search for over 4,700 vulnerabilities and attack methods. Learn about the top web application Attack Methods and how to combat them with WebInspect. Run a FREE Test of your Web Apps via our FREE 15 Day Product Trial that delivers a comprehensive vulnerability report.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Zfone Makes Its Debut

With VoIP becoming ever more popular, security of conversations is a primary concern. Phil Zimmermann, inventor of the well-known PGP software, aims to help protect VoIP users' privacy with his latest encryption product, Zfone, which was released into public beta this week.

Seagate and SECUDE IT Team for Stronger Mobile Security

Last week at CeBIT 2006, Seagate Technology and SECUDE IT Security demonstrated how their products work together to better secure laptops. Together the companies' products protect data even during the system boot process.

Silently Disable Internet Controls the Easy Way

Setting the kill bit for an ActiveX control is simple if you approach the task from the standpoint of knowing that a control you want to disable exists. Here's a technique for finding the class ID (CLSID) of a control and disabling the control.


==== Resources and Events ====

Make full use of your VoIP network--integrate Fax for IP to reduce TCO and increase the ROI for your investment. Live Event: Tuesday, April 25, 12 pm EST

Early Bird Special Extended!

Register by 24 March 2006 for DevConnections Europe in Nice, France, 24-27 April 2006, and take advantage of special savings.


Expert Ben Smith describes the benefits of using server virtualization to make computers more efficient.

Learn all you need to know about today's most popular security protocols for secure Web-based communications. Download the free eBook today!

Learn the advantages of each alternative to traditional file servers and tape storage solutions, and make the best choice for your enterprise needs.




==== Hot Spot ====

Learn to identify the top 5 IM security risks, and protect your networks and users.


==== 3. Security Toolkit ====

Security Matters Blog: Not Quite Dick Tracy's Style

by Mark Joseph Edwards,

In last week's In Focus (at the first URL below), I wrote about handheld computers. Since then, I've learned about a computer that straps to your wrist. Eurotech is making a new wrist-worn PC that can run Linux or Windows CE. Learn more about it in the blog entry at the second URL below.


by John Savill,

Q: How can I output in a table format the list of sites and the subnets in the site?

Find the answer at

New Instant Poll

Which of these methods have you used or will you use to contain your wireless network radio signals?

- Reducing the AP output power

- Covering your walls and windows with special materials

- Using directional antennas or adding signal reflectors on your APs

- Two or more of the above methods

- None of the methods

See the article "3 Ways to Rein in Your Wireless Signals" at

Submit your vote at

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Announcements ====

(from Windows IT Pro and its partners)

VIP Monthly Pass Subscribers have it all!

Become a VIP Monthly Pass subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get the latest digital issue (just like the print edition, but delivered directly to your inbox) of Windows IT Pro each month. Subscribe now:

Save 44% off the Windows IT Security Newsletter

For a limited time, order the Windows IT Security newsletter and SAVE up to $80 off the cover price. You'll discover endless fundamentals on building and maintaining a secure enterprise, in-depth product coverage of the best security tools available, and expert advice on the best way to implement various security components. You'll also get unlimited access to the full online security article library (more than 1900 articles). Subscribe now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Single Sign-On Solution for Many Apps

Beta Systems Software has extended its SAM Identity Management Suite to include a new component: SAM Enterprise Single Sign-On. SAM eSSO is part of the suite but will be marketed as a separate module. Users log on to their systems, and SAM eSSO handles subsequent logons to applications. SAM eSSO integrates with most existing applications through agents and XML parameter files. The SAM eSSO client runs under Windows, Web browsers, Linux, and UNIX. The SAM eSSO server runs under Windows. The target applications for SSO can run on any platform accessible to the network including Windows servers, mainframes, UNIX servers, Web servers, corporate databases, and Lotus Domino. The basis for SAM eSSO is the Focal Point enterprise SSO solution, which Beta Systems recently purchased from OKIOK. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
