Bitter News For VM Users, There's a Rootkit Made Just For You

With every innovation comes a setback, sometimes vitriolic in nature. Virtual machine (VM) technology is a good case in point.

VMs are growing in popularity by leaps and bounds. We'll see more and more VM technology to the point that it becomes commonplace, probably even on everyday users' desktops. The benefits of VMs are manifold and the drawbacks are few, the most significant of which is undoubtedly the cost of acquiring hardware to leverage VM power.

Intel introduced its VT-x technology for x86 processors, which extends the processor architecture to support virtual machines more efficiently. Of course, potential intruders can't stand idly by while VMs take over servers and, eventually, desktops. They need their inroads, or so they think anyway. Be assured that there is definitely active, ongoing progress in developing ways to usurp VM technology for insidious purposes. So security professionals need to keep pace with, or preferably outpace, the inroads made by "the bad guys."

One team of researchers has managed to develop a rootkit, appropriately named Vitriol, that demonstrates how it is possible to co-opt Intel's VT-x. In effect, Vitriol takes over as the host OS and moves the original host OS into the role of guest OS, transparently and without the computer user's knowledge. The team gave a presentation of Vitriol at the recent Black Hat conference in Las Vegas. At least some of the team are slated to attend Microsoft's invitation-only Blue Hat conference, which is taking place this week, to present their work in more detail.

Writing on Matasano's blog, Dino Dai Zovi gives an introduction to the presentation:

Hardware-supported CPU virtualization extensions such as Intel’s VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel(r) Core Solo and Duo processors found in laptops released in early 2006 with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a “rootkit hypervisor” that transparently runs the original operating system in a VM. This presentation will describe how VT-x can be used by rootkit authors and demonstrate a rootkit based on these techniques that migrates the running operating system into a hardware virtual machine on the fly and installs itself as a rootkit hypervisor. Hypervisors of this sort can also be used to bypass PatchGuard on 64-bit systems. The presentation will conclude with a demonstration of Vitriol, a VT-x based rootkit.

Dai Zovi clarified the statements in that introduction:

There has been some confusion around how or whether hypervisors can "bypass" PatchGuard. This is not an attack against or weakness in PatchGuard itself, it is more a demonstration of how a hypervisor controls the entire universe in which an operating system runs and can mislead or lie to any operating system running inside it, thus defeating security defenses running on the guest VM.

Vitriol has got to be unnerving to Intel, and Microsoft too for that matter. I think this is just the beginning of what we'll see relating to hypervisor exploitation. Stay tuned.
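Dai Zovi's point that a hypervisor "controls the entire universe in which an operating system runs" is easiest to appreciate from inside the guest. The following C program is an added example, not code from the article, from Vitriol or from Dai Zovi: it runs the two guest-side checks a defender would reach for first (the CPUID hypervisor-present bit and the CPUID timing heuristic), and the comments explain why a rootkit hypervisor can make both come back clean. The function names, the round count and the idea of taking a median are my own choices; the CPUID leaves and bits are architectural facts. Build on x86-64 Linux with gcc or clang; on other architectures the functions return sentinel values.

```c
/* Added example (not from the article): two guest-side heuristics for
 * "am I running under a hypervisor?", and why neither is conclusive
 * against a rootkit hypervisor of the kind the article describes. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>

/* CPUID leaf 1, ECX bit 31 is the "hypervisor present" bit. A cooperative
 * hypervisor (KVM, VMware, Hyper-V, ...) sets it so guests can adapt. A
 * rootkit hypervisor intercepts CPUID anyway (VT-x exits on it
 * unconditionally) and can simply hand back whatever the bare CPU would
 * have said. Returns 1, 0, or -1 if leaf 1 is unavailable. */
int hypervisor_bit_set(void) {
    unsigned int a = 0, b = 0, c = 0, d = 0;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return -1;
    return (int)((c >> 31) & 1u);
}

/* CPUID leaf 0x40000000 carries a 12-byte vendor signature in EBX:ECX:EDX
 * on cooperative hypervisors. Copies it into `out` (at least 13 bytes) and
 * returns 1 if the registers were non-zero, else 0. Same caveat as above:
 * the value is whatever the layer below chooses to report. */
int hypervisor_vendor(char *out) {
    unsigned int a = 0, b = 0, c = 0, d = 0;
    __cpuid(0x40000000, a, b, c, d);
    (void)a;
    memcpy(out + 0, &b, 4);
    memcpy(out + 4, &c, 4);
    memcpy(out + 8, &d, 4);
    out[12] = '\0';
    return (b | c | d) != 0;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Timing heuristic: because every CPUID traps to the hypervisor under VT-x,
 * a guest pays a full VM exit/entry round trip per instruction, typically
 * hundreds to thousands of cycles more than native. Returns the median of
 * `rounds` rdtsc deltas (1..256). Thresholds are hardware-specific, and a
 * hypervisor that virtualises the TSC can shrink the gap, so treat the
 * number as a signal to correlate with out-of-band evidence, not a verdict. */
uint64_t median_cpuid_cycles(int rounds) {
    enum { MAX_ROUNDS = 256 };
    uint64_t samples[MAX_ROUNDS];
    if (rounds < 1) rounds = 1;
    if (rounds > MAX_ROUNDS) rounds = MAX_ROUNDS;
    for (int i = 0; i < rounds; i++) {
        unsigned int a = 0, b = 0, c = 0, d = 0;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);   /* leaf 0 is cheap; we are timing the exit */
        uint64_t t1 = __rdtsc();
        (void)a; (void)b; (void)c; (void)d;
        samples[i] = t1 - t0;
    }
    qsort(samples, (size_t)rounds, sizeof samples[0], cmp_u64);
    return samples[rounds / 2];
}

#else  /* non-x86 build: sentinels so the program still compiles and runs */
int hypervisor_bit_set(void) { return -1; }
int hypervisor_vendor(char *out) { out[0] = '\0'; return 0; }
uint64_t median_cpuid_cycles(int rounds) { (void)rounds; return 0; }
#endif

int main(void) {
    char vendor[13];
    int bit = hypervisor_bit_set();
    int populated = hypervisor_vendor(vendor);
    printf("hypervisor-present bit : %d\n", bit);
    printf("vendor leaf populated  : %d (\"%.12s\")\n", populated, vendor);
    printf("median CPUID cost      : %llu cycles\n",
           (unsigned long long)median_cpuid_cycles(64));
    puts("All three answers are produced by whatever sits below this OS; "
         "clean results rule nothing out.");
    return 0;
}
```

On a bare machine the first two checks come back 0 and the CPUID cost is small; on a cooperative hypervisor the bit is set, the vendor string names the product, and the cost jumps. A Vitriol-style hypervisor is in a position to return the bare-machine answers for all three, which is exactly the "mislead or lie to any operating system running inside it" problem the quoted clarification describes, and why guest-resident defenses such as PatchGuard cannot see it from the inside.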