Archive for the 'VM Rootkits' Category

Vitriol: The VT-x Rootkit - Another VM Rootkit

Tuesday, October 10th, 2006

We all remember Joanna Rutkowska and the Blue Pill rootkit she demonstrated at the Black Hat conference a few months ago. She showed how a rootkit could be installed using the hardware virtualisation provided by an AMD chip. Well, now we have a new VM rootkit called Vitriol, which was developed by security specialist Dino Dai Zovi.
Dino will demonstrate Vitriol at Microsoft’s Blue Hat conference in late October.

Vitriol is a VM rootkit for Mac OS X using Intel VT-x on Intel Core Duo/Solo processors. Dino has provided us with a PDF document of the slides he will use at the Blue Hat conference, which, by the way, is only open to selected security specialists.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft Blocks Vista Rootkit Exploit

Monday, October 9th, 2006

Rootkit researcher Joanna Rutkowska has revealed that Microsoft has blocked the method she used to install her Blue Pill rootkit.

On her blog Joanna wrote “It quickly turned out that our exploit doesn’t work anymore! The reason: Vista RC2 now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”

She then goes on to say that when she first demonstrated her method at the Black Hat conference recently, she gave three ways for Microsoft to fix the problem. Microsoft chose the easiest option for them, which was to block raw disk access from user mode. The method Microsoft chose has far-reaching effects on software companies that provide disk editor software: these companies will now need a digitally signed driver to obtain raw disk access. This also means that an attacker would “borrow” the driver from the disk editing software and use it to bypass the block Microsoft has put in place.

The other two options Joanna gave were to encrypt the pagefile and to disable kernel-mode paging. The option Microsoft took does not make the problem go away; it just adds another layer for an attacker to get through.

Well done Microsoft: you have just made the attackers’ work a bit harder, and you have also made some of them look at signed drivers a bit more closely, adding more to their malicious arsenal.

Keep Safe

regards
Steo
www.antirootkit.com

Rootkits, more emerging threats

Wednesday, August 2nd, 2006

The Black Hat Briefings in Las Vegas are a pointer to the direction particular IT trends are taking. With six presentations this year dedicated to rootkits, it is clear that rootkits are fast becoming a bigger threat to users.

Gone are the days when authors wrote rootkits for bragging rights. They are now written mostly by attackers trying to get their hands on sensitive information that users may have on their PCs or that companies may have on their networks.

Currently the method of installing and running rootkits is to place them on the hard drive of a person’s PC and have the rootkit hide itself from all but the best anti-rootkit scanners.
This year at Black Hat, Joanna Rutkowska, a senior researcher at COSEINC, a Singapore-based security company, demonstrated how rootkits could be installed at an even lower level than they are at the moment, and thus provide more stealth and ultimately more longevity.

Joanna Rutkowska showed how she could use AMD’s Pacifica hardware virtualization to install a rootkit and malware into Microsoft’s new operating system, Vista. Another similar method using Intel’s VT-x virtualization extension can also be used. According to Dino Dai Zovi, principal with Matasano Security LLC, rootkit authors can use VT-x to install malicious code that is inaccessible to the running operating system, hiding and controlling access to blocks on a disk.

There is also proof-of-concept code available to install rootkits into the BIOS of your computer, although this is hard to achieve and there are no known active rootkits circulating.
John Heasman has been playing with the ability to use the Advanced Configuration and Power Interface specification, used for power management functions in most computers, to copy data from the BIOS to the operating system. “It continues to surprise me what you can do with it,” he said. This sort of rootkit would survive reboots and would be hard to find.

There are some interesting days ahead in the rootkit world, and researchers like Joanna Rutkowska and John Heasman are way ahead in their thinking on the next attack vector.

Whatever will be next?

Keep Safe

regards
Steo
www.antirootkit.com

Blue Pill A Threat To Vista

Thursday, June 29th, 2006

Joanna Rutkowska, a researcher at Singapore-based IT security firm COSEINC, has developed proof-of-concept malware that is 100% undetectable on the machine it has infected. In her blog on Invisiblething.org, Joanna says that she developed the malware to work with AMD’s SVM/Pacifica virtualization technology, and she has called it Blue Pill. Joanna had previously worked on code called Red Pill, which can detect whether code is running under a Virtual Machine Monitor.
The virtual machine monitor, also called a hypervisor, can take control of an entire operating system.
Joanna said, “The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices”.
Joanna plans to demonstrate her proof-of-concept code at the Black Hat gathering in August. She will show how she can insert malware into a Vista installation that is totally undetectable. The user will not see any sign that such a big development has occurred on their computer.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft demonstrates Virtual Machine Rootkit - SubVirt

Sunday, March 12th, 2006

Researchers at Microsoft Research and the University of Michigan have demonstrated that rootkits can be hidden within a Virtual Machine environment.

The researchers came up with proof-of-concept code called SubVirt that loads a Virtual Machine Monitor (VMM) containing other malware of use to criminals, such as keyloggers. The VMM is installed underneath an existing operating system by exploiting vulnerabilities in that operating system. When the PC is booted it loads the VMM, which in turn loads the user’s normal operating system, whether it be XP, Linux, etc. The user will not know the VMM is loaded, as there will be no tell-tale signs. The VMM does not use much processing power or memory and will not present any information to the normal OS.

“Any code running within an attack OS is effectively invisible. The ability to run invisible malicious services in an attack OS gives intruders the freedom to use user-mode code with less fear of detection,” the researchers said.

Existing anti-rootkit tools commonly rely on comparing file system and API views and looking for discrepancies to check for the presence of rootkits, a technique that would not be able to unearth virtual machine malware, since the VMM sits below both views. The researchers hope their work will help security firms adapt their technology to combat this new class of threat.

Keep Safe

regards
Steo
www.antirootkit.com