
A New Breed of Rootkit

A new breed of rootkit is emerging on the malware scene. The new technique would render the rootkit completely undetectable, because no modifications to the operating system are necessary. Virtualization is a feature that has been present in x86 chips since the Intel 386 emerged in 1985. Aside from specialized tasks, virtualization has long been used for internal DOS emulation in Windows and used in part by virtual machines like VMware. Only now, however, are processors fast enough to allow separate virtual instances to operate in a way that is imperceptible to users. First demonstrated by the Microsoft engineers who designed the Strider rootkit detection software, the new rootkits run beneath the operating system: the modern processor is fast enough for the host operating system itself to run as a virtual machine hosted by the rootkit.

clever by starm_

This is pretty clever. If done perfectly, there'd be no way the real OS could detect infection. Anti-virus software would have to boot from a third "external" OS. Though, I'm sure that in reality imperfections in the virtualisation will allow for detection.

As another solution, I was thinking that maybe there could be some kind of hardware protection that looked for changes in the master boot record. But I'm not sure even that would work. Viruses (Virii?) could avoid modifying the critical sections and replace the real OS only later in the boot process. For increased stealthiness it would even be theoretically possible to sandwich a virus between two real OSes with two virtualisation processes running on top of each other.

RealOS1 -> VirusOS -> RealOS2

The RealOS1 would boot but it would be used only to virtually run a virus OS. Somehow the real OS would have to be modified so that it can't run anything else (especially antivirus). Then the VirusOS would virtually run an untouched copy of the real OS so that you are conned into thinking you're running only RealOS1 when in fact you are interfacing with RealOS2. This would be really hard to do, but possible in theory.

I guess a solution would be to run your OS from read-only media obtained from a trusted source and make sure you have antivirus software that verifies that there are no emulators being run without your consent.
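The "verify that no emulators are running" check the comment ends with, and the article's claim that the virtualization layer is imperceptible, as an added example (not code from the article, the commenter, or any named product): a C probe that asks the CPU whether a hypervisor announces itself through CPUID. The caveat is in the comments: a hypervisor decides what CPUID reports, so only cooperative hypervisors show up this way, and the commenter's "imperfections in the virtualisation" (timing and behavioural discrepancies) are what a stealth layer would have to be caught by.

```c
/* Added example (not from the article or the comment): probe whether a
 * hypervisor announces itself via x86 CPUID, leaf 1 ECX bit 31 and leaf 0x40000000. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Leaf 1, ECX bit 31: set by hypervisors that choose to announce themselves.
 * A rootkit hypervisor controls CPUID and can leave it clear, so 0 means
 * "nothing announced", not "no hypervisor". */
int hv_present_flag(uint32_t ecx_leaf1) {
    return (int)((ecx_leaf1 >> 31) & 1u);
}

/* Leaf 0x40000000: 12-byte vendor signature in EBX, ECX, EDX, low byte first.
 * Decode into a NUL-terminated string; out needs 13 bytes. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}
/* Returns 1 if a hypervisor announced itself (vendor filled in), 0 if not,
 * -1 if CPUID is unavailable on this build target. */
int probe_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hv_present_flag(ecx))
        return 0;
    /* 0x40000000 is outside the basic range __get_cpuid accepts; call __cpuid directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    hv_vendor_string(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}
int main(void) {
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0) puts("CPUID unavailable: non-x86 build");
    else if (r == 0) puts("no hypervisor announced (a stealth hypervisor looks identical)");
    else printf("hypervisor announced: %s\n", vendor);
    return 0;
}
```

Build with any C99 compiler on x86; under a cooperative hypervisor such as KVM or VMware the vendor signature is printed, on bare metal nothing is announced, and a hypervisor that hides itself produces the same bare-metal answer.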
