Rootkits strike back in virtualization world

Quoting from eWeek:

Microsoft’s twice-yearly BlueHat hacker summit, running Oct. 19-20, will kick off later this week with a demo of a virtual machine rootkit that can potentially be used to defeat the controversial PatchGuard technology.

Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsoft’s Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intel’s VT-x virtualization extension.

Zovi, in a blog entry, claimed that hypervisors can also be used to bypass PatchGuard on 64-bit systems, but Stephen Toulouse, a security program manager for Microsoft, explained that PatchGuard prevents modification of the data tables and is not meant to detect hypervisors.

“In this case, there is nothing [from Zovi] to indicate the attack is even trying to modify the kernel itself, and I confirmed with Matasano that’s true,” Toulouse said in an e-mail sent to eWEEK. “Vitriol doesn’t ‘defeat’ kernel patch protection,” he added.

In response, Zovi cited “confusion” around how or whether hypervisors can bypass PatchGuard and stressed that Vitriol is not an attack against [a weakness in] PatchGuard itself. “[It] is more a demonstration of how a hypervisor controls the entire universe in which an operating system runs and can mislead or lie to any operating system running inside it, thus defeating security defenses running on the guest VM,” he explained…

Read the whole article at source.

virtualization.info published an interview with Anthony Liguori, a Xen developer, about the use of virtualization by rootkits. You may want to read it here.