Rootkit migrates Windows into virtual machine
Another virtual machine rootkit that can migrate a running Windows system into a virtual machine (VM) was presented at the Microsoft-initiated BlueHat hacker conference, held at the end of October. The rootkit, known as Vitriol, uses Intel's Virtualization Technology (VT-x, formerly Vanderpool). In contrast to software virtualization techniques, hardware-based virtualization solutions have direct processor support.
Once Windows or Linux has been migrated into a VM, it is impossible for the guest to remove the rootkit, because the rootkit runs below the guest's detection horizon. Virus scanners and rootkit sniffers would have no chance of protecting the system against such rootkits. Vista's new kernel protection functions for 64-bit systems, PatchGuard and driver signature enforcement, would also be useless. Vitriol was developed by security specialist Dino Dai Zovi and has already been presented - but not demonstrated - at the Black Hat conference. By contrast, Joanna Rutkowska gave a practical demonstration of a prototype of her Blue Pill VM rootkit at Black Hat. Blue Pill uses AMD's SVM/Pacifica virtualization solution to infiltrate a hypervisor beneath Windows whilst it is running. Microsoft is also looking at the effect of VM rootkits with its SubVirt proof-of-concept rootkit.
Only selected specialists are invited to BlueHat to discuss vulnerabilities with Microsoft. The most recent BlueHat included papers from David Litchfield, Halvar Flake, H. D. Moore and Alexander Kornbrust.
- Rootkit infiltrates Beta version of Windows Vista, report on heise Security