Karp, Alan H wrote:
> Joanna Rutkowska is the name I've seen associated with this attack,
> which is frequently called Blue Pill, from the Matrix. She has
> demonstrated a running version on Vista x64 and is presenting at Black
> Hat today. According to reports, she was able to install the rootkit on
> a running system, no reboot required.
>
http://www.eweek.com/article2/0,1895,1983037,00.asp is a news article on
> the subject.
>
> The key point is that you're both right. You are safer if you use a
> virtual machine to run Windows. However, if your base system gets
> infected, virtualizability assures that there is no mechanism by which
> the OS can detect the attack.
That's not quite accurate; most VMMs are detectable, and AFAIK all VMMs
that run on x86 hardware (VT, Pacifica or otherwise) are detectable.
It is true to say that a guest OS cannot reliably detect a VMM in a
way that is useful to prevent this kind of rootkit attack, in general.
After all, we don't want guest OSes to refuse to run under any VMM;
that would be more counterproductive than helpful. Also, such a
detection mechanism could be circumvented, if the attacker writes
his/her code after the defender (and I believe this to be more practical
than Jed does).
--
David Hopwood <
david.nospam.hopwood@...>
_______________________________________________
cap-talk mailing list
cap-talk@...
http://www.eros-os.org/mailman/listinfo/cap-talk
