On Aug 3, 2006, at 10:11 AM, David Hopwood wrote:
> Karp, Alan H wrote:
>> Joanna Rutkowska is the name I've seen associated with this attack,
>> which is frequently called Blue Pill, from the Matrix. She has
>> demonstrated a running version on Vista x64 and is presenting at
>> Black Hat today. According to reports, she was able to install the
>> rootkit on a running system, no reboot required.
>>
>> http://www.eweek.com/article2/0,1895,1983037,00.asp is a news
>> article on the subject.
>>
>> The key point is that you're both right. You are safer if you use a
>> virtual machine to run Windows. However, if your base system gets
>> infected, virtualizability assures that there is no mechanism by
>> which the OS can detect the attack.
>
> That's not quite accurate; most VMMs are detectable, and AFAIK all
> VMMs that run on x86 hardware (VT, Pacifica or otherwise) are
> detectable.
>
> It is true to say that a guest OS cannot reliably detect a VMM in a
> way that is useful to prevent this kind of rootkit attack, in general.
> After all, we don't want guest OSes to refuse to run under any VMM;
> that would be more counterproductive than helpful. Also, such a
> detection mechanism could be circumvented, if the attacker writes
> his/her code after the defender (and I believe this to be more
> practical than Jed does).

It may be that
for every attack there is a defense workaround and
for every defense there is an attack workaround.
This is in contrast to the situation where you can debug a fixed set
of privileged code.
(The design has got to be right too.)
> --
> David Hopwood <david.nospam.hopwood@...>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk@...
> http://www.eros-os.org/mailman/listinfo/cap-talk