How can rootkit hypervisors affect operating system security?

How can rootkit hypervisors affect operating system security?

What can rootkits and rootkit hypervisors do to an operating system?

    Requires Free Membership to View

    Login

    SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

In short, they can do whatever their creators want! A rootkit provides the attacker root access to the computer on which it has been installed. This gives the attacker all rights and permissions to act as the administrator of the computer. A rootkit typically intercepts API (application programming interface) calls, such as requests to a file manager program like Windows Explorer. Malware writers use this low-level system manipulation to make their programs virtually undetectable. Some even create "kernel rootkits," which modify the kernel component of the targeted operating system, corrupting the OS at such a low level that the rootkit is difficult to detect and completely remove.

A rootkit hypervisor is similar to a rootkit in that it gives the attacker control over the infected machine. However, a rootkit hypervisor is even more powerful and dangerous since a hypervisor is a virtualization software layer that runs between the operating system and hardware, acting as a virtual machine (VM) monitor. This scenario allows multiple operating systems to run on the same processor at the same time. One of the key benefits of hypervisor technology is that it creates a robust system. Even if one operating system were to crash, the others could continue working without interruption. Both AMD and Intel are creating virtual machine-enabled chips. Intel's Core Solo and Duo processors are examples.

A rootkit hypervisor doesn't rely on hacking the kernel, rather it assumes control by running the original operating system in a virtual machine. By controlling the complete universe in which an operating system runs, it deceives any operating system running inside it, thus defeating the guest VM's security defenses. This means there's really no practical way to detect the attack except through extreme measures.

During the Black Hat 2006 convention, there was a demonstration of a rootkit, code-named Blue Pill, that used AMD's SVM/Pacifica virtualization technology to target Microsoft's Windows Vista operating system. This rootkit supposedly traps a running instance of the operating system into a virtual machine, allowing it to act as a hypervisor. The rootkit can then gain complete control of the computer while being completely undetected. As yet, there have been no virtualization-based rootkits seen in the wild, but there most likely will be, particularly as organized crime invests in sophisticated malicious code development. Although business versions of Microsoft's Windows Vista can be run as virtual machines, the Home Basic and Home Premium editions, thankfully, cannot. I certainly agree with Microsoft when it says that consumers don't understand the risks of running virtual machines!

More information:

  • Learn the consequences of a hacked virtual machine.
  • Prevent an FU rootkit from spreading throughout a network.

    • This was first published in January 2007