COVER STORY: Virtualizing Rootkits

VIRTUAL MALWARE
Virtualizing rootkits and the future of system security

A new generation of rootkits avoids detection by virtualizing the compromised system – and the user doesn’t notice a thing.

BY WILHELM DOLLE AND CHRISTOPH WEGENER
MAY 2008, ISSUE 90

In the typical cat-and-mouse game of attackers and defenders, the aim of the game is to gain or keep control of the operating system (see Figure 1). Legacy malware tries to escalate privileges and, if possible, to run in ring 0, the operating system’s kernel mode. Once it gets there, the exploit, and thus the attacker, can manipulate the system.

Virtualization is often heralded as a big advance for system security. Multiple virtual systems can run on the same hardware without the ability to influence each other. This isolation prevents a number of standard attack techniques, but today’s virtualization technologies also open a whole new frontier for attacks that never would have been possible in the past. Experts are already talking about a new generation of rootkits that will exploit the powers of virtualization to avoid detection.

Rootkits let an attacker secretly sustain privileged access to a computer. A rootkit can hide processes, network connections, files, and directories to remotely control the victim’s PC, install backdoors, sniff network packets, or log keystrokes. Once the rootkit is running in kernel mode, it can filter and manipulate system call return values and very effectively hide files, directories, and processes. A rootkit with access to kernel mode can easily terminate applications run in user mode (ring 3) by any normal user, including root. Once it has conquered the kernel, the rootkit is extremely difficult to identify and remove. Of course, the legitimate owner of the computer can also use kernel mode to set up an effective line of defense.

Figure 1: Detection software can only identify malware running at the same (or a higher) level, like the malware and the detector in this figure. (Layers shown: Malware and Detector, Target Operating System, Host Hardware.)

Virtualization essentially acts as another ring with even higher privileges than ring 0. Anyone who compromises the virtualization environment practically controls the whole physical environment on which the system runs. Malware hiding in this layer is even more difficult to discover and to remove than malware in kernel mode.

Researchers at the University of Michigan and from Microsoft Research demonstrated an initial proof of concept rootkit dubbed SubVirt [1] in March 2006, thus spawning the first generation of rootkits to exploit virtualization. After infecting a computer, the rootkit installs itself below the existing system and runs on a virtual machine after rebooting. To allow this to happen, SubVirt also modifies the boot sequence so that the BIOS no longer loads the Master Boot Record (MBR) belonging to the operating system directly but instead starts a virtual machine. The virtual machine then executes the BIOS and launches the operating system copied into the virtual environment via the MBR.

While users carry on working on their – virtual – operating systems, unaware of what has happened, SubVirt launches a second instance and performs all kinds of nasty tricks. The rootkit cannot be terminated or uninstalled by the guest system because the rootkit controls the virtual machine on which the victim’s guest system is running. Security researchers refer to this technique as a virtual machine-based rootkit (VMBR).

Figure 2 shows the new situation; the gray areas are occupied by the rootkit. The attacker’s ability to control the victim’s system also improves because the rootkit can now use the Virtual Machine Monitor (VMM) to manipulate, forward, or block arbitrary data and hardware characteristics en route to the guest operating system, without leaving the slightest trace of evidence that could be detected by legacy methods.

The researchers demonstrated their ability to compromise both Windows XP and Linux machines, implementing proof of concept attacks with four different vectors, including a phishing web server, a keyboard logger, and spyware that scans the infected system for confidential data.

The technology used by the Windows version of SubVirt is based on Microsoft’s Virtual PC software, and the Linux version is based on VMware. However, you do need administrative privileges for the system to install the rootkit, although an attacker could use any number of approaches to gain administrative status.

Figure 2: A rootkit that attacks the virtualization layer has wide-ranging privileges. The guest operating system can’t terminate or uninstall the software. (Layers shown: Application and Detector, Malware, Target Operating System, Host Operating System, Virtual Machine Monitor (VMM), Host Hardware.)

Discovery

Virtualization technologies such as VMware or Xen are so widespread that discovering an operating system is running in a virtual environment does not necessarily mean you have found a rootkit. Most diagnostic tools demonstrate the existence of the virtual environment on the basis of anomalies. They measure response times, with the assumption that the same command should take longer to complete in a virtual environment than natively – assuming identical hardware and an identical installation. The effect is caused by the virtual machine consuming CPU cycles itself.

This kind of automated timekeeping might be fine to detect a legitimate virtual machine; however, it does not rule out the existence of a rootkit because the rootkit would also control the internal clock. Also, the idea of using external hardware to measure response times manually does not scale very well.

What really gives away an infected system is anomalies in the visible hardware configuration, which are typical for a virtual environment and particularly true of graphics and network adapters. By comparing the known physical configuration with the output from commands like system-info, hwinfo, or the /proc filesystem, you can discover the differences (Figure 3). Windows admins will have to use the device manager or third-party tools.

The free disk space, or free memory, could also point to the existence of a virtual environment. For example, if you are unable to use the total physical size of your hard disk, the host system of a virtual machine might need this space itself. But be careful: The host system might also manipulate this data, in that it can control any kind of important output to the guest system.

Figure 3: Tools like “hwinfo” help to find the differences between physical hardware and the hardware the operating system identifies.

Boot Externally and Scan the Disk

The rootkit described earlier, SubVirt, resides persistently on the hard disk; however, these changes are very difficult to identify on the running system. To reliably identify an infection, you might need to switch off the machine, boot from a different medium, and analyze the hard disk – of course, this method is problematic for many servers.

Tools developed specifically for this purpose give administrators another approach to detecting the existence of a virtualized operating system. For example, Joanna Rutkowska released Red Pill [2] late in 2004. It works because the SIDT, SGDT, and SLDT instructions executed by virtual systems return values different from those returned by a native CPU. For example, the SIDT instruction returns the address of the interrupt table. As an alternative, Tobias Klein’s Scoopy doo [3] and Jerry [4] tools will detect a VMware environment. If you are sure that you are running a system without virtualization software, positive findings by these tools are a real indication of an active VMBR.

CPU-Supported

This new generation of virtualizing rootkits might be dangerous, but, as you might expect, this technique also has some weaknesses. For example, the rootkit needs to reboot to become active, and the reboot is easy to detect.

Rootkit programmers have cooked up other techniques – some based on the more recent development of hardware-based virtualization. Either the whole system is virtualized – this is the case with IBM’s logical partitions (LPAR [5]), for example – or virtualization is restricted to individual components, such […] itself takes care of keeping the guest system’s and the VMM’s processes apart because their logic is inaccessible even to ring 0 processes. The ability to do without modification steps in the VMM helps the system achieve better performance.

Some researchers have started using hardware-based virtualization as a role model for a new generation of rootkits that benefit from the processor technology that allows them to insert an additional hypervisor between the visible hardware and the software. The hypervisor takes control of the system and converts the original operating system into a virtual guest on the fly. In contrast to software-based virtualization, this kind of hijacking does not need a restart, and that makes it all the more difficult to detect the intrusion. Some rootkits use this kind of nesting technology, such as Blue Pill [8] by Joanna Rutkowska, which was released in 2006 for AMD-V, or Vitriol [9], which is suitable for Intel VT thanks to Dino Dai Zovi.
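The hardware-configuration comparison from the Discovery section, as an added example that is not part of the original article: a small Python script that diffs a PCI device inventory recorded at installation time (and kept off the machine) against what the running system reports. The two inventories are constructed sample data in `lspci -nn` style, and the short list of virtual-hardware PCI vendor IDs is an assumption standing in for a list an administrator would maintain.

```python
import re
from dataclasses import dataclass

# One line of `lspci -nn` output: bus address, class name, [class code]: description [vendor:device]
LSPCI_LINE = re.compile(
    r"^(?P<addr>[0-9a-f:.]+)\s+"
    r"(?P<cls>.+?)\s+\[(?P<clscode>[0-9a-f]{4})\]:\s+"
    r"(?P<desc>.+?)\s+\[(?P<vid>[0-9a-f]{4}):(?P<did>[0-9a-f]{4})\]"
)

# PCI vendor IDs that only appear on emulated hardware (assumed administrator-maintained
# list): VMware, Red Hat virtio devices, and VirtualBox.
VIRTUAL_VENDOR_IDS = {"15ad": "VMware", "1af4": "virtio (Red Hat)", "80ee": "VirtualBox"}

# Constructed baseline: what was physically installed, recorded at install time.
BASELINE_INVENTORY = """\
00:02.0 VGA compatible controller [0300]: Intel Corporation 82945G/GZ Integrated Graphics Controller [8086:2772]
00:19.0 Ethernet controller [0200]: Intel Corporation 82566DM Gigabit Network Connection [8086:104a]
00:1f.2 IDE interface [0101]: Intel Corporation 82801GB/GR/GH (ICH7 Family) SATA IDE Controller [8086:27c0]
"""

# Constructed "current" inventory as a guest inside a VMM would typically see it.
CURRENT_INVENTORY = """\
00:02.0 VGA compatible controller [0300]: VMware SVGA II Adapter [15ad:0405]
00:11.0 Ethernet controller [0200]: Advanced Micro Devices, Inc. [AMD] 79c970 [PCnet32 LANCE] [1022:2000]
00:07.1 IDE interface [0101]: Intel Corporation 82371AB/EB/MB PIIX4 IDE [8086:7111]
"""


@dataclass(frozen=True)
class PciDevice:
    class_code: str
    class_name: str
    vendor_id: str
    device_id: str
    description: str


def parse_inventory(text):
    """Parse lspci-style lines into PciDevice records; lines in another format are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if m:
            devices.append(PciDevice(m["clscode"], m["cls"], m["vid"], m["did"], m["desc"]))
    return devices


def compare_inventories(baseline_text, current_text):
    """Return a list of (category, message) findings.

    Devices are matched by class code plus vendor:device ID rather than by bus
    address, because the address depends on the bus the (virtual) firmware presents.
    """
    baseline = {(d.class_code, d.vendor_id, d.device_id): d for d in parse_inventory(baseline_text)}
    current = {(d.class_code, d.vendor_id, d.device_id): d for d in parse_inventory(current_text)}
    findings = []
    for key, dev in baseline.items():
        if key not in current:
            findings.append(("missing", f"{dev.class_name}: {dev.description} "
                             f"[{dev.vendor_id}:{dev.device_id}] recorded at install time but not visible now"))
    for key, dev in current.items():
        if key in baseline:
            continue
        vendor = VIRTUAL_VENDOR_IDS.get(dev.vendor_id)
        if vendor:
            findings.append(("virtual-hardware", f"{dev.class_name}: {dev.description} "
                             f"[{dev.vendor_id}:{dev.device_id}] is {vendor} emulated hardware"))
        else:
            findings.append(("unexpected", f"{dev.class_name}: {dev.description} "
                             f"[{dev.vendor_id}:{dev.device_id}] not in the recorded baseline"))
    return findings


def looks_virtualized(findings):
    """True when at least one device has been replaced by known emulated hardware."""
    return any(category == "virtual-hardware" for category, _ in findings)


if __name__ == "__main__":
    for category, message in compare_inventories(BASELINE_INVENTORY, CURRENT_INVENTORY):
        print(f"[{category}] {message}")
    print("virtualized:", looks_virtualized(compare_inventories(BASELINE_INVENTORY, CURRENT_INVENTORY)))
```

A "virtual-hardware" hit on a machine that was installed on bare metal is exactly the graphics and network adapter anomaly the article describes; the "missing" and "unexpected" categories catch replacement devices whose vendor is not on the list. Because the guest only ever sees what the VMM lets through, a clean result is not proof of absence, which is why the article also recommends booting from a different medium.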
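The offline check described under Boot Externally and Scan the Disk, as an added example that is not from the article: after booting from a separate medium, read sector 0 of the suspect disk and compare its boot code against a SHA-256 digest recorded when the system was installed, confirm the 55AA boot signature, and check that exactly one partition is flagged bootable. Both sectors below are constructed placeholders (no real boot loader code) so that the script runs offline; `read_sector0`, `build_mbr` and the digest values are assumptions of the example, not tools from the article.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # boot code occupies bytes 0..445 of the MBR
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
# Partition entry: status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
PARTITION_ENTRY = "<B3xB3xII"


def read_sector0(path):
    """Read the first 512 bytes of a block device or disk image (run from rescue media)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def partition_entries(mbr):
    """Decode the non-empty partition table entries of a 512-byte sector."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            PARTITION_ENTRY, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(mbr):
    """SHA-256 over the boot code only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, known_good_digest):
    """Return (ok, findings) for a sector read while the suspect system is powered off."""
    if len(mbr) != SECTOR_SIZE:
        return False, [f"expected a {SECTOR_SIZE}-byte sector, got {len(mbr)} bytes"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if boot_code_digest(mbr) != known_good_digest:
        findings.append("boot code differs from the recorded known-good copy")
    bootable = [p for p in partition_entries(mbr) if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} partitions flagged bootable (expected exactly 1)")
    return not findings, findings


def build_mbr(boot_code, partitions):
    """Assemble a sector from placeholder boot code and (bootable, type, lba_start, sectors)
    tuples. Constructed for this example only; a real check reads sector 0 with read_sector0."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code[:BOOT_CODE_LEN])] = boot_code[:BOOT_CODE_LEN]
    for i, (bootable, ptype, start, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed known-good sector: placeholder "boot code" and one bootable Linux (0x83) partition.
KNOWN_GOOD_MBR = build_mbr(b"KNOWN-GOOD-BOOT-CODE-PLACEHOLDER" * 4, [(True, 0x83, 2048, 4194304)])
KNOWN_GOOD_DIGEST = boot_code_digest(KNOWN_GOOD_MBR)   # recorded at install time, stored off-host

# Constructed tampered sector: boot code replaced, partition table untouched. This is the
# pattern a rootkit that reroutes the boot sequence leaves behind on disk.
TAMPERED_MBR = build_mbr(b"REPLACED-BOOT-CODE-PLACEHOLDER" * 4, [(True, 0x83, 2048, 4194304)])


if __name__ == "__main__":
    for label, sector in (("known-good", KNOWN_GOOD_MBR), ("tampered", TAMPERED_MBR)):
        ok, findings = check_mbr(sector, KNOWN_GOOD_DIGEST)
        print(f"{label}: {'clean' if ok else 'SUSPECT'} {findings}")
```

Hashing only the boot code keeps the baseline stable across partition resizes, while the bootable-flag and signature checks catch cruder edits. The point of the article's advice is the vantage point, not the hashing: the same comparison run from inside a guest could be answered with whatever sector the VMM chooses to show.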