Virtualizing COVER STORY

d a v o r r, F o to lia

VIRTUALVirtualizing rootkits and the future ofMALWARE system security

A new generation of rootkits avoids detection by virtualizing the compromised system – and the user doesn’t

notice a thing. BY WILHELM DOLLE AND CHRISTOPH WEGENER

n the typical cat-and-mouse game of Rootkits let an attacker secretly sus- Virtualization essentially acts as an- attackers and defenders, the aim of tain privileged access to a computer. A other ring with even higher privileges Ithe game is to gain or keep control of can hide processes, network con- than ring 0. Anyone who compromises the (see Figure 1). Leg- nections, files, and directories to re- the virtualization environment practi- acy malware tries to escalate privileges motely control the victim’s PC, install cally controls the whole physical envi- and, if possible, to run in ring 0, the op- backdoors, sniff network packets, or log ronment on which the system runs. Mal- erating system’s kernel mode. Once it keystrokes. Once the rootkit is running ware hiding in this layer is even more gets there, the exploit, and thus the at- in kernel mode, it can filter and manipu- difficult to discover and to remove than tacker, can manipulate the system. late system call return values and very malware in kernel mode. Virtualization is often heralded as a effectively hide files, directories, and Researchers at the University of Michi- big advance for system security. Multiple processes. gan and from Microsoft Research dem- virtual systems can run on the same A rootkit with access to kernel mode onstrated an initial proof of concept hardware without the ability to influence can easily terminate applications each other. This isolation prevents a run in user mode (ring 3) by any number of standard attack techniques, normal user, including root. Malware Detector but today’s virtualization technologies Once it has conquered the ker- Target Operating System also open a whole new frontier for at- nel, the rootkit is extremely diffi- tacks that never would have been possi- cult to identify and remove. Of Host Hardware ble in the past. Experts are already talk- course, the legitimate owner of ing about a new generation of rootkits the computer can also use kernel Figure 1: Detection software can only identify that will exploit the powers of virtualiza- mode to set up an effective line malware running at the same (or a higher) level, like tion to avoid detection. of defense. the malware and the detector in this figure.

MAY 2008 ISSUE 90 39

039-043_virtualsecurity.indd 39 12.03.2008 13:49:22 Uhr COVER STORY Virtualizing Rootkits

work adapters. By comparing the known Application Detector physical configuration with the output Malware from commands like system-info, Target Operating System hwinfo, or the /proc filesystem, you can Host Operating System Virtual Machine Monitor (VMM) discover the differences (Figure 3). Win- dows admins will have to use the device Host Hardware manager or third-party tools. The free disk space, or free memory, Figure 2: A rootkit that attacks the virtualization layer has wide-ranging privileges. The could also point to the existence of a vir- guest operating system can’t terminate or uninstall the software. tual environment. For example, if you are unable to use the total physical size rootkit dubbed SubVirt [1] in March version is based on VMware. However, of your hard disk, the host system of a 2006, thus spawning the first generation you do need administrative privileges for virtual machine might need this space of rootkits to exploit virtualization. After the system to install the rootkit, although itself. But be careful: The host system infecting a computer, the rootkit installs an attacker could use any number of ap- might also manipulate this data, in that itself below the existing system and runs proaches to gain administrative status. it can control any kind of important out- on a virtual machine after rebooting. put to the guest system. To allow this to happen, SubVirt also Discovery modifies the boot sequence so that the Virtualization technologies such as VM- Boot Externally and Scan BIOS no longer loads the Master Boot ware or are so widespread that dis- the Disk Record (MBR) belonging to the operating covering an operating system is running The rootkit described earlier, SubVirt, re- system directly but instead starts a vir- in a virtual environment does not neces- sides persistently on the hard disk; how- tual machine. The virtual machine then sarily mean you have found a rootkit. ever, these changes are very difficult to executes the BIOS and launches the op- Most diagnostic tools demonstrate the identify on the running system. To reli- erating system copied into the virtual existence of the virtual environment on ably identify an infection, you might environment via the MBR. the basis of anomalies. They measure re- need to switch off the machine, boot While users carry on working on their sponse times, with the assumption that from a different medium, and analyze – virtual – operating systems, unaware the same command should take longer the hard disk – of course, this method of what has happened, SubVirt launches to complete in a virtual environment is problematic for many servers. a second instance and performs all kinds than natively – assuming identical hard- Tools developed specifically for this of nasty tricks. The rootkit cannot be ter- ware and an identical installation. The purpose give administrators another ap- minated or uninstalled by the guest sys- effect is caused by the virtual machine proach to detecting the existence of a tem because the rootkit controls the vir- consuming CPU cycles itself. virtualized operating system. For exam- tual machine on which the victim’s This kind of automated timekeeping ple, Joanna Rutkowska released Red Pill guest system is running. Security re- might be fine to detect a legitimate vir- [2] late in 2004. It works because the searchers refer to this technique as a vir- tual machine; however, it does not rule SIDT, SGDT, and SLDT instructions exe- tual machine-based rootkit (VMBR). out the existence Figure 2 shows the new situation; the of a rootkit be- gray areas are occupied by the rootkit. cause the rootkit The attacker’s ability to control the vic- would also control tim’s system also improves because the the internal clock. rootkit can now use the Virtual Machine Also, the idea of Monitor (VMM) to manipulate, forward, using external or block arbitrary data and hardware hardware to mea- characteristics en route to the guest op- sure response erating system, without leaving the times manually slightest trace of evidence that could be does not scale detected by legacy methods. very well. The researchers demonstrated their What really ability to compromise both Windows XP gives away an in- and machines, implementing fected system is proof of concept attacks with four differ- anomalies in the ent vectors, including a phishing web visible hardware server, a keyboard logger, and spyware configuration, that scans the infected system for confi- which are typical dential data. for a virtual envi- The technology used by the Windows ronment and par- version of SubVirt is based on Micro- ticularly true of Figure 3: Tools like “hwinfo” help to find the differences between soft’s Virtual PC software, and the Linux graphics and net- physical hardware and the hardware the operating system identifies.

40 ISSUE 90 MAY 2008

039-043_virtualsecurity.indd 40 12.03.2008 13:49:25 Uhr cuted by virtual systems re- itself takes care of keeping D@JJ@E> turn values different from the guest system’s and the those returned by a native VMM’s processes apart be- CPU. For example, the SIDT cause their logic is inaccessi- C@ELOD8>8Q@E<6 instruction returns the ad- ble even to ring 0 processes. dress of the interrupt table. The ability to do without As an alternative, Tobias modification steps in the Klein’s Scoopy doo [3] and VMM helps the system Jerry [4] tools will detect a achieve better performance. VMware environment. If you Some researchers have are sure that you are running started using hardware-based a system without virtualiza- virtualization as a role model tion software, positive find- for a new generation of root- ings by these tools are a real kits that benefit from the pro- indication of an active VMBR. cessor technology that allows them to insert an additional CPU-Supported hypervisor between the visi- This new generation of virtu- ble hardware and the soft- alizing rootkits might be dan- ware. The hypervisor takes gerous, but, as you might ex- control of the system and pect, this technique also has converts the original operat- some weaknesses. For exam- ing system into a virtual ple, the rootkit needs to re- guest on the fly. In contrast to boot to become active, and software-based virtualization, the reboot is easy to detect. this kind of hijacking does

nnn%c`elo$dX^Xq`e\%Zfd&Aljk8jb

039-043_virtualsecurity.indd 41 12.03.2008 13:49:26 Uhr COVER STORY Virtualizing Rootkits

be discovered offline in the course of the tem was running in a virtual environ- to be valid, permitted, or trustworthy. forensic investigation. ment, which does not necessarily mean Incorrect hash values indicate unau- The Internet is full of bulky and con- a rootkit infection. thorized changes to the system and trig- troversial discussions about how easy it To avoid discovery, Rutkowska and ger suitable responses from the evaluat- is to identify a second-generation rootkit. Tereshkin have additionally developed a ing instance, such as cancellation of the Of course, command run-time measure- program called Blue Chicken [11], which boot process or kernel panic. If the eval- ments like those described earlier will be detects timing analyses and temporarily uation and the possible response occur less reliable here because the overhead removes the malware from virtual mem- while the system is booting, this is re- is smaller (or nonexistent) thanks to the ory, thus preventing any timing anoma- ferred to as a secure boot. If this hap- host system. Because Joanna Rutkowska lies. The race between the tortoise and pens later – typically being handled by originally announced her Blue Pill as the hare – that is, the game of hiding and the operating system – this is referred “undetectable Malware,” people were discovering rootkits – is very much in to as a trusted boot. quick to prove her wrong. Many sugges- full swing. These techniques allow the adminis- tions as to detecting the rootkit by trator to verify the integrity of the whole means of timing analysis were put for- Prevention system from the boot processes to the ward. The approaches at best only man- Faced with the difficulty in identifying VMM. The TPM chip and parts of the aged to confirm that the operating sys- a rootkit once it has been installed, the BIOS act as a core root of trust for mea- need to safeguard and monitor the boot surement. When the system boots, the INFO process and the VMM becomes critical. TPM chip helps the BIOS verify parts of [1] “SubVirt: Implementing Malware with The admin’s best approach is to avoid itself and stores the hash values in the Virtual Machines” by Samuel T. King, an infection. TPM platform configuration registers. Peter M. Chen, Yi-Min Wang, et al. From a technical point of view, the After this has happened, the BIOS inves- Proceedings of the 2006 IEEE Sympo- models suggested by the Trusted Com- tigates the master boot record on the sium on Security and Privacy, http:// puting Group (TCG [12]) seem like a boot device and hands over control to www. eecs. umich. edu/ Rio/ papers/ good place to start. The key component the bootloader. king06. pdf is a Trusted Platform Module (TPM), a If the bootloader has been instructed [2] “Red Pill … Or How To Detect VMM Using (Almost) one CPU Instruction” hardware chip that implements the TCG to do so, it will carry on measuring val- by Joanna Rutkowska. http:// model on the computer’s motherboard. ues. Suitable targets are the bootloader i The TPM chip provides cryptographic configuration file, the initial RAM disk, [3] Scoopy doo: http:// www. trapkit. de/ functions and operations, which are ad- the kernel file, the VMM file, and so on. research/ vmm/ scoopydoo/ index. html dressable through the BIOS and the op- If this is done consistently, the result is [4] Jerry: http:// www. trapkit. de/ research/ erating system, to assess how trustwor- a chain of trust from the BIOS to the vmm/ jerry/ index. html thy a system is. VMM. The VMM is the master of all the [5] IBM LPAR: On top of this, the TPM chip can be guest systems and can verify their integ- http:// en. wikipedia. org/ wiki/ LPAR used to perform integrity checks during rity and respond appropriately, depend- [6] Intel Virtualization Technology: the boot process. To allow this to hap- ing on what you want to achieve, with- http:// www. intel. com/ technology/ pen, special routines for critical system out the guest systems influencing the platform-technology/ virtualization/ components calculate cryptographic process. This all sounds fine in theory, index. htm hashes and store them in the TPM chip’s but taking care of the details can be time [7] AMD Virtualization technology: http:// multicore. amd. com/ us-en/ platform configuration registers (PCRs). consuming. AMD-Multi-Core/ Quad-Core-Advan- The corresponding evaluation instance To achieve a demonstrably secure tage/ At-Work-AMD-Opteron/ compares the hash values calculated boot, the reference values for each ele- Virtualization. aspx with the stored reference values and de- ment in the chain of trust must reside in [8] Blue Pill: http:// theinvisiblethings. clares the current system configuration trustworthy memory. The only place to blogspot. com/ 2006/ 06/ introducing-blue-pill. html NeoWare [9] Vitriol: http:// www. theta44. org/ software/ The names of the two rootkits men- there is no turning back. [In his left hand, HVM_Rootkits_ddz_bh-usa-06. pdf tioned in this article, Red Pill and Blue Morpheus shows a blue pill.] You take Pill, are lifted from the movie “Matrix” the blue pill and the story ends. You [10] Blue Pill redesign: (1999). In once scene, Morpheus (Lau- wake in your bed and believe whatever http:// bluepillproject. org rence Fishburne) gives the hacker Neo you want to believe. [A red pill is shown [11] “IsGameOver() Anyone?” by Joanna (Keanu Reeves) a choice, which he has in his other hand.] You take the red pill Rutkowska and Alexander Tereshkin. to take by swallowing either the red or and you stay in Wonderland and I show Invisible Things Lab, 2007, http:// bluepillproject. org/ stuff/ the blue pill. The scene plays in an old you how deep the rabbit-hole goes. IsGameOver. ppt high-rise building. [Long pause; Neo begins to reach for the red pill.] Remember – all I am offering is [12] TCG: http:// www. Morpheus: Unfortunately, no one can be trustedcomputinggroup. org/ home told what the Matrix is. You have to see it the truth, nothing more. [Neo takes the red pill and swallows it with a glass of [13] The Matrix: http:// www. whysanity. for yourself. [Bends forwards towards water.] (Source [13]) net/ monos/ matrix3. html Neo.] This is your last chance. After this,

42 ISSUE 90 MAY 2008

039-043_virtualsecurity.indd 42 12.03.2008 13:49:31 Uhr Virtualizing Rootkits COVER STORY

store the BIOS' checksum and hash And the question of whether users contexts, but virtualization also intro- value at the start of the train of trust is in should be able to influence this is an- duces new vectors for malware. the TPM chip’s own NVRAM. Then the other hard nut to crack. Initial concepts impressively demon- BIOS must store the MBR reference val- The whole infrastructure is very low strate how rootkits can exploit virtual- ues in its own NVRAM, and the boot- level; for example, Intel’s VT follows the ization to hide malicious processes. In loader must have the reference values model with its “Secure Extensions” and the future, more implementations can be for the bootloader configuration file, and “Secure Boot” implementations. Because expected. So far, none of these state-of- so on – the verifying instance guarantees of technical complexities, production de- the-art virtualizing rootkits has appeared the trustworthiness of the next link in ployment of this feature on PC systems in the wild, but it makes very good sense the chain, including the reference values is unlikely to be worthwhile in the near to keep an eye on security in the virtual stored in that link. future. Embedded systems, mobile world. ■ phones, and PDAs, on which reference Best References value management is easier to handle, Wilhelm Dolle, CISA, CISM, CISSP Secure boot imposes some fairly strin- seem more likely candidates. (http:// www. dolle. net), is Senior Se- gent constraints on reference value A question still remains as to who the curity Consultant with HiSolutions management. This also means that the origin of trust should be: the owner of in Berlin and is a BSI-licensed ISO 27001 basic protection auditor. He admin has to replace the reference val- the system, the manufacturer, or even a has written for periodicals and also ues stored in the TPM chip after flashing third party? The owner is always in dan- serves as a university lecturer. the BIOS with new firmware, and if the ger of losing control of the system be- Christoph Wegener, CISA and CBP, bootloader codes change, the reference cause, say, a rootkit compromises all has a Ph.D. in physics and has value in the BIOS must be changed, and of these measures, or a manufacturer worked as a freelancer since 1999 so on. All of these transactions have to wants to dictate the software a user can for IT security and Open Source/

be secure, and this is only possible with install on the system. THE AUTHORS Linux at Wecon.it consulting (http:// trustworthy and authorized instances. Virtualization is increasingly making www. wecon. net). He has published If an action fails, the administrator inroads into daily server operations. The various articles and has acted as a also needs some kind of backup and virtual environment offers many security technical consultant for expert ser- vices for publishing companies. recovery mechanism to boot the system. benefits through isolation and parallel 16 PROCESSOR CORES • Quad AMD Opteron 8000 • 2U rackmount • Serial ATA or SAS RAID 16 cores from £3,758 + VAT • Up to 64GB of memory 8 cores from £2,573 + VAT • Linux OS Prices correct as of 16-10-2007

DNUK is one of the UK’s leading suppliers of workstations, servers and storage systems designed and optimised for the GNU/Linux based operating systems. From scientific to e-commerce applications, our products can be used as building blocks to create complete solutions. We’ve been building Linux computers since September 1998. www.dnuk.com [email protected] 0161 343 5333

039-043_virtualsecurity.indd 43 12.03.2008 13:49:33 Uhr