AOH :: ISN-3153.HTM

'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit

'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit
'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit,1895,2032661,00.asp 

By Ryan Naraine
October 17, 2006

Updated: Microsoft's twice-yearly BlueHat summit will kick off with a 
demo of a virtualization-based rootkit that can be used to defeat the 
company's PatchGuard technology. 

Microsoft's twice-yearly BlueHat hacker summit, running Oct. 26-27, 
will kick off later this week with a demo of a virtual machine rootkit 
that can potentially be used to defeat the controversial PatchGuard 

Dino Dai Zovi, a principal at penetration-testing outfit Matasano 
Security, has been invited to Microsoft's Redmond, Wash., campus to 
showcase a hardware VM-based rootkit called Vitriol that piggybacks on 
Intel's VT-x virtualization extension. 

Zovi, an expert on exploitation techniques, 802.11 wireless attacks and 
operating system kernel security, will demo the rootkit at the 
conference, to which select members of the hacking community are invited 
to brainstorm security issues with Microsoft employees and executives.

The Vitriol presentation is an expansion of a talk given by Zovi (here 
as a PDF [1]) at the Black Hat Briefings in Las Vegas in August, and 
will include a technical explanation of how Intel's VT-x extensions can 
allow malicious hackers to install a "rootkit hypervisor" that invisibly 
runs the original operating system in a virtual machine.

Zovi plans to demonstrate how the Vitriol rootkit can migrate a running 
operating system into a hardware virtual machine on the fly and install 
itself as a rootkit hypervisor. The malicious code becomes inaccessible 
to the operating system, maintaining stealth and controlling access to 
the malware. 

Zovi, in a blog entry, claimed that hypervisors can also be used to 
bypass PatchGuard on 64-bit systems, but Stephen Toulouse, a security 
program manager for Microsoft, explained that PatchGuard prevents 
modification of the data tables and is not meant to detect hypervisors.

"In this case, there is nothing [from Zovi] to indicate the attack is 
even trying to modify the kernel itself, and I confirmed with Matasano 
that's true," Toulouse said in an e-mail sent to eWEEK. "Vitriol doesn't 
'defeat' kernel patch protection," he added.

In response, Zovi cited "confusion" around how or whether hypervisors 
can bypass PatchGuard and stressed that Vitriol is not an attack against 
[a weakness in] PatchGuard itself. "[It] is more a demonstration of how 
a hypervisor controls the entire universe in which an operating system 
runs and can mislead or lie to any operating system running inside it, 
thus defeating security defenses running on the guest VM," he explained.

Microsoft officials declined to comment on the BlueHat schedule. 
According to sources familiar with the company's plans, BlueHat v4 will 
feature a roster of well-known white hat researchers specializing in OS 
kernel hardening, database security and application threat modeling.

The source said the company is looking for "new faces" to talk at the 
two-day event. Researchers who made presentations at BlueHat v3 in March 
2006 are being invited back as attendees.

At the Spring 2006 sessions, the roster of presenters included database 
security experts David Litchfield and Alexander Kornbrust, Web 
applications security researcher Caleb Sima, Metasploit founder HD Moore 
and reverse engineering guru Halvar Flake.

Moore, Flake and Kornbrust said they will not be attending the sessions 
this week. 

Zovi's virtual machine rootkit presentation comes on the heels of a 
Black Hat demo by stealth malware researcher Joanna Rutkowska of Blue 
Pill, new technology that is capable of creating malware that remains 
"100 percent undetectable," even on Windows Vista x64 systems

Rutkowska's Blue Pill prototype uses Advanced Micro Devices' 
SVM/Pacifica virtualization technology to create an ultrathin hypervisor 
that takes complete control of the underlying operating system.

Rutkowska, who also showed off a way to defeat the device driver signing 
requirement in Windows Vista, told eWEEK she has never been invited to 
speak at Microsoft's BlueHat.

Microsoft's own Cybersecurity and Systems Management Research Group has 
also created a proof-of-concept rootkit called SubVirt that exploits 
known security flaws and drops a VMM (virtual machine monitor) 
underneath a Windows or Linux installation.

This story was updated to include comments from Microsoft's Stephen 


Visit the InfoSec News store! 

Site design & layout copyright © 1986-2014 CodeGods