By Ryan Naraine
October 17, 2006
Updated: Microsoft's twice-yearly BlueHat summit will kick off with a
demo of a virtualization-based rootkit that can be used to defeat the
company's PatchGuard technology.
Microsoft's twice-yearly BlueHat hacker summit, running Oct. 26-27,
will kick off later this week with a demo of a virtual machine rootkit
that can potentially be used to defeat the controversial PatchGuard
Dino Dai Zovi, a principal at penetration-testing outfit Matasano
Security, has been invited to Microsoft's Redmond, Wash., campus to
showcase a hardware VM-based rootkit called Vitriol that piggybacks on
Intel's VT-x virtualization extension.
Zovi, an expert on exploitation techniques, 802.11 wireless attacks and
operating system kernel security, will demo the rootkit at the
conference, to which select members of the hacking community are invited
to brainstorm security issues with Microsoft employees and executives.
The Vitriol presentation is an expansion of a talk given by Zovi (here
as a PDF ) at the Black Hat Briefings in Las Vegas in August, and
will include a technical explanation of how Intel's VT-x extensions can
allow malicious hackers to install a "rootkit hypervisor" that invisibly
runs the original operating system in a virtual machine.
Zovi plans to demonstrate how the Vitriol rootkit can migrate a running
operating system into a hardware virtual machine on the fly and install
itself as a rootkit hypervisor. The malicious code becomes inaccessible
to the operating system, maintaining stealth and controlling access to
Zovi, in a blog entry, claimed that hypervisors can also be used to
bypass PatchGuard on 64-bit systems, but Stephen Toulouse, a security
program manager for Microsoft, explained that PatchGuard prevents
modification of the data tables and is not meant to detect hypervisors.
"In this case, there is nothing [from Zovi] to indicate the attack is
even trying to modify the kernel itself, and I confirmed with Matasano
that's true," Toulouse said in an e-mail sent to eWEEK. "Vitriol doesn't
'defeat' kernel patch protection," he added.
In response, Zovi cited "confusion" around how or whether hypervisors
can bypass PatchGuard and stressed that Vitriol is not an attack against
[a weakness in] PatchGuard itself. "[It] is more a demonstration of how
a hypervisor controls the entire universe in which an operating system
runs and can mislead or lie to any operating system running inside it,
thus defeating security defenses running on the guest VM," he explained.
Microsoft officials declined to comment on the BlueHat schedule.
According to sources familiar with the company's plans, BlueHat v4 will
feature a roster of well-known white hat researchers specializing in OS
kernel hardening, database security and application threat modeling.
The source said the company is looking for "new faces" to talk at the
two-day event. Researchers who made presentations at BlueHat v3 in March
2006 are being invited back as attendees.
At the Spring 2006 sessions, the roster of presenters included database
security experts David Litchfield and Alexander Kornbrust, Web
applications security researcher Caleb Sima, Metasploit founder HD Moore
and reverse engineering guru Halvar Flake.
Moore, Flake and Kornbrust said they will not be attending the sessions
Zovi's virtual machine rootkit presentation comes on the heels of a
Black Hat demo by stealth malware researcher Joanna Rutkowska of Blue
Pill, new technology that is capable of creating malware that remains
"100 percent undetectable," even on Windows Vista x64 systems
Rutkowska's Blue Pill prototype uses Advanced Micro Devices'
SVM/Pacifica virtualization technology to create an ultrathin hypervisor
that takes complete control of the underlying operating system.
Rutkowska, who also showed off a way to defeat the device driver signing
requirement in Windows Vista, told eWEEK she has never been invited to
speak at Microsoft's BlueHat.
Microsoft's own Cybersecurity and Systems Management Research Group has
also created a proof-of-concept rootkit called SubVirt that exploits
known security flaws and drops a VMM (virtual machine monitor)
underneath a Windows or Linux installation.
This story was updated to include comments from Microsoft's Stephen
Visit the InfoSec News store!