funsec mailing list archives

RE: eWeek: Government-Funded Startup Blasts Rootkits


From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Thu, 27 Apr 2006 08:41:07 -0600

I just asked them about VMware in my reply today. Hopefully we will hear
something back by Friday. You may be right in that a VMware "infection"
would not be "malware" but just a normal operation.

It looks like they detect weird API calls, hooks into memory, subversion
of the Windows kernel ;), etc. A VM OS would not be a subversion of the
kernel per se, just the addition of another. Although from a CPU EIP
point of view, I think the addition of another kernel would register in
just noise, if not heuristics monitoring. Either way, good call.


I also asked them about directed attacks from the host in the form of
buffer overflows to their logging and analysis engines. I am sure they
have covered it, but one nightmare scenario would be if you could
compromise the PCI card, leaving the host intact, and still be able to
transmit the "everything's fine" signal to the admin workstation.

Even given the following from section 4.2 of the PDF:

"However, in standalone mode, the EBSA can be configured to deny all
configuration reads and writes from the host processor, thereby making
its execution path immutable by an attacker on the Host"

If there was a stack exception created by their monitoring software, the
instructions would be coming from the card, and not the host kernel.

Like you said, only time will tell.

-JP



-----Original Message-----
From: Technocrat [mailto:dj.technocrat.listmail () gmail com] 
Sent: Thursday, April 27, 2006 7:51 AM
To: Justin Polazzo
Cc: funsec () linuxbox org
Subject: Re: [funsec] eWeek: Government-Funded Startup Blasts Rootkits

On 4/27/06, Justin Polazzo <jpolazzo () thesportsauthority com> wrote:
> Just in case anyone is still interested, I got a link to a paper
> released in '04, but according to the reps:
>
> "We've made substantial improvements since the research prototype, but
> the base methods of how we work and protect ourselves will be in the
> paper."
>
> http://www.komoku.com/pubs/USENIX-copilot.pdf

Hey JP, no word from the vendor on our VM rootkit question??

I suppose it doesn't matter what they say...only the test of time will
seal the deal.

-Technocrat

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
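The thread above turns on three things: what a Copilot-style out-of-band monitor actually measures (the paper the thread links hashes kernel text and checks function-pointer tables from a PCI card, without trusting the host), why a VM-based rootkit that sits beneath an unmodified kernel is invisible to that kind of measurement, and why an admin station should not accept a bare "everything's fine" signal. The following simulation is an added example written for this archive page; it is not Komoku's or Copilot's code. The memory layout, offsets, the 16-entry table, the HMAC report format and the key are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed stand-in for host physical memory.  The "host" writes into it;
# the "monitor" only reads it, as a PCI card would over DMA.  All offsets are
# invented for this example.
KERNEL_TEXT = (0x1000, 0x1000)       # (base, length) of kernel code
SYSCALL_TABLE = (0x3000, 8 * 16)     # 16 eight-byte function pointers
TEXT_LO, TEXT_HI = 0x1000, 0x2000    # range a legitimate code pointer must fall in


def make_memory() -> bytearray:
    mem = bytearray(0x8000)
    for i in range(KERNEL_TEXT[1]):                    # deterministic fake code bytes
        mem[KERNEL_TEXT[0] + i] = (i * 7 + 3) & 0xFF
    for n in range(16):                                # every syscall points into text
        target = TEXT_LO + n * 0x100
        mem[SYSCALL_TABLE[0] + 8 * n:SYSCALL_TABLE[0] + 8 * n + 8] = target.to_bytes(8, "little")
    return mem


class Monitor:
    """Copilot-style checks: hash of kernel text against a baseline taken at a
    known-good moment, plus a range check on the syscall table.  Anything the
    monitor does not measure (e.g. a layer inserted beneath the kernel) is invisible."""

    def __init__(self, mem: bytearray, report_key: bytes):
        self.mem, self.key, self.seq = mem, report_key, 0
        self.baseline = self._hash_text()

    def _hash_text(self) -> str:
        base, length = KERNEL_TEXT
        return hashlib.sha256(bytes(self.mem[base:base + length])).hexdigest()

    def _bad_pointers(self) -> list:
        base, length = SYSCALL_TABLE
        ptrs = [int.from_bytes(self.mem[base + 8 * n:base + 8 * n + 8], "little")
                for n in range(length // 8)]
        return [n for n, p in enumerate(ptrs) if not (TEXT_LO <= p < TEXT_HI)]

    def poll(self):
        """One monitoring cycle: returns (ok, findings)."""
        findings = []
        if self._hash_text() != self.baseline:
            findings.append("kernel text hash mismatch")
        if bad := self._bad_pointers():
            findings.append(f"syscall entries outside kernel text: {bad}")
        return (not findings, findings)

    def report(self):
        """Report to the admin station: sequence number, measured digest and verdict,
        MACed with the card's key.  Constructed format.  Note the key lives on the
        card, so this only defends against a host forging or replaying reports; a
        compromised card (the scenario raised in the thread) could still sign lies."""
        ok, findings = self.poll()
        self.seq += 1
        body = f"{self.seq}|{self._hash_text()}|{'OK' if ok else ';'.join(findings)}"
        return body, hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()


class AdminStation:
    """Verifies the MAC and freshness, then compares the digest against its OWN copy
    of the known-good value instead of trusting the card's verdict string."""

    def __init__(self, key: bytes, known_good_digest: str):
        self.key, self.known, self.last_seq = key, known_good_digest, 0

    def verify(self, body: str, tag: str) -> bool:
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        seq, digest, verdict = body.split("|", 2)
        if int(seq) <= self.last_seq:          # replayed "everything's fine"
            return False
        self.last_seq = int(seq)
        return digest == self.known and verdict == "OK"


def run_scenarios() -> dict:
    key = b"constructed-demo-key"                      # constructed shared secret
    mem = make_memory()
    mon = Monitor(mem, key)
    admin = AdminStation(key, mon.baseline)
    out = {"clean": mon.poll()[0]}
    good_report = mon.report()
    out["clean_report_accepted"] = admin.verify(*good_report)
    # 1. Inline hook: one patched instruction byte in kernel text.
    mem[KERNEL_TEXT[0] + 0x200] ^= 0xFF
    out["inline_hook_detected"] = not mon.poll()[0]
    mem[KERNEL_TEXT[0] + 0x200] ^= 0xFF
    # 2. Syscall-table hijack: entry 5 redirected into attacker-controlled memory.
    base = SYSCALL_TABLE[0]
    saved = bytes(mem[base + 40:base + 48])
    mem[base + 40:base + 48] = (0x5000).to_bytes(8, "little")
    out["syscall_hijack_detected"] = not mon.poll()[0]
    mem[base + 40:base + 48] = saved
    # 3. VM-based rootkit: a layer placed beneath an untouched kernel, in memory the
    #    monitor never measures.  The hash still matches, so nothing is reported.
    mem[0x6000:0x6010] = b"hypervisor-stub!"
    out["vm_layer_detected"] = not mon.poll()[0]
    # 4. Host replays the earlier good report; the stale sequence number rejects it.
    out["replay_accepted"] = admin.verify(*good_report)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

Scenarios 1 and 2 are caught because they alter measured state; scenario 3 is not, which is the point of the VM-rootkit question in the thread. Scenario 4 shows the weakest form of the admin-side check: freshness and a self-held known-good digest stop a host-side replay of "OK", but nothing here helps once the card itself is subverted, since the card holds the report key.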
