funsec mailing list archives

Re: 'Vitriol' Rootkit to Demo at MS BlueHat Hacker Summit


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Tue, 17 Oct 2006 22:42:41 -0400

On 10/17/06, Fergie <fergdawg () netzero net> wrote:
> Microsoft's twice-yearly BlueHat hacker summit, running Oct. 26-27,
> will kick off later this week with a demo of a virtual machine rootkit
> that can potentially be used to defeat the controversial PatchGuard
> technology.
>
> Dino Dai Zovi, a principal at penetration-testing outfit Matasano
> Security, has been invited to Microsoft's Redmond, Wash., campus to
> showcase a hardware VM-based rootkit called Vitriol that piggybacks on
> Intel's VT-x virtualization extension.

Hmm, the last one we saw used AMD's virtualization technology and the
fact that MS was paging kernel memory. There are a few more methods to
go through it seems :-)

In the last thread about this we learned that turning off the VM
capabilities on a machine will disable this payload. If it holds true
for this one as well then it would seem this VM technology should only
be enabled on machines that need it, while the rest of people should
disable this feature, if it isn't disabled already (it's turned off by
default in the Optiplex BIOS, not sure about other brands).

For those that run VMs in the classroom, we might need to consider
discontinuing that practice for high security areas, and rebooting the
box once a day for others ;-)

-JP
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
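The post recommends leaving hardware virtualization switched off in the BIOS on machines that do not need it. As an added example (not from the post, its author, or the Vitriol project), the C program below shows how an administrator can check that from the OS: it reads CPUID to see whether the processor advertises Intel VT-x (CPUID.1:ECX bit 5) or AMD-V/SVM (CPUID.80000001h:ECX bit 2), and decodes the two model-specific registers a BIOS uses to lock the feature off: Intel's IA32_FEATURE_CONTROL (MSR 0x3A, lock bit 0, VMX-outside-SMX bit 2) and AMD's VM_CR (MSR 0xC0010114, LOCK bit 3, SVMDIS bit 4). The MSR read path is Linux-specific and assumes root plus the msr kernel module; the sample register values in the comments are constructed. One caveat a practitioner should keep in mind: a hypervisor rootkit that is already running can intercept CPUID and RDMSR and lie about both, so a clean result from inside the OS is evidence, not proof.

```c
/* Added example (not from the funsec post): report whether this CPU
 * exposes VT-x / AMD-V and whether the BIOS has locked it off.
 * Build: cc -std=c11 -Wall -o vtcheck vtcheck.c
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Intel IA32_FEATURE_CONTROL (MSR 0x3A) bits, per Intel SDM vol. 3. */
#define IA32_FEATURE_CONTROL_MSR 0x3AU
#define FC_LOCK                  (1ULL << 0)
#define FC_VMX_OUTSIDE_SMX       (1ULL << 2)

/* AMD VM_CR (MSR 0xC0010114) bits, per AMD APM vol. 2. */
#define AMD_VM_CR_MSR            0xC0010114U
#define VM_CR_LOCK               (1ULL << 3)
#define VM_CR_SVMDIS             (1ULL << 4)

enum virt_state {
    VIRT_ENABLED,          /* BIOS enabled it and locked the setting   */
    VIRT_DISABLED_LOCKED,  /* BIOS disabled it and locked the setting  */
    VIRT_UNLOCKED          /* not locked: any ring-0 code can enable it */
};

/* Intel VT-x: CPUID leaf 1, ECX bit 5 (VMX). */
bool cpu_supports_vmx(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return false;
    return (ecx >> 5) & 1U;
#else
    return false;
#endif
}

/* AMD-V: CPUID leaf 0x80000001, ECX bit 2 (SVM). */
bool cpu_supports_svm(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0x80000001U, &eax, &ebx, &ecx, &edx)) return false;
    return (ecx >> 2) & 1U;
#else
    return false;
#endif
}

/* Constructed sample values: 0x5 -> enabled, 0x1 -> disabled+locked,
 * 0x0 or 0x4 -> unlocked (the firmware never locked the register). */
enum virt_state decode_ia32_feature_control(uint64_t fc) {
    if (!(fc & FC_LOCK)) return VIRT_UNLOCKED;
    return (fc & FC_VMX_OUTSIDE_SMX) ? VIRT_ENABLED : VIRT_DISABLED_LOCKED;
}

/* Constructed sample values: 0x08 -> enabled+locked, 0x18 -> disabled+locked,
 * 0x10 -> SVM currently disabled but not locked, 0x00 -> unlocked. */
enum virt_state decode_amd_vm_cr(uint64_t vmcr) {
    if (!(vmcr & VM_CR_LOCK)) return VIRT_UNLOCKED;
    return (vmcr & VM_CR_SVMDIS) ? VIRT_DISABLED_LOCKED : VIRT_ENABLED;
}

const char *virt_state_name(enum virt_state s) {
    switch (s) {
    case VIRT_ENABLED:         return "enabled and locked by firmware";
    case VIRT_DISABLED_LOCKED: return "disabled and locked by firmware";
    default:                   return "unlocked (enableable from ring 0)";
    }
}

/* Linux only: read an MSR on CPU 0 through the msr driver.
 * Assumes root and `modprobe msr`; returns 0 on success, -1 otherwise. */
int read_msr_linux(uint32_t msr, uint64_t *out) {
    FILE *f = fopen("/dev/cpu/0/msr", "rb");
    if (!f) return -1;
    int rc = (fseek(f, (long)msr, SEEK_SET) == 0 &&
              fread(out, sizeof *out, 1, f) == 1) ? 0 : -1;
    fclose(f);
    return rc;
}

int main(void) {
    bool vmx = cpu_supports_vmx(), svm = cpu_supports_svm();
    printf("CPUID: VT-x=%s AMD-V=%s\n", vmx ? "yes" : "no", svm ? "yes" : "no");

    uint64_t v;
    if (vmx && read_msr_linux(IA32_FEATURE_CONTROL_MSR, &v) == 0)
        printf("IA32_FEATURE_CONTROL=0x%llx: VT-x %s\n",
               (unsigned long long)v, virt_state_name(decode_ia32_feature_control(v)));
    else if (svm && read_msr_linux(AMD_VM_CR_MSR, &v) == 0)
        printf("VM_CR=0x%llx: AMD-V %s\n",
               (unsigned long long)v, virt_state_name(decode_amd_vm_cr(v)));
    else
        printf("MSR not readable here (need root and the msr module)\n");
    return 0;
}
```

The "unlocked" case is the one to flag: a BIOS that neither enabled nor locked the feature has left it for the kernel, which means any code that reaches ring 0 can set the enable bit itself and then execute VMXON or set EFER.SVME. A BIOS option that says "disabled" should therefore show up as disabled *and* locked.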

