Subversive SubVirt

The IT security world is in something of an uproar – there’s a lot of discussion about a supposedly undetectable rootkit which uses virtual machine technology. The real question is, what’s all the clamor about, and do we really need to worry?

The development of the rootkit, which works at a level below the operating system, was developed at the University of Michigan in a project sponsored by Microsoft. It became public knowledge after the IEEE Symposium on Security and Privacy conference materials were published – they included the proof of concept.

The basic idea from Michigan is that malicious code can be taken beyond the bounds of the user’s operating system. To do this, it creates an additional layer (a virtual machine monitor (VMM)) between the operating system and the hardware. Once the VMM is installed and when the machine is booting, control is passed from BIOS to VMM, bypassing the normal load sequence of the user’s actual operating system. Once accomplished, all interaction between the user and the hardware will take place via the VMM.

At the same time as it launches the user’s operating system, the VMM launches another operating system, where the malicious program is executed.
The malicious code therefore has direct access to the hardware. A keylogger inside the ‘malicious’ operating system could log information, while a Trojan proxy could establish communications with a network. All such activity would be undetectable by the user, as it would be taken place beyond the bounds of the user’s operating system. Consequently, it may not be detectable from within the user’s operating system, even using the most powerful antivirus and firewall technology.

Writing malicious code isn’t something that the antivirus industry encourages. But although this proof of concept code appears to present a danger, the threat may be exaggerated.

Firstly, writing such a rootkit is very difficult, and the vast majority of virus writers simply wouldn’t be capable of it, in spite of the fact that it uses a ready made VMM engine.

Secondly, it’s impossible to hide the extra layer between the hardware and the operating system, as this layer will affect the functioning of the victim machine, and on the values of some system variables. In other words, the mere fact that it is trying so hard to hide itself actually gives its presence away!

And thirdly, detecting a virtual rootkit is actually fairly easy through casual observation. The user can keep an eye out for symptoms of infection, such as decreased system resources and sluggish performance. Indeed detection of this rootkit can be accomplished by using an extremely simple method to detect whether or not a rootkit is present – by booting the victim machine from an external device such as a USB stick, or CD – and then scanning the computer’s hard disk from the device.