Rootkits for VMs

As if everyday rootkits such as Sony’s recent Digital Rights Restriction, er, sorry, Management attempt weren’t annoying enough now we have the possibility of a rootkit being installed as a virtual machine monitor (VMM) on a host operating system such that the rootkit is undetectable to the guest OSes running inside the VMs.

According to a number of news reports Microsoft’s Cybersecurity and Systems Management Research Group have created “a proof-of-concept rootkit” which they call SubVirt. To install SubVirt the attacker has to gain root access to the virtual machine services which is a major hurdle before any VMs can be compromised. But once installed the rootkit can do anything it pleases without being detecable — at all! — by the guest OSes. According to The Register the Microsoft group demonstrated four malicious services “a phishing Web server, a keystroke logger, a service that scans the target file system for sensitive information and a defense countermeasure to defeat existing VM-detection systems.” The only really comprehensive defense would have to be hardware-based which rater puts the responsibility on Intel and AMD both of which have been aggressively persuing on-chip virtualization technologies. Before you dismiss this as yet another scare story just consider the potential for compromise that VM rootkits have. This implies that controlling host OSes on machines running VMMs is a crucial issue for strategic infrastructure planning. A product that might make a real foundation for such a plan is DeepFreeze from Faronics which locks down the operating system such that any changes are thrown away on the next reboot. If you are moving towards large scale VM systems deployment watch this issue, it could turn out to be really important if you want to be able to run “clean”.