Can malicious rootkit software that takes the form of a software-emulated virtual machine be detected? When security researchers presented their latest findings at the hackers' conference, the discussion drew a packed audience.
Joanna Rutkowska, a researcher at Invisible Things, described and demonstrated the rootkit tool Blue Pill, her own research and development work, at last year's hackers' conference. It made her famous overnight and aroused great interest in virtual-machine rootkit technology. On Wednesday, Rutkowska returned to the hackers' conference to acknowledge that researcher Edgar Barbosa has been the most successful at detecting Blue Pill. After a difficult round of testing, she and her colleague, researcher Alexander Tereshkin, said "congratulations, Edgar" and admitted that they have not found a way to bypass his test. Edgar's detection method is called "Anti-based" detection; he described it in detail in a paper at the SyScan conference in February. Rutkowska also said that she has now put the Blue Pill code on the Internet, where the public can download it, and that a Blue Pill project has been established. Blue Pill has seen many variants since its release last year, including a nested hypervisor that hides one virtual-machine malware inside another. Rutkowska said, "Now you can upload your own Blue Pill freely."
Rutkowska has also found a security vulnerability in Microsoft's code signing. Code signing is a kernel protection technology that relies on signing certificates authorized by Microsoft; last year Rutkowska showed an example of an attack using this vulnerability that allowed an attacker to load malware on 64-bit Vista. A few months later, Microsoft modified the corresponding API to fix the vulnerability. However, on Wednesday Rutkowska said that she and her colleague Tereshkin have discovered a kernel protection vulnerability involving a third-party driver on Vista, which again concerns digital signatures and is a very obvious vulnerability. At the same time, Rutkowska warned that it is too easy to obtain a Microsoft-authorized digital signing certificate: it can be done in one stop for $250. Microsoft did not respond immediately.
At an earlier session at the hackers' conference, titled "Don't Tell Joanna That the Virtual Rootkit Is Dead", Matasano security researcher Thomas Ptacek, Root Labs' Nate Lawson, and Symantec's Peter Ferrie described three technical approaches to detecting virtual-machine malware: bypass attacks, advantage attacks, and performance event counts.
However, Ptacek said that their research ultimately focused on detecting the virtual malware Vitriol, which researcher Dino Dai developed for VMware, because Vitriol was one of the only virtual-malware samples available; Rutkowska had previously refused to disclose the Blue Pill code. The three researchers said they would publish their findings and release a framework called Samsara, which detects virtual malicious code, in the coming days.