Virtual Machine Viruses: A Glimpse of Exploits to Come
In the olden days, viruses spread by attaching themselves to, and hiding inside, the execution sequence of a program. This way, whenever the program was run, the virus code executed before the program code did. Today, viruses have evolved into much more complicated creatures. However, their basic hiding mechanism is the same: they still attach themselves to system memory and to legitimate programs on a computer system.
Anti-virus makers take advantage of this fact by creating tools that scan a system for particular traits or sequences of code that identify the offending malware. These traits or sequences are called virus signatures. The main point of a virus signature is that it takes advantage of the fact that each virus has to put itself somewhere in the system (whether in the filesystem or in memory).
While getting my daily dose of Slashdot, I read about a new research program by MS Research and the University of Michigan that created a proof-of-concept for something called Virtual Machine Rootkits. It is described below:
The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system.
Today, scanning the PC's memory and filesystem is one sure way of detecting malware. But with a VM rootkit, the target operating system is simply running in an emulated environment, so it does not see malware in the host environment. If you shut down the machine, it is possible for the malware to write itself to a part of the filesystem that is not exposed to the target operating system. Yikes!
Scary? Well, in the near term, maybe not that scary yet, because VMs have such large resource requirements that a good administrator should be able to notice that a sizeable chunk of computing resources is missing. But as computing resources continue to become more abundant and VM technology matures, this may become a serious threat.
On the bright side, this type of malware still uses old-school vulnerability exploitation to get into your system. Therefore, be vigilant and keep on patching those systems.
