Virtualizing rootkits and the future of system security
VIRTUAL MALWARE
Author(s): WILHELM DOLLE AND CHRISTOPH WEGENER
A new generation of rootkits avoids detection by virtualizing the compromised system – and the user doesn’t notice a thing.
In the typical cat-and-mouse game of attackers and defenders, the aim of the game is to gain or keep control of the operating system. Legacy malware tries to escalate privileges and, if possible, to run in ring 0, the operating system’s kernel mode. Once it gets there, the exploit, and thus the attacker, can manipulate the system. Virtualization is often heralded as a big advance for system security. Multiple virtual systems can run on the same hardware without the ability to influence each other. This isolation prevents a number of standard attack techniques, but today’s virtualization technologies also open a whole new frontier for attacks that never would have been possible in the past. Experts are already talking about a new generation of rootkits that will exploit the powers of virtualization to avoid detection.
Comments