Virtual machines and virtualization are becoming more popular. For enterprises, virtualization makes server management much easier. But with great new advances in enterprise technology come new techniques to exploit these new advances. In March of this year, the University of Michigan and a Microsoft research team wrote a paper on how it is possible to backdoor a virtual machine.
A prototype of this rootkit, named "subvirt," was created to test this idea. It works by exploiting a vulnerability and then dropping a VMM (virtual machine monitor) underneath a Windows or Linux host. Once the target OS is loaded into a virtual machine, the rootkit becomes impossible to detect because no security software running on the target system can access its position. This really raises the bar for antivirus and anti-spyware/malware applications to try to detect such a rootkit.
You can read more detail about this study at:
http://www.eecs.umich.edu/virtual/papers/king06.pdfAlso, many undocumented back-channels allow various functionalities to communicate with the virtual machine. These back-channel functions allow various actions, such as communicating between the host and a guest operating system and connecting and disconnecting devices. An attacker can use these back channels to further explore a network.
You can read more details about these various back-channels at:
http://chitchat.at.infoseek.co.jp/vmware/index.htmlCourtesy of The Neohapsis Security Threat Watch Team
Don
General Certification : CPT Practical Submission
