VM rootkits

I'm sure that many geeks remember the whole Sony Rootkit fiasco that happened not too long ago. I'm sure many people had the same feeling that I did: that it was not going to be the last time we heard about "rootkits" (and that we would probably be hearing even more about them in the future). The work that Mark Russinovich did during the Sony Rootkit debacle is stuff that I still look up to, in a big way. It was yet another data point that helped fuel my desire to learn the internals of Windows and to get a more solid understanding of how everything works.

Anyways, I digress as I'm being a bit tangential.

Some of the cool new features that are starting to pique my interest in Longhorn Server are the new hardware-based virtualization features that are being made possible by technologies like LaGrande (Intel) and Pacifica (AMD). These features could really start to help fuel the fight in IT departments around the industry to leverage virtualization packages to help control various operational costs. In my opinion, this is "A Good Thing." What's interesting though are the holes this technology might open up for various malware authors.

100% undetectable malware? According to this recent article, not only is it possible, but there is already an example out there showing how it can be done. I would be interested to see what some of the brain trust within Microsoft is thinking in regards to stopping this sort of attack vector. Currently, Vista is set to release and be one of the most secure Windows OSes that we have ever seen. It would be unfortunate if all the work to harden the Windows kernel went to waste due to an open attack vector made possible by the new virtualization technologies.

My worry? If not careful, this could undermine the work that is being done to secure Vista in the eyes of the customers. I remember seeing in a previous article or two that there is an "Anti-Malware Technology Team" at Microsoft. I would have to imagine (or perhaps "radically hope," depending on your optimism or pessimism) that this team at Microsoft has started to think about this problem (and hopefully work on it).
