23 Oct 06
I&W ANALYSIS -
FOLLOW THE WHITE RABBIT: VIRTUAL MACHINE ROOT KITS
INTRODUCTION
1. (U) Recently there has been a great furor in the Information Security community regarding a new development in rootkit[1] technology, Virtual Machine Rootkits (VMRs); the brouhaha in question culminated in August of this year with the revelation of Joanna Rutkowska's "Blue Pill"[2] VMR.
2. (U) This technology is not only receiving a great deal of attention in the professional community; a brief survey of the Internet's dark underbelly reveals that amongst Blackhats[3] and other ne'er-do-wells VMRs are currently the proverbial "talk of the town".
3. (U) This paper should be considered an "early warning": the technology will continue to evolve and, considering the attention it is garnering in the underground community, it is only a matter of time until it is developed into a viable malware implementation which would, in theory, be practically undetectable using conventional, practical countermeasures.
AIM
[1] Rootkit - A set of software tools intended to conceal running processes, files or system data, thereby allowing an intruder to maintain access to a system whilst avoiding detection.
[2] Ms. Rutkowska has displayed a recent tendency to assign designations to her projects that reference the film "The Matrix".
[3] Black Hat - A malicious or criminal hacker.
DISCUSSION
5. (U) This section will serve to introduce the reader to the concept and technology behind virtual machines[5] (VMs) in order to convey a basic understanding of a VMR's underlying technology.
8. (U) Each virtual machine can run a complete operating system and its
applications; software running within a virtual machine (including the virtualized
operating system) is designated as "guest software". All guest software including the
guest OS runs in user mode; only the VMM runs at the most privileged level (kernel
mode).
10. (U) A VMM can support multiple OSes on a single computer by multiplexing
the system's hardware, thereby providing the illusion of multiple, distinct virtual
machines all of which can run an independent OS and applications. The VMM also
isolates all resources of each virtual machine by the use of redirection.
11. (U) Several products are available that allow the user to implement virtual
machines; these include, but are not limited to:
c. Xen (*nix).
[4] Samuel T. King et al. "SubVirt: Implementing Malware with Virtual Machines".
[5] Virtual Machine - A virtual machine is an operating environment completely defined and implemented in software rather than hardware that functions in conjunction with, yet independent of, a physical host/operating system.
12. (U) Lastly, two items are worthy of note that will be of greater importance later in this discussion: CPU based VM extensions and newer BIOS[6] implementations. The newest generation of CPUs has implemented inherent virtualization extensions on the chip in order to facilitate virtualization, and new BIOS versions accommodate this new technology.
13. (U) Although these extensions do not run as a native virtual machine, they do provide improved functionality in the virtual environment. The security trade-off in doing so, however, is that virtual machines may be more easily implemented on a host and consume less of the host's resources. Further, recent BIOS implementations allow the user to disable these extensions, and future BIOS versions may enable users to disable virtualization altogether.
15. (U) Both of the aforementioned limitations are addressed with the implementation
of VMRs; this development in rootkit technology allows significantly more control over a
machine with significantly more stealth than a mundane user/kernel level rootkit.
16. (U) This heightened degree of stealth and control is accomplished by installing a
VMM underneath an existing OS and moving the original OS into a virtualized
environment. VMRs also allow the implementation of a plethora of malicious services by
allowing them to execute in a disparate OS that is protected from the host system.
17. (U) VMRs utilize a separate virtual machine implementation known as the "Attack OS" (AOS) that is invisible from the host and its OS; none of the system states or events associated with the AOS are visible from the host's perspective, effectively rendering any applications running within the AOS invisible.
18. (U) As detailed in their whitepaper "SubVirt: Implementing Malware with Virtual Machines",[8] the SubVirt research team described the three types of malware that could be clandestinely implemented on a target system using the AOS:
"The ability to run invisible malicious services in an attack OS gives intruders the
freedom to use user-mode code with less fear of detection. We classify malicious
services into three categories - those that need not interact with the target system
at all, those that observe information about the target system, and those that
intentionally perturb the execution of the target system. In the remainder of this
section, we discuss how (VMRs) support each class of service.
[6] BIOS - "Basic Input/Output System"; the software that is responsible for booting a computer, initializing the hardware and handling input-output functions.
[7] Samuel T. King et al., op. cit.
[8] Samuel T. King et al., op. cit.
The first class of malicious service does not communicate with the target system.
Examples of such services are spam relays, distributed denial-of-service zombies,
and phishing web servers. A (VMR) supports these services by allowing them to run
in the attack OS. This provides the convenience of user-mode execution without
exposing the malicious service to the target OS.
The second class of malicious service observes data or events from the target
system. (VMRs) enable stealthy logging of hardware-level data (e.g. keystrokes,
network packets) by modifying the VMM’s device emulation software. This
modification does not affect the virtual devices presented to the target OS.
For example, a (VMR) can log all network packets by modifying the VMM’s emulated
network card. These modifications are invisible to the target OS because the
interface to the network card does not change, but the (VMR) can still record all
network packets. (VMRs) can use virtual-machine introspection to help observe and
understand the software-level abstractions in the target OS and applications. Virtual-
machine introspection enables malicious services to trap the execution of the target
OS or applications at arbitrary instructions. When these traps occur, a malicious
service can use virtual machine introspection to reconstruct data and abstractions
from the target system. For example, if a target application uses an encrypted
socket, attackers can use virtual-machine introspection to trap all SSL socket write
calls and log the clear-text data before it is encrypted. This logging is transparent to
the target OS and applications since the malicious code runs outside of the target
and also because virtual-machine introspection does not perturb the state of the
target system.
The third class of malicious service deliberately modifies the execution of the target
system. For example, a malicious service could modify network communication,
delete e-mail messages, or change the execution of a target application. A (VMR)
can customize the VMM’s device emulation layer to modify hardware-level data. A
(VMR) can also modify data or execution within the target through virtual-machine
introspection."
19. (U) As both the rootkit proper and any malicious services related to its
functioning are protected from the host system, VMRs are extremely difficult to
detect and/or eradicate as their state cannot be accessed by software running on the
host system; this renders standard security measures (e.g. IPS/IDS and anti-virus
solutions) that are effective against kernel/user mode rootkits completely impotent.
[9] PoC - "Proof of Concept"; a demonstration that in principle shows how a system may be protected or compromised, without the necessity of building a complete working vehicle for that purpose.
21. (U) Although SubVirt was a success from a functional standpoint, several issues with this implementation exist, as expressed by Alessandro Perilli in his "SecurityZero" blog:[10]
[10] Alessandro Perilli. SecurityZero Blog. "Rootkits Powered by Virtualization".
22. (U) In addition to the points raised above, SubVirt also has several other concerns that render the PoC impractical as an effective malware implementation:[11]
23. (U) Despite these issues, the success of the SubVirt PoC represents a grand
advance in rootkit design and effectively released the proverbial genie from the
bottle with regards to VMRs.
25. (U) The primary impetus for the design of Blue Pill was to engineer a
VMR which:
[11] Joanna Rutkowska. "Subverting Vista Kernel for Fun And Profit".
[12] The Popek and Goldberg virtualization requirements are a set of requirements necessary for a computer architecture to efficiently support full system virtualization; they were introduced by Gerald J. Popek and Robert P. Goldberg in their 1974 article "Formal Requirements for Virtualizable Third Generation Architectures".
26. (U) These design goals being stated, Blue Pill differs from SubVirt in that it:
c. installs on the fly without restarting the system and without any
BIOS or boot sector modifications;
27. (U) Like SubVirt, Blue Pill technology facilitates the implementation of the three types of malicious services discussed earlier; however, in this case, the services would be virtually undetectable. Considering the furtive advances represented by the Blue Pill implementation, VMR technology now displays the potential to be a viable threat in the near future.
28. (U) Despite the threat posed by future VMRs, proactive defensive action can
be undertaken to mitigate the risk of future exploitation and/or compromise:
• BIOS Upgrades - When possible, ensure that all future BIOS upgrades
include a facility to disable virtual machine support and/or VM extensions.
[13] Pacifica and VT-x are the codewords respectively assigned to AMD's and Intel's VM extension solutions; these extensions will be implemented on the new generation of processors being developed.
[14] Joanna Rutkowska. "Red Pill: How to Detect VMM Using (Almost) One CPU Instruction".
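As an added illustration of the BIOS recommendation above and of the VT-x/Pacifica note (example code written for this edition, not from the report or its cited sources): an inventory check that reads CPUID to report whether VT-x or SVM is exposed to software on a host, and whether a hypervisor already announces itself beneath the OS. It assumes an x86/x86-64 host built with GCC or Clang; the VMF_* names, the function names and the constructed "KVMKVMKVM" signature in the comments are this example's own.

```c
#include <stdint.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>           /* __get_cpuid / __cpuid from GCC or Clang */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0         /* non-x86 host: only the decoders below run */
#endif

enum { VMF_VMX = 1, VMF_SVM = 2, VMF_HYPERVISOR = 4 };

/* Decode CPUID.1:ECX and CPUID.80000001h:ECX. Bit 5 of leaf 1 ECX is VMX
 * (VT-x), bit 2 of extended leaf 1 ECX is SVM (Pacifica), and bit 31 of
 * leaf 1 ECX is reserved-zero on bare metal but set by hypervisors. */
unsigned vm_flags(uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    unsigned f = 0;
    if ((leaf1_ecx >> 5) & 1)  f |= VMF_VMX;
    if ((ext1_ecx >> 2) & 1)   f |= VMF_SVM;
    if ((leaf1_ecx >> 31) & 1) f |= VMF_HYPERVISOR;
    return f;
}

/* Leaf 40000000h carries a 12-byte vendor signature in EBX, ECX, EDX
 * (e.g. constructed "KVMKVMKVM", "VMwareVMware"); unpacked byte-wise so the
 * result does not depend on host endianness. Returns a static buffer. */
const char *hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char sig[13];
    uint32_t regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 12; i++)
        sig[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xff);
    sig[12] = '\0';
    return sig;
}

/* Live query: VMF_* mask for this CPU, plus the hypervisor signature when one
 * announces itself; -1 where CPUID is unavailable. */
int query_vm_support(const char **vendor)
{
    *vendor = "";
#if HAVE_CPUID
    unsigned a, b, c, d, l1c = 0, e1c = 0;
    if (__get_cpuid(1, &a, &b, &c, &d)) l1c = c;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d)) e1c = c;
    unsigned f = vm_flags(l1c, e1c);
    if (f & VMF_HYPERVISOR) { __cpuid(0x40000000u, a, b, c, d); *vendor = hv_vendor(b, c, d); }
    return (int)f;
#else
    return -1;
#endif
}
```

A VMR that virtualizes CPUID can hide both the extension bits and the hypervisor flag, so a clean result only confirms what firmware policy exposes to software and is not evidence that no VMM is present, which is exactly the detection problem the report describes.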
How Deep the Rabbit Hole? - The Future
29. (U) VMRs are a relatively new technology that is still in the early stages of
development. As of this writing, all of the VMRs developed thus far are either
experimental or PoC; no practical implementation of this technology has been noted
in the wild.
30. (U) This being stated, VMRs represent a great leap forward in rootkit technology and it is only a matter of time before it is ported to a viable rootkit implementation; one can expect VMRs to be a significant threat to the integrity of the organization's networks in the future.
31. (U) Considering the potential threat this technology may pose in the future, the organization should be proactive and implement the recommendations below as soon as fiscally and technically possible.
32. (U) Although not a clear threat as of this writing, it is only a matter of time before VMR technology evolves to the point that it can be deployed in a viable malware implementation.
33. (U) Bearing this in mind, the following recommendations are hereby
suggested in order to mitigate the threat to the organization:
34. (U) Any questions regarding this I&W report may be addressed to the
undersigned.
Attachments:
Annexes A-G
References
(U) Annex A – Standard System Configuration [15]
[15] Samuel T. King et al., op. cit.
(U) Annex B – Virtual Machine Implementation Configuration [16]
The VMM provides the abstraction of a virtual machine (contained within the
dashed lines in the diagram), each of which can run a complete guest operating
system and a set of guest applications. The host operating system and its host
applications are used to provide convenient access to I/O devices and to run VM
services.
[16] Samuel T. King et al., op. cit.
Annex C - Basic VMWare Virtualization Stack [17]
The diagram above demonstrates the basic VMWare virtualization stack and
the placement of the VMMs and Hypervisor within the stack; most other virtualization
implementations are similar.
[17] Jack Lo. "VMWare and CPU Virtualization Technology".
(U) Annex D - Full VMWare Virtualization Software Stack [18]
[18] Jack Lo, op. cit.
Annex E – VMWare Screen Captures
The screen captures above demonstrate a VMWare installation implementing
a Windows XP virtual machine in various stages of startup.
(U) Annex F – Operating System Compromised with VM Rootkit [19]
[19] Samuel T. King et al., op. cit.
(U) Annex G - Acknowledgements
This being stated, the majority of the information regarding network based
covert channels was gleaned from the works of:
References
Author unknown. "How to Write a Rootkit". Linux Magazine, Issue #69, August 2006: pp. 22-29.
Joshi, A. et al. "Detecting Past and Present Intrusions Through Vulnerability Specific Predicates". Proceedings of the 2005 Symposium on Operating System Principles, October 2005. Accessed on 26 August 2006. http://www.eecs.umich.edu/~kingst/introvirt.pdf.
King, Samuel T. et al. "SubVirt: Implementing Malware with Virtual Machines". Date unknown. Accessed on 02 September 2006. http://www.eecs.umich.edu/virtual/papers/king06.pdf.
Lo, Jack. "VMWare and CPU Virtualization Technology". Date unknown. Accessed on 30 September 2006. http://download3.vmware.com/vmworld/2005/pac346.pdf.
Naraine, Ryan. "VM Rootkits: The Next Big Threat?". 10 March 2006. Accessed on 25 August 2006. http://www.eweek.com/print_article2/0,1217,a=173285,00.asp.
Ou, George. "Blue Pill: The First Effective Hypervisor Rootkit". 15 August 2006. Accessed on 23 September. http://blogs.zdnet.com/Ou/?p=295.
Popek, G.J. et al. "Formal Requirements for Virtualizable Third Generation Architectures". Communications of the ACM, Volume 17, Number 7, July 1974. Accessed on 14 October 2006. http://www.cis.upenn.edu/~cis700-6/04f/papers/popek-goldberg-requirements.pdf.
Rutkowska, Joanna. "Red Pill: How to Detect VMM Using (Almost) One CPU Instruction". November 2004. Accessed on 14 October 2006. http://invisiblethings.org/papers/redpill.html.
Rutkowska, Joanna. "Subverting Vista Kernel for Fun and Profit". 03 August 2006. Accessed on 02 September 2006. http://www.invisiblethings.org/papers/joanna%20rutkowska%20-%20subverting%20vista%20kernel.ppt.
Tikhonova, Anna et al. "How Real is Virtual: Hiding Artifacts of Virtual Machines". 15 December 2005. Accessed on 01 September 2006. http://wwwcsif.cs.ucdavis.edu/~tikhonov/ecs235pw/documents/paper/detectvm.ps.