There was a paper in IEEE Security & Privacy 2006 by Sam King on how
to do this kind of attack (his system was called SubVirt):
http://www.eecs.umich.edu/virtual/papers/king06.pdf
However, in practice it turns out this is much harder than people
think. See Tal Garfinkel's paper on precisely this topic at HotOS 2007:
http://www.stanford.edu/~talg/papers/HOTOS07/abstract.html
-Angelos
On Jan 2, 2008, at 1:09 PM, Anne & Lynn Wheeler wrote:
Bill Frantz wrote:
> My favorite virtual machine use is for the virus to install itself
> as a virtual machine, and run the OS in the virtual machine. This
> technique should be really good for hiding from virus scanners.
re:
http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus software imminent
http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus software imminent
I commented on that in reference posts mentioning that there have been
uses of virtual machines to study virus/trojans ... but that some of the
new generation virus/trojans are now looking to see if they are running
in a virtual machine (studied?).
Some of the current trade-off is whether that virtual machine technology
can be used to partition off basically insecure operations (which are widely
recognized as being easy to compromise) and then completely discard the
environment and rebuild from scratch after every session (sort of the
automated equivalent of having to manually wipe an infected machine and
re-install from scratch).
The counter argument is that crooks can possibly also use similar
technology to hide ... once they have infected the machine. The current
issue is that a lot of the antivirus/scanning techniques are becoming
obsolete w/o the attackers even leveraging virtual machine technology.
The attackers can leverage the technology in an otherwise poorly
defended machine. Some years ago there was a product claiming
that it could operate even at a public access machine because
of the completeness of their antivirus countermeasures ... even
on an infected machine. I raised the issue that it would be trivial
to defeat all such countermeasures using virtual machine technology.
Somewhat of a skirmish resulted since they had never considered
(or heard of) virtual machine technology ... for all I know there
is still an ongoing head-in-the-sand situation.
For a little topic drift ... this blog entry:
https://financialcryptography.com/mt/archives/000991.html
and
http://www.garlic.com/~lynn/aadsm28.htm#3
http://www.garlic.com/~lynn/aadsm28.htm#5
there is some assertion that the crooks are overwhelming the
defenders' countermeasures because they are operating
significantly faster and more efficiently.
However, another interpretation is that the defenders
have chosen an extremely poor position to defend ... and are
therefore at an enormous disadvantage. It may be necessary
to change the paradigm (and/or find the high ground)
in order to successfully defend.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]