Thanks for that link. The good news is that, in order for the exploit to
work, what they are exploiting is the "HOST" system. Ideally, in a
production VMware setup, the host and its associated management
interface should be accessible by nothing. You do, however, have to let a
couple of machines used to manage the virtuals connect to this. So the
exploit would mean finding that hole in a network to the target and then
exploiting a known vulnerability in open ports to compromise the target.
VMware Workstation running on a laptop, for example, may offer an easy
avenue for this and would be at greatest risk. VMware Server (any
flavor), if set up right, should not allow host access from any other
network, or only in very limited amounts. What would be really scary is
if a way was found to exploit the guest interface to gain access to the
host, or to another guest interface. (I know of installations that
have guest interfaces on different firewall interfaces, or in some
cases on a SAN with different connections to different network areas.)

So what they are saying is that if the exploit here succeeded, the guest OS
would not be aware; this is true. However, on the host system it's
just another rootkit, and while not immediately apparent it would be
detectable in the same way any other rootkits are detected, and they
give some examples. The problem here is I'm sure a lot of shops spend more
time watching the guest OS than they do the host OS; since it runs
silently in the background, it's easy to forget about, especially in a
large enterprise installation.

Given the large size of the files and the time needed to pull this off,
you'd think something as simple as Tripwire would be kicking out a report
long before the rootkit ever took hold. I'd love to test that some day...
Mark
A stroll through the Slashdot article got me a link to the original paper:
http://www.eecs.umich.edu/virtual/papers/king06.pdf
It specifically describes the process of infection as requiring a
reboot to be completed. So no grand advances in technique there, but
the idea is interesting: the process for infecting a Linux machine
alters the shutdown scripts...
Hope you have your safe media and file hashes handy...
--
http://Zoneverte.org -- information explained
Do you know what your IT infrastructure does?
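Both messages above point at the same practical check (a Tripwire-style
report in the first, safe media plus file hashes in the second), so here is
an added example of that check. It is not code from the thread, from
Tripwire, or from the SubVirt paper. It takes a SHA-256 baseline of a
directory tree and then re-verifies the tree after a simulated edit to the
shutdown script, the kind of change the second poster says the paper
describes for a Linux install. The init-script contents and the payload
path /var/tmp/.vmbr are constructed for the demo and are assumptions; the
example works in a temporary directory rather than the real /etc.

```python
"""
Minimal Tripwire-style file-integrity check: record a baseline of SHA-256
hashes (plus permission bits) for every regular file under a root, then
compare the live tree against that baseline and report anything modified,
added or removed.  Added example, not from the thread or the SubVirt paper.
The sample "init scripts" are constructed in a temporary directory; the
paths, contents and the /var/tmp/.vmbr payload location are hypothetical.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its hash and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "mode": oct(st.st_mode & 0o7777),
            }
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and diff it against a stored baseline."""
    current = build_baseline(root)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Snapshot a fake /etc/init.d, tamper with the halt script, verify twice."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        initd = root / "etc" / "init.d"
        initd.mkdir(parents=True)
        # Constructed sample scripts standing in for a Linux host's shutdown path.
        (initd / "halt").write_text("#!/bin/sh\n# halt the system\nexec /sbin/halt -d -f\n")
        (initd / "reboot").write_text("#!/bin/sh\nexec /sbin/reboot -d -f\n")
        (root / "etc" / "inittab").write_text("id:3:initdefault:\n")

        baseline = build_baseline(root)
        # In practice the baseline lives off the box; the JSON round trip shows
        # it is plain data that can be stored on read-only media.
        stored = json.loads(json.dumps(baseline))
        clean = verify(root, stored)

        # Simulated tampering: hook the shutdown script so a staged installer
        # runs before the real halt, and drop that installer in a hidden dir.
        # The payload path is a hypothetical stand-in, not the paper's.
        (initd / "halt").write_text("#!/bin/sh\n/var/tmp/.vmbr/install\nexec /sbin/halt -d -f\n")
        payload_dir = root / "var" / "tmp" / ".vmbr"
        payload_dir.mkdir(parents=True)
        (payload_dir / "install").write_text("#!/bin/sh\n# staged payload\n")
        tampered = verify(root, stored)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:   ", clean)
    print("tampered run:", tampered)
```

The catch the thread hints at is trust in the checker itself: once a
virtual-machine-based rootkit is running underneath the original OS, that OS
is a guest and anything executing inside it can be shown a clean view. So the
baseline has to be kept off the box and the comparison run from known-good
boot media, which is exactly the "safe media and file hashes" point above.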
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug