The virtual machine concept was first invented by IBM primarily as a method of time-sharing extremely expensive mainframe hardware. “virtual machine” as defined by IBM is a fully protected and isolated copy of the underlying physical machine’s hardware. VMs are instances of an operating system running between the hardware and the “guest” operating system. Researchers and developers use virtual machines to conduct tests on programs without the fear of crashing the physical machines.
VMs are pretty much very helpful to any individual or group of individuals that use them, saves both time and money, but now in a research done by a team up of both Microsoft Research and the University of Michigan, virtual machines now have a very different use. It can now be the source of a new technology for rootkits. The group created prototypes for VM-based rootkits that takes hiding malware in a whole new level. A virtual machine monitor is the one responsible for managing the resources of the underlying hardware and provides abstraction for one or more virtual machines. Virtual machine monitor (VMM) resides in the most privileged level of the Operating system or the kernel mode, because of this, it is able to control the upper layers. The battle between attackers and defenders just got tougher.
Because VMMs use emulated hardware to guest OS by exporting hardware-level abstractions, the guest OS interacts with the virtual hardware as it would have in a real hardware. Interactions are then trapped by the VMM and are emulated in software. These emulation according to the research allows the guest OS to run without the modification while maintaining control over the sytem at the VMM level.
The overall structure of the VM-based rootkit is that the virtual machine-based rootkit runs beneath the existing operating system and its applications. VM-based rootkits must insert itself beneath the target operating system, it will be as if the target operating system is actually running as a guest OS. After inserting itself the VM-based rootkit can then execute a malware and the target system will see almost no difference in its resources. VMM also completely isolates the malware’s state and events from those of the target system, this makes the VM-based rootkit practically invisible from the software in the target system. But the real downside is the VMM can see all state and events in the target system like network packets or keystrokes or memory states and such. A VM-based rootkit is then able to modify these states and events. The group used their proof-of-concept to subvert both a Windows XP and Linux-based target system and implemented four examples of malicious services, these attacks are described in the researcher’s technical paper.
The prototypes are scheduled to be presented in the IEEE Symposium on Security and Privacy later in 2006.