SubVirt - the prototype of the next generation malware
In the last few years the most dangerous computer viruses are disappearing. Macro viruses and script viruses are almost extinct. But in the meantime there was an increase of trojan, backdoor, rootkit and spyware which can be used to remotely control a pc. There was an increment of malware that includes spyware programs from 54.2% to 66. Rootkits are becoming famous. They are used by virus writers to remotely control infected computers and use them for stealing money and perform DDOS attacks. In the Windows world the rootkit term is usually used to describe viruses and malware programs that use a special technique to hide into the system environment. In Unix environment, rootkits are usually rewritten tools of the operating system that are used to hide data from the users. For example the ls command can be rewritten so that it doesnít show certain files.
There exist user-mode rootkits and kernel-mode rootkits. User-mode rootkits are basically normal processes that can be easily detected and eliminated. Kernel-mode rootkits are hidden inside of the operating system itself and caan be very hard to detect and eliminate. SubVirt is the name of a research project directed by Microsoft with the help of the University of Michigan. Currently malware software and detection software have both control of the system at kernel-mode level. Virus writers are trying to find the best way to hide their malware in front of detection software and maintain at the same time the have maximum control over the machine. The result of this research is the VMBR, Virtual Machine Based Rootkit. A Virtual Machine is a special software layer that works between the hardware and the operating system. On a Virtual Machine also the operating system runs in user mode. The rootkit would install itself between the operating system and the hardware and would have a total control of the system.
In order to work, the VMBR needs to start up before the operating system, so itís necessary to modify the Master Boot Record in order to make it work. At computer startup the Virtual Machine would start and then it would run the operating system in a virtual environment. Potentially it can run two operating systems at the same time, the userís Windows and a specially crafted malware operating system that would be invisible to the Windows system and to the user. The problem with this type of malware software is that it would slow down the system. During their tests Microsoft noticed that the system sturtup takes about 30 seconds more with the Virtual Machine and it eats about 3% of system resources. Itís also important to point out that the virtual machines that Microsoft used had the size of about 100 megabytes, which is too much to fit in a common MBR. The entire dossier can be downloaded at http://www.eecs.umich.edu/~pmchen/papers/king06.
Information on HMAS Sydney Articles
Information on HMAS Sydney Books
Information on HMAS Sydney