Security UPDATE--Virtual Machine-based Rootkits--March 22, 2006

VMBRs are more difficult than regular rootkits to install, but because they run underneath an existing OS, they can remain relatively invisible to the target OS. Learn more about VMBRs and get links to other security resources.

ITPro Today

March 21, 2006


This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Esker Software

http://www.windowsitpro.com/go/whitepapers/esker/docmanagement?code=SECTop0322

SPI Dynamics

https://download.spidynamics.com/1/ad/fwi.asp?Campaign_ID=70130000000C7Tj

===============

1. In Focus: Virtual Machine-based Rootkits
2. Security News and Features
   - Recent Security Vulnerabilities
   - Zfone Makes Its Debut
   - Seagate and SECUDE IT Team for Stronger Mobile Security
   - Silently Disable Internet Controls the Easy Way
3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Instant Poll
   - Share Your Security Tips
4. New and Improved
   - Single Sign-On Solution for Many Apps

==========

==== Sponsor: Esker Software ====
Align compliance with business efficiency, and learn how fax-document management plays a role in your strategy.
http://www.windowsitpro.com/go/whitepapers/esker/docmanagement?code=SECTop0322

==========

==== 1. In Focus: Virtual Machine-based Rootkits ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Virtual machine (VM) technology has many positive uses. However, when a VM is paired with a rootkit, you have a problem called a VM-based rootkit (VMBR). VMBRs aren't just theoretical nuisances. Samuel T. King and Peter M. Chen of the University of Michigan, and Yi-Min Wang, Chad Verbowski, Helen J. Wang, and Jacob R. Lorch of Microsoft Research have published a new white paper that discusses VMBRs in considerable detail. The white paper, "SubVirt: Implementing malware with virtual machines," is available on the Internet and is also scheduled to be presented at the IEEE Symposium on Security and Privacy in May.

VMBRs will be harder to detect than regular rootkits, but fortunately, they'll also be harder for intruders to develop and install. In a nutshell, a VMBR loads itself underneath the existing OS, and the existing OS then runs as a VM on top of the VMBR. Running this way, a VMBR can go undetected unless special tools are used to look for it. VMBRs are possible on both Linux and Windows platforms.

Getting a VMBR installed is the tricky part, as is usually the case with rootkits. To run underneath an existing OS, the VMBR must modify the system's boot sequence so that the VMBR loads first. Modifying the boot sequence requires a high level of privilege or an easily duped user. The white paper's authors point out several possible inroads, including remotely exploitable system vulnerabilities, a malicious bootable CD-ROM or DVD, software from a corrupt vendor, and of course malicious software run by a naive user who's logged on with Administrator privileges.

The real danger of VMBRs is that because they run underneath an existing OS, they can remain relatively invisible to the target OS. A VMBR might or might not communicate with the target OS. If a VMBR is designed to launch Denial of Service (DoS) attacks, relay mail, establish pirate-software drop points on other systems, or host phishing Web sites, it doesn't need to communicate with the target OS at all. On the other hand, if the VMBR is designed to eavesdrop on keyboard, mouse, or network activity, some interaction must take place, but that interaction can be minimized by modifying device drivers and emulators.

The team actually developed a VMBR along with several malicious services. It also modified system instructions so that user-mode VM detection wouldn't discover the VMBR. Taking the VMBR to an even further extreme, the team was able to manipulate LEDs on some computers via the system BIOS to fool users into thinking a system was shut down when in fact it wasn't! The project is, to understate the matter, a very successful proof of concept. If you're interested in the finer details of the research, be sure to read the white paper at http://www.eecs.umich.edu/Rio/papers/king06.pdf
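Because a VMBR has to change the boot sequence so that it loads before the OS, one cheap defender-side check is to snapshot the boot sector from a known-good state and re-verify it later. The following is an added example written for this newsletter, not code from the SubVirt researchers; it assumes the sector is read from trusted boot media rather than from inside the possibly virtualised OS, and the sample sectors it uses are constructed.

```python
# Added example: baseline-and-verify check of a 512-byte MBR. Not from the
# SubVirt paper or the newsletter; the sample sectors below are constructed.
# Read the real sector from trusted boot media, not from the running OS,
# since a VMBR sitting underneath the OS can lie about what the disk holds.
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE = 446            # offset of the four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"      # mandatory signature in the last two bytes

def parse_mbr(sector: bytes) -> dict:
    """Return a hash of the boot-code region and the decoded partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:] != BOOT_SIG:
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    parts = []
    for i in range(4):
        e = sector[PART_TABLE + 16 * i: PART_TABLE + 16 * (i + 1)]
        lba, count = struct.unpack_from("<II", e, 8)   # LBA start, sector count
        parts.append({"active": e[0] == 0x80, "type": e[4],
                      "lba": lba, "sectors": count})
    return {"code_sha256": hashlib.sha256(sector[:PART_TABLE]).hexdigest(),
            "parts": parts}

def verify_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector against the stored baseline; list findings."""
    cur = parse_mbr(sector)
    findings = []
    if cur["code_sha256"] != baseline["code_sha256"]:
        findings.append("boot code differs from baseline")
    for i, (b, c) in enumerate(zip(baseline["parts"], cur["parts"])):
        if b != c:
            findings.append(f"partition entry {i} changed: {b} -> {c}")
    return findings

def build_mbr(code: bytes, parts: list) -> bytes:
    """Constructed test sector: boot code, then (active, type, lba, count) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, lba, n)
                     for a, t, lba, n in parts)
    table += b"\x00" * 16 * (4 - len(parts))
    return code.ljust(PART_TABLE, b"\x00") + table + BOOT_SIG

# Constructed known-good sector: one active NTFS-type (0x07) partition.
GOOD = build_mbr(b"\xfa\x33\xc0" + b"\x90" * 40, [(True, 0x07, 2048, 204800)])
# Constructed tampered sector: replaced boot code plus an extra hidden entry.
TAMPERED = build_mbr(b"\xeb\x3c\x90" + b"\x90" * 40,
                     [(True, 0x07, 2048, 204800), (False, 0xDA, 206848, 40960)])
```

Store the output of parse_mbr(GOOD) offline and run verify_mbr on each later read; an empty findings list means the boot code and partition table still match the baseline.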

==========

==== 2. Security News and Features ====

Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at
http://www.windowsitpro.com/departments/departmentid/752/752.html

Zfone Makes Its Debut
With VoIP becoming ever more popular, security of conversations is a primary concern. Phil Zimmermann, inventor of the well-known PGP software, aims to help protect VoIP users' privacy with his latest encryption product, Zfone, which was released into public beta this week.
http://www.windowsitpro.com/Article/ArticleID/49707

Seagate and SECUDE IT Team for Stronger Mobile Security
Last week at CeBIT 2006, Seagate Technology and SECUDE IT Security demonstrated how their products work together to better secure laptops. Together, the companies' products protect data even during the system boot process.
http://www.windowsitpro.com/Article/ArticleID/49677

Silently Disable Internet Controls the Easy Way
Setting the kill bit for an ActiveX control is simple once you know that the control you want to disable exists. Here's a technique for finding the class ID (CLSID) of a control and disabling the control.
http://www.windowsitpro.com/Article/ArticleID/49585/

==========

==== Hot Spot ====
Learn to identify the top 5 IM security risks, and protect your networks and users.
http://www.windowsitpro.com/go/whitepapers/symantec/topimrisks/?code=SECHot0322

==========

==== 3. Security Toolkit ====

Security Matters Blog: Not Quite Dick Tracy's Style
by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters
In last week's In Focus (at the first URL below), I wrote about handheld computers. Since then, I've learned about a computer that straps to your wrist. Eurotech is making a new wrist-worn PC that can run Linux or Windows CE. Learn more about it in the blog entry at the second URL below.
http://www.windowsitpro.com/Article/ArticleID/49693
http://www.windowsitpro.com/Article/ArticleID/49690

FAQ
by John Savill, http://www.windowsitpro.com/windowsnt20002003faq
Q: How can I output in a table format the list of sites and the subnets in the site?
Find the answer at http://www.windowsitpro.com/Article/ArticleID/49660

New Instant Poll
Which of these methods have you used or will you use to contain your wireless network radio signals?
- Reducing the AP output power
- Covering your walls and windows with special materials
- Using directional antennas or adding signal reflectors on your APs
- Two or more of the above methods
- None of the methods
See the article "3 Ways to Rein in Your Wireless Signals" at http://www.windowsitpro.com/Article/ArticleID/49501
Submit your vote at http://www.windowsitpro.com/windowssecurity#poll

Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==========

==== Announcements ====
(from Windows IT Pro and its partners)

VIP Monthly Pass Subscribers have it all!
Become a VIP Monthly Pass subscriber and get continuous, inside access to ALL the online resources published in Windows IT Pro, SQL Server Magazine, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters--that's more than 26,000 articles at your fingertips. You'll also get the latest digital issue (just like the print edition, but delivered directly to your inbox) of Windows IT Pro each month. Subscribe now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2763um

Save 44% off the Windows IT Security Newsletter
For a limited time, order the Windows IT Security newsletter and SAVE up to $80 off the cover price. You'll discover endless fundamentals on building and maintaining a secure enterprise, in-depth product coverage of the best security tools available, and expert advice on the best way to implement various security components. You'll also get unlimited access to the full online security article library (more than 1900 articles). Subscribe now:
https://store.pentontech.com/index.cfm?s=1&promocode=eu2563uy

==========

==== 4. New and Improved ====
by Renee Munshi, [email protected]

Single Sign-On Solution for Many Apps
Beta Systems Software has extended its SAM Identity Management Suite to include a new component: SAM Enterprise Single Sign-On. SAM eSSO is part of the suite but will be marketed as a separate module. Users log on to their systems, and SAM eSSO handles subsequent logons to applications. SAM eSSO integrates with most existing applications through agents and XML parameter files. The SAM eSSO client runs under Windows, Web browsers, Linux, and UNIX. The SAM eSSO server runs under Windows. The target applications for SSO can run on any platform accessible to the network, including Windows servers, mainframes, UNIX servers, Web servers, corporate databases, and Lotus Domino. The basis for SAM eSSO is the Focal Point enterprise SSO solution, which Beta Systems recently purchased from OKIOK. For more information, go to
http://www.betasystems.com

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==========

==== Contact Us ====
About the newsletter -- [email protected]
About technical questions -- http://www.windowsitpro.com/forums
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

===============

This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

https://store.pentontech.com/index.cfm?s=1&promocode=eu255xsb

View the Windows IT Pro privacy policy at

http://www.windowsitpro.com/AboutUs/Index.cfm?action=privacy

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
