The "rootkit" kernel-level, are those that directly affect the operating system. Since the kernel is the highest level, and impossible to control a higher level, and then a virus (rootkit) can be easily circumvented because they have the same privileges. Here we are at the Ring 0. A solution to what was found by Joanna Rutkowska of "the invisible things " and his "blue pill" (the matrix, what you thought).
Bluepill
was founded in 2006 as a project of malware and is able to enter the Ring -1. This level is not really existent, but is a film fashioned by the builders of processors when they introduced the concept of virtualization of the CPU. Were also introduced other modes of operation as the root mode and host mode. This is to show that the hypervisor has more privileges than the operating system kernel Ring 0. Bluepill The idea is not exactly original, it in fact takes its cue from another project, this time of Microsoft Research, which had created a VM-based rootkit called "subvert". This rootkit was almost imperceptible in the system, but could be easily identified because of some changes made to the hard disk. Rutkowska has raised the archetype later. The task of
Bluepill is installed, quietly and without rebooting, above the kernel making it invisible, revealing a scanner and software configurations, only the process of virtualization your CPU. In doing so there is no way of knowing the hypervisor has been compromised or not by Bluepill because it does not touch anything in the kernel and has active contacts with it.
This is made possible thanks to virtualization technology from AMD called SVM. 
The demonstration was done on Black Hat (what better place) and was performed on a machine equipped with Vista X64. But it could also work on other OS based on x64 technology.
The demonstration was done on Black Hat (what better place) and was performed on a machine equipped with Vista X64. But it could also work on other OS based on x64 technology. 
0 comments:
Post a Comment