Security Through Virtualization Obscurity…Hypervisors et al..

August 5, 2008

Security Through Virtualization Obscurity.

Originally published on Rootkit.com by HolaHola (Broken English, but better than my Russian ;))

Prologue…

Presented in the beginning of the 2008 Hypersight Rootkit Detector was immediately rumored and gained a lot of myths just like Rustock.C. Their homepage ,http://northsecuritylabs.com, here you can also download the latest version of this program. Authors of this program claimed it as
“World’s first Fourth-Generation rootkit detector”. It is a bullshit. And we will tell you why.

1. The First VIPS
2. Actual View of Things or the Mysterious Ring -1
3. Security Through Virtualization Obscurity
4. Epilogue

1. The First VIPS

Mostly rumored at the beginning this unknown North Security Lab was immediately linked with our UG North as a continuing of the RKU project.
The most most surprising here the obstinacy of some persons which begun collecting rumors and creating new ones, about the detector and about it’s authors. We would like to officially tell everybody that we have nothing with this unknown “North Security blah blah blah”. More to say, we thinking this is a another scope of former carders who are trying to begin new life with an another white project related to security. The examples of such behaviour can be found not only in Russia.

This detector uses Intel VT technology built in the new Intel chips generation Core2 and AMD-V analogue. This is kind of Blue Pill in the security sphere, and as it was with Blue Pill here more rumors and myths than real usefulness. As you understand this program will not work on the old machines without Virtualization support, that is the huge percent of all available computers. They even created the new brand name for its project – Virtual Intrusion Prevention System aka VIPS. This is kinda bullshit and as were shown by Rustock.C this old rootkit were isn’t supervised by VIPS just because it gained control on the system much more earlier and HRD were unable to decide.

2. Actual View of Things or the Mysterious Ring -1

What is the Ring 0xFFFFFFFF aka Ring -1?

It is kind of Hypervisor. You can find some part of it even now in Windows Server 2008. You can find a lot of useful information in the Mark Russinovich article about Ring -1, check his blog at Microsoft TechNet, you can also gain more information about virtualization from the VMWare Inc. publications.

Hypervisor gives ability to control the following components: i/o ports requests, memory, CPU registers. Something else? No, that is all folks. Is it enough for rootkit detection? Presumable yes? Ye.. Of course no. Why?

To do successful detection of real kernel mode backdoors aka rootkits it is not enough to simple supervise register changes or attempts to read/write at some addresses. To gain a REAL supervision over the system the antirootkit (lets call it VIPS if they so wish) should firstly control the file systems, the operation system specific data and structures. Here we are seeing the first but the dead for this concept reefs. Emulation of the file systems will reduce performance of any computer and will results in the numerous system/software configuration related bugs with third-party hardware or for example, lets take a RAID. Don’t forget about OS-dependent issues, for example with W2k08. And that is all, VIPS going to the trashcan, because what do you want – a workable computer or the totally fucked and screwed virtual machine that will hung, fly in blue screens country only when you decide to change something in the hardware etc. Another fuck for the VIPS is the its communication with operation system. No matter hows good this Virtual Machine (we believe it is very poorly coded even now, because we have successfully started this crap only after numerous attempts on the different configurations of Intel Core2 Duo/Quad) it is required the same system data and structures. And don’t you think that it is very hard to fake them specially for the this virtual machine? Nope. And what about user mode stuff? It isn’t changing registers and doesn’t attempts to write data somewhere in kernel mode, but it is not less rootkits than they kernel mode brothers And what about the other categories of rootkits, such as keyloggers for example? What about rootkits which will loads before VIPS? What about legitimate software? FSD filters? Encryption software? CD/DVD emulation software? DRM? They all will be flagged by VIPS? So it is completely unknown for what exactly this program was created because it is simple useless at this point. The same existing antirootkits (so called 1-3 generations) can find much more than any VIPS can gather through it a priory buggy and slow virtualization. Lets remember for what exactly VT was introduced, was it introduced for security software? No. We feeling yourselfs just like tourists in the fucken zoo where big boys and girls playing with monkeys and operating the words and terms they do not understand. We wouldn’t be wondered if after beta testing this “Four generation antirootkit” will became a paid program.

Call this nonsense 4 generation rootkit detector is just like call Kaspersky AV – the most technically advanced antivirus. The same edges just in profile, well, russian speaking readers will understand this point :D

Bypassing this idiocy doesn’t requires something specific. You can modify the SSDT for example without resetting write protection bit, you can successfully hide processes, drivers, files or keys without any notice of this “detector”. DKOM and DKOH still here. CmRegisterCallback still here. Trying to control all these stuff will force VIPS to output any sneezes from the system. But if the authors really wants to know, it is exists the strong methods which can help to identify VIPS and shut it fucken down. In the end user mode rootkit part can gain access to the VIPS components and simple turn them off. Of course it is needed to identify the VIPS, but at the current level of its implementation it is very to done. What about future here can be used specially organized timing attacks which will successful not only with VIPS but with Blue Pill also.

We are not telling about the hybridizing of the rootkit with operation system (this is started with Rustock.C and will be continued we for sure) and VIPS will be useless at this point. So the VIPS will require a long white list of trusted components and trusted areas, the same what we actually seen currently with HIPS. Where is the Know How here? Finally this program unfamilar with “anti” part.

This is still unknown what this program will do on the systems with disabled virtualization support. As it shows on our machines it is simple dies. Such kind of security programs have no future. The further operation system versions can and it is most likely will use the own hypervisor implementation and will not let such programs normally working. So for what purpose this all was started?

So this whole story with “World’s first Fourth-Generation rootkit detector” remembers us another Fairy Tales from Russia.

In another hand lets see hows Microsoft realized Hyper-V in Windows 2008. Hyper-V is the virtualization platform INTEGRATED with the operating system and considered as three main components: the hypervisor itself, virtualization stack and the virtualized IO model. The hypervisor basically acts to create the different “partitions” that each virtualized instance of code will run. The virtualization stack and the IO components provide interactivity with Windows itself and with the various partitions that are created. All three components work in “tandem”. Using servers with processors equipped with Intel VT or AMD-V technology (which of course must be enabled), Hyper-V interacts with the hypervisor, which is a very small layer of software that is present directly on the processor. This software hooks into threads on the processor that the host operating system can use to efficiently manage multiple virtual machines and multiple virtual operating systems, running on a single physical processor. Do you feeling the difference between dilettantes from North Security and Microsoft? Of course Hyper-V isn’t security components, but it is much more close to it than any of VIPS will be.

3. Security Through Virtualization Obscurity

It is unknown why almost all smart guys and girls in this world have completely “put on detection” (ignored it) and started inventing a bicycle. Maybe because they are not so smart guys and girls as they think?
Every new term and technology starts a ridiculous circus around it. There is the good example – Data Execution Prevention technology built in Windows XP SP2. And what, does it really helps? Mostly incompetent people starting circus around every new term and new technology, even if it is so cool as VT is. Do not look for a black cat in the darkness.

What HIDS gives to you?
Checking by in advance programmed criteria of certain places and objects of the operation system and its environment.

What is the weakness points of this?
Compromised criteria and methods, “Vision horizon” problems of antirootkits especially.

What HIPS gives to you?
Control over the system via documented and not documented features and places.

What is the weakness points of this?
Does it controlling enough? No. It is acting like intrusion software and not a part of OS. Dead-end by design, when this software can’t decide automatically it gives user to choose what he/she will do next. Rules problem. Dead-end by design when the malicious software compromises security system in the methods.

What VIPS gives to you?
Controlling? No mostly observing of the several system areas.

What is the weakness points of this?
There is no future for only VT based detection. Compromising at many points including methods, criteria and “vision horizon”. Blind fate not in VT, blind fate in developers abilities to control, predict and prevent everything.

So all this weak. Not good enough, not modern HIPS, not modern antirootkits aka HIDS not VIPS.

But it is still possible to develop a close to perfect rootkit detection and removal software, but it will be ALWAYS operation system dependent and will COMBINE the numerous technologies maybe JUST maybe including this hardware VT, but not ONLY the one harmonious name, otherwise it simply idiocy and empty advertising of nothing.

The best way to detection software will be integration of it into the operation system core, which will make it much more powerful ever seen before. And only after this you can call it – The four, five, sixth generation rootkit detection and this will not sounds like a bullshit. The best approach to the system will be – to not let any unwanted software gain control over the system. All third-party protection are vulnerable to the attacks. HIPS always will be vulnerable because of the design Trust-Not-Trust dilemma. But even now without integration exists very good and free tools capable to detect most of the known and available shit and all them will work without any VT related idiocy. Lets leave VT for Virtual Machines support and start thinking by head not ass.

HIPS as well as this VIPS gives people wrong feeling of security without giving them this security. They both compromise your computer security just by their presence at your computer. Just look on the numerous bugs inside them. Instead of HIDS this systems working 24/7/365 (always since the os startups) and slowing down your computer. Wondering, why they using the undocumented features and hooks everything what can be hooked? The same design dilemma, but here it is inside dev’s brains. You do not need all this hooking trash and you do not need this special “Hypervisor for good”. You must be an user of computer not a slave of the security though obscurity.

And yeah rootkits here just because OS is not enough.

Epilogue.

That’s how all this stuff actually looking:

Russian Former Carder (RFC) selling 0day detection software to the Naive European Casual (NEC), retrospective from bhc magazine:

RFC: Yo, bro. I have got some new eleven generation rootkit detector for sale! Wanna to buy? VT, BT, ZT technologies included!
NEC: 0_0 Sure! How much it will be?
RFC: Two hundred rubles.
NEC: Man, i don’t give a fuck where you take these rubles.
RFC: 2k bucks and we have a deal then.
NEC: Yo! Done! I love Russia.

HolaHola aka DNY / VX Heavens
EP_X0FF / VX Heavens
MP_ART / VX Heavens

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: