100% undetectable rootkit?

Discussion in 'Computer Security' started by ffreeloader, Jun 24, 2006.

  1. ffreeloader

    ffreeloader Terabyte Poster

    Someone has made the claim that they have created a 100% undetectable rootkit using AMD's virtualization technology called SVM/Pacifica. This rootkit, as it is hardware based rather than OS based would run on any machine that has the hardware, would run on Windows and *nix.

    I've been doing some reading on other forums about this and was wondering what the developers and security experts here might have to say about this claim.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  2. odubtaig

    odubtaig New Member

    Load of cods.

1) It still has to reside somewhere on the hard drive if it's going to last past a reboot or shutdown; this is how most rootkits are detected, not in memory.

2) It still has to work through the hypervisor, and to make itself hidden in the hypervisor it would need to make changes to the hypervisor which would themselves be detectable. This is how most, if not all, Linux rootkits are detected: by checking the binutils executables against what they should be.
     
    Certifications: A+
    WIP: CCNA
  3. ffreeloader

    ffreeloader Terabyte Poster

As I understand it, and I may be wrong, it is a hardware-based rootkit. It doesn't work by subverting any of the binutils in Linux or the equivalents in Windows. It "envelops" the entire OS, and as this works equally well with any OS it doesn't seem to depend on any compromised parts of the OS.

    I don't pretend to understand exactly how this works, but this looks like something completely different than all rootkits that have been created up to now, at least to me anyway.

    From what I understand the author has quite a bit of credibility and since she is going to be demonstrating this publicly at a large conference it seems rather unlikely to me that she would be willing to lose her credibility in such a manner.

    I've seen other people say basically the same things you've said here, but it seems that your analysis is based upon the idea of rootkitting the OS, not the hardware. If I'm wrong about that explain how I'm wrong.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  4. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    How do you rootkit the hardware without either getting into the BIOS, or getting onto the hard drive?

    For example - I boot a compromised PC from a Win98se floppy. Is it still compromised?

    This is the important bit. If booting with a floppy bypasses the 'rootkit' then it isn't as universal as claimed.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  5. ffreeloader

    ffreeloader Terabyte Poster

    How could booting from a floppy bypass a hardware level rootkit?

    I don't see a claim that this will survive a reboot, but that once it is in place it can't be found because it runs at the hardware level, not the OS level, because it relies on specific hardware technology for it to work. At least that's what I'm understanding from this.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  6. odubtaig

    odubtaig New Member

    Windows XP relies on specific hardware technology to work. The hypervisor that manages all the virtualisation of the operating systems is still software and the AMD virtualisation hardware is not even required for this, it just makes it more efficient.

    While the HV may be running above the OS level, and is the only code on any computer that has direct access to the virtualisation hardware, it is still software. I honestly don't care if she does believe this is a hardware hack, this is no more hardware than a device driver or OS kernel. The only way it could possibly be a hardware hack would be if she put actual tangible silicon in the physical computer.

    In short: if it's physical components like chips and drives, it's hardware.

    If it's something that requires no physical intervention, even if it's running above the OS level, it is still software. If it is binary signals running through unaltered silicon it is software. If you look at Amiga 500 games, they ran above the OS level due to not using an OS, still software.
     
    Certifications: A+
    WIP: CCNA
  7. ffreeloader

    ffreeloader Terabyte Poster

Ummm... Have you seen the code for what is referred to as the Blue Pill? The author states that this relies specifically on the AMD Pacifica hardware, and from my reading on Pacifica and Intel's VT, Pacifica is a superset of VT technology. IOWs it has features that Intel's technology does not have, so how can you make a blanket statement like this?

    I'm not saying you're wrong, but that I don't understand how you can state what you did given the two technologies. Programs written specifically for one technology may very well not run on the other one, at least according to this article, and the two main differences that AMD made are linked very closely to AMD hardware architecture.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  8. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    <Grin> OK - *how* do you get it into the 'hardware'? With a virtual soldering iron? <giggle>
    IMHO - by definition - hardware is hard, and can't be altered by software. You could argue that there is a flash/rom/something in there that alters the microcode or some such. That ain't 'hardware' to me, and as far as I can see is not what is being claimed here.

    If booting from a floppy doesn't circumvent the rootkit then *where* is it hiding? The only place left is the BIOS flash ROM - time to reflash then - job done. And if you have a dual-rom bios then it won't happen anyway.

    [rant] This article - like so many I see on the subject - contains a lot of 'hand-waving'. I'm not going to believe this sort of thing without some real info. [/rant]

    Harry (basking in the glow of a nice bottle of wine)
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  9. odubtaig

    odubtaig New Member

    I was referring to virtualisation in general; Pacifica is to virtualisation as 3DNow is to graphics, you can very well do the job without it but it makes the process a lot more efficient. What Pacifica does not do is anything that could not be done before, what it does do is take functions that are inefficient to operate in software and hardwire them. At the base level, it's all the same base logic operations.

Oh, and while Pacifica is a superset of VT, VT is not virtualisation and Pacifica is still a subset of all possible virtualisation capabilities. As it stands, it does precisely two more things than VT and those are both related to specifics in the AMD architecture, the 64-bitness and the per-CPU memory controllers.

    As for microcode, the Linux kernel can alter Intel microcode instructions and it's most definitely software. It does this by executing special instructions to upload new instructions into an area set aside for fixing instructions that are bugged. This is loaded into tiny portions of volatile RAM in the CPU that are erased per reboot.

    This microcode, being code, is still software, not to mention that it would need to reside in either permanent storage, preferably the boot sector, or the BIOS which would be interesting as it would require altering a BIOS about which little is known as each one is different on each motherboard generation.

    So, in short:

    This virus has to reside somewhere to survive a reboot and the boot sector is too obvious.

There are many variations in BIOS structure due to different versions, bugfixes and different hardware support requirements.

    Even microcode is software.

    Pacifica is not hardware virtualisation, it is hardware acceleration for virtualisation and it does still require a software hypervisor.

    Which means:

    It is most definitely detectable.

It has as much chance of spreading as I have of enjoying a passionate night with Monica Bellucci.
     
    Certifications: A+
    WIP: CCNA
  10. ffreeloader

    ffreeloader Terabyte Poster

    Harry,

I think it's probably semantics. I realize that this is code, and thus software, but it runs below the OS level, Ring -1 vs Ring 0, and is dependent, according to the author, on specific AMD hardware so it can function. So, it's also a hardware level rootkit as the Pacifica hardware has hardware virtualization built into it and this rootkit is supposed to take advantage of that.

    To me the claim being made is that once this code is inserted into the system it places itself below the OS, not in the OS, and thus you can't use anything in the OS itself to detect it. That to me would make it undetectable. I haven't read anything that says it would survive a reboot, thus nothing would need to be done to the BIOS or any of the binaries in the OS. That would be necessary if the rootkit was to survive a reboot, but that isn't the claim being made as far as I can see from reading the blog.

It looks to me like this is a proof-of-concept claim. Again, I could very well be wrong, but you guys seem to be arguing against claims that aren't even being made by the author. So far I've read arguments using BIOS modifications, modified system binaries, rebooting to a floppy, etc... but nothing actually speaking to the claims that I see actually being made.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  11. odubtaig

    odubtaig New Member

    Oh, wait.

    Now, from what was being described here I believed it to be much more subtle than it actually is.

    However, it only tries to replace the hypervisor?

    Hahahahahahahaha!

    More here.

    Yes, it's mathematically impossible to detect with software, not with hardware.

    EDIT: PS. that it runs on ring -1 does not mean it's hardware, it's a meta-OS, that is it is itself an OS designed to run other OSs. Yes, it's undetectable to the primary OS, and possibly any other software ever run on the computer, but that does not make it totally undetectable.
     
    Certifications: A+
    WIP: CCNA
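A software-side check of the kind the post above debates, as an added example that is not code from this thread or from Blue Pill's author: it reads the CPUID hypervisor-present flag and times the CPUID instruction, which unconditionally exits to the hypervisor under SVM/VT-x. It assumes an x86 build with GCC or Clang; the baseline cycle count is the operator's own, taken on known-clean hardware, and a hypervisor that also virtualises the TSC can mask the timing, which is exactly the limit of software detection the post points at.

```c
#include <stdint.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif
/* 1 if CPUID leaf 1 advertises a hypervisor (ECX bit 31). A cooperative
 * hypervisor sets it; a stealth one can leave it clear, so 0 proves nothing.
 * Returns 0 on non-x86 builds. */
int hypervisor_flag_set(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}
/* Median TSC cycles for one CPUID. CPUID always exits to the hypervisor under
 * SVM/VT-x, so an intercept shows up as a latency jump over bare metal. A
 * hypervisor that also virtualises the TSC can mask this. Returns 0 on
 * non-x86 builds or for an out-of-range sample count. */
uint64_t cpuid_median_cycles(int samples) {
#if defined(__x86_64__) || defined(__i386__)
    if (samples < 1 || samples > 4096) return 0;
    uint64_t deltas[4096];
    unsigned int a, b, c, d;
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);   /* serialising; this is the intercepted op */
        deltas[i] = __rdtsc() - t0;
    }
    (void)a; (void)b; (void)c; (void)d;
    qsort(deltas, (size_t)samples, sizeof deltas[0], cmp_u64);
    return deltas[samples / 2];
#else
    (void)samples;
    return 0;
#endif
}
/* True when the median exceeds a baseline the operator recorded on known-clean
 * bare metal; the baseline is site-specific, not a universal constant. */
int timing_suggests_hypervisor(uint64_t median, uint64_t baseline) {
    return median > baseline;
}
```

Run it once on hardware you trust to record the baseline, then compare later measurements against that number rather than against any fixed constant.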
  12. ffreeloader

    ffreeloader Terabyte Poster

    Well, I'd appreciate it if you let me in on the joke. :rolleyes:

    Does it "only" try to replace the hypervisor? I certainly don't know. I'm not a developer and the author of the concept doesn't say one way or another. It was my assumption that it somehow works with the virtualization hardware as that is what sets Pacifica apart, but I can't verify that thought one way or another.

    I ask again, how can you know in actuality what the rootkit is if you haven't seen any code? If you have seen the code, where did you see it?
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  13. odubtaig

    odubtaig New Member

    As is said on the site you linked to in the first instance:
Blue Pill is a hypervisor in and of itself, so it replaces the original hypervisor in the firmware.

However, the only reason this can be done at all at this stage is because she's using development hardware, which would be impracticable to use if the TPM was included as you'd have to replace that chip every time you made a development change to the hypervisor.

    The reason I find it funny, is because she thinks she's got this amazing new proof of concept thing that no-one knows about and yet it's something that was thought of when hardware virtualisation was first considered and countermeasures have already been developed.
     
    Certifications: A+
    WIP: CCNA
  14. ffreeloader

    ffreeloader Terabyte Poster

    OK. I was just curious as to how you came to your conclusions.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  15. ffreeloader

    ffreeloader Terabyte Poster

    Here is an update on this. It seems the naysayers and scoffers are wrong and Joanna Rutkowska is correct. She is able to both bypass Vista's kernel signing process and install a rootkit that is completely undetectable, although she herself is currently working at finding ways to detect and prevent it along with MS, AMD, and Intel.

    Hmmmm.... I wonder how many people will be saying they were wrong and she was right as the reaction here on CF to her claims was mild compared to the scoffing I saw on other forums.

    You can read the rest of this article from networkworld.com here.
     
    Certifications: MCSE, MCDBA, CCNA, A+
    WIP: LPIC 1
  16. odubtaig

    odubtaig New Member

    This may be a serious flaw in Vista, but it still doesn't get it past the PKI chip which is the piece of hardware, independent of operating system, that checks the validity of the hypervisor for itself.

    This malware may be able to install itself, but I'd like to see it survive a reboot on production hardware.
     
    Certifications: A+
    WIP: CCNA
  17. zxspectrum

    zxspectrum Terabyte Poster Forum Leader Gold Member

    Just one question, if the rootkit is 100% undetectable then how do you know of its existence in the first place?

Sorry, had to get that one in there lol
     
    Certifications: BSc computing and information systems
    WIP: 70-680
