How to detect a hypervisor rootkit

6 replies to this topic

#1 Romeo29

    Learning To Bleep

  • BC Advisor
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 31 October 2010 - 10:45 AM

Hi,

I was explaining to a group how they can use BlackLight, RootkitRevealer, GMER etc. to detect rootkits. Then somebody popped up a question about Hypervisor Rootkits and BluePill and I had no 'good' answer.
How can one detect a hypervisor rootkit in a reliable manner, especially if you are running the computer inside the guest OS? Are there any tools available to deal with such rootkits?

Thanks all :thumbsup:


#2 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,957 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 November 2010 - 08:44 AM

Discussions about Hypervisor Rootkits have been around for several years now and there are many articles about the concept.

Rootkits have been created as Type II Hypervisors in academia only as proofs of concept. By exploiting hardware features such as Intel VT or AMD-V, this type of rootkit runs in Ring -1 and hosts the target operating system as a virtual machine, thereby enabling the rootkit to intercept all hardware calls made by the original operating system. Unlike normal hypervisors, they do not have to load before the operating system, but can load into an operating system before promoting it into a virtual machine. A hypervisor rootkit does not have to make any modifications to the kernel of the target in order to subvert it—however that does not mean to say that it cannot be detected by the guest operating system, as timing differences may for example be detectable in CPU instructions. The "SubVirt" laboratory rootkit, developed jointly by Microsoft and University of Michigan researchers, is an academic example of a virtual machine based rootkit (VMBR), while Blue Pill is another. In 2009, researchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit called Hooksafe that provides generic protection against kernel-mode rootkits

Rootkit: Hypervisor level
SubVirt: Implementing malware with virtual machines

...Blue Pill is the name that Rutkowska gave for this new breed of rootkits that take advantage of AMD’s Pacifica virtualization technology called SVM (Secure Virtual Machine)...

Blue Pill: The first effective Hypervisor Rootkit

Some related articles;
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here

#3 Romeo29

    Learning To Bleep

  • Topic Starter
  • BC Advisor
  • 3,194 posts
  • Gender:Not Telling
  • Location:127.0.0.1

Posted 02 November 2010 - 07:18 AM

Thank you quietman7 :thumbsup: Again a very detailed answer from you :flowers:

#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,957 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 November 2010 - 08:05 AM

You're welcome.

I'd rather provide more detail as part of an explanation, than not enough information which may not fully address a question.

#5 HelpMe0ut

  • Members
  • 51 posts

Posted 26 May 2013 - 10:37 PM

Sorry to necro this thread, but if anyone is around who can post some working links on how to perform a time attack to see if there is an active hypervisor rootkit, it would be much appreciated. I was infected pretty bad a while back, tried full diskpart and delete/0 format the partitions, but it seems even after a fresh install my Windows 8 OS is being hijacked. I noticed I had warnings in my event viewer on multiple suspicious activities and also noticed my boot time was ridiculously slow, and I have a 2013 top notch Sony Vaio E series with RAM/ROM upgrades, touch screen, the works. Also I noticed when in the reformat mode where you can choose to format and delete partitions, when I delete all the visible partitions it's only saying 932.5 GB on the drive. The machine RAM is 8GB and the ROM is 1TB=1024GB. Not sure why there is 80+ GB not accounted for.
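The detection idea quietman7 raises in post #2 (timing differences in CPU instructions) and the "time attack" HelpMe0ut asks about in post #5 can be shown in a few lines of C. The example below is added here and is not code from this thread or from any of the tools it names. It combines two checks run from inside the guest: the CPUID hypervisor-present bit (leaf 1, ECX bit 31), which a cooperative hypervisor sets and a stealthy one may not, and a timing probe, since CPUID always traps to the hypervisor under Intel VT-x and AMD-V, so its cost measured with RDTSC rises sharply when one is present. The 1000-cycle threshold and the sample count are constructed assumptions for illustration, not published figures; the median is used because a single sample is easily disturbed by an interrupt.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid(), __cpuid() macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Assumed threshold: unvirtualized CPUID costs on the order of 100-200
 * cycles, while a trapped CPUID costs well over 1000. Tune per CPU. */
#define CPUID_TRAP_THRESHOLD 1000ULL
#define SAMPLES 2000

/* CPUID leaf 1, ECX bit 31 is reserved as the "hypervisor present" flag.
 * Returns 1 if set, 0 if clear or if this is not an x86 build. */
int hypervisor_bit_set(void) {
#if HAVE_X86
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx)) return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

/* Time n executions of CPUID leaf 0 with RDTSC on either side.
 * Returns the number of samples written (0 on non-x86 builds). */
size_t sample_cpuid_cycles(uint64_t *out, size_t n) {
#if HAVE_X86
    for (size_t i = 0; i < n; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);   /* serializing; traps under VT-x/SVM */
        uint64_t t1 = __rdtsc();
        (void)a; (void)b; (void)c; (void)d;
        out[i] = t1 - t0;
    }
    return n;
#else
    (void)out; (void)n;
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; sorts a private copy so the input is untouched. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Decision rule: a median CPUID cost above the threshold suggests that
 * CPUID is being trapped, i.e. some hypervisor sits below the guest. */
int looks_trapped(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    static uint64_t samples[SAMPLES];
    size_t n = sample_cpuid_cycles(samples, SAMPLES);
    if (n == 0) {
        puts("not an x86 build: timing probe unavailable");
        return 0;
    }
    uint64_t med = median_u64(samples, n);
    printf("hypervisor-present bit (CPUID.1:ECX[31]): %d\n", hypervisor_bit_set());
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)med,
           looks_trapped(med, CPUID_TRAP_THRESHOLD) ? "above threshold, CPUID appears trapped"
                                                     : "below threshold");
    return 0;
}
```

The two checks answer different questions: the flag tells you a hypervisor that wants to be seen is there, the timing tells you something is intercepting CPUID whether or not it admits it. Neither is the reliable detector Romeo29 asked for, since a hypervisor controls the guest's view of the TSC and can offset it; the usual hardening is to time against a clock it does not control, such as an NTP server or a second machine, and to compare results with a known-clean baseline of the same hardware.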

#6 bigrobifer

  • Members
  • 92 posts

Posted 28 June 2014 - 11:42 PM

http://www.bleepingcomputer.com/forums/index.php?app=forums&module=post&section=post&do=new_post&f=45

http://www.bleepingcomputer.com/forums/t/538108/backdoorexploitwin32krootkitbootkit-im-all-messed-up-please-help/



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 50,957 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 June 2014 - 07:02 AM

From your open topic here

...This is no longer malware and not my forte.

If you wish to proceed I suggest you start a new topic in the Windows 7 Forum
http://www.bleepingcomputer.com/forums/forum167.html

So why are you posting links here?