NEWS FROM THE LAB - Tuesday, March 14, 2006

An Old Idea Returns for Building a Better Rootkit Posted by Sean @ 08:23 GMT

SubVirt is a new proof-of-concept rootkit created by Microsoft Research and the University of Michigan. The idea is to install a rootkit that inserts itself at a lower level than the OS and then gives the user a virtual machine environment that, if successful, looks just like their own. An inexperienced user might then never realize that they aren't really in control, and their software defenses, running inside that virtual machine, might not realize it either.

Why is Microsoft building a better rootkit? We aren't too sure, but to paraphrase this eWeek article published on the 10th, Microsoft hopes to use the perspective of the attacker to better understand the needs of the defender. It sounds to us a bit like the scientists who researched nuclear fission without really thinking about the final use of the bomb they were helping to build.

In any case, the concept isn't entirely new. In 1993, PMBS was discovered, a "stealth virus" as they were termed at the time. PMBS was a boot virus that traveled via infected floppy disks. Once it infected a machine, it copied itself into extended memory, switched the computer into protected mode and ran a virtual V86 machine. DOS and other applications were then run from inside that virtual PC, with the virus sitting underneath them.