6 comments

[ 5.3 ms ] story [ 44.6 ms ] thread
Once your trusted space is compromised (the kernel space in this case), trying to detect or fix the compromise from that same space turns into a game of Core War: http://en.wikipedia.org/wiki/Core_War

Scanning for rootkits from a hypervisor would solve this problem... as long as your hypervisor isn't compromised itself!

This is indeed the direction the industry seems to be heading: extremely lightweight sidecar security hypervisors.
This does not look like a new development in rootkits. If I understand the article's summary: there's a rootkit that sets a hardware breakpoint on the memory it overwrote in the kernel, and checks to see if access are normal or abnormal; for abnormal access, it subs in fake value for the contents of that range of memory.

If you want to see where the state of the art in rootkits was in 2007(!), read:

http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt...

...noting that this is Joanna Rutkowska explaining how to reprogram MMUs (here with MMIO remapping) to defeat hardware DMA memory forensics.

Delusional

God says... enquiries friendship hindrance boastfulness delighting regard corner blind copyright frequent brows soaring hoar besprinkle steeping wealthy demands theft emptied singularly announcement suitable rudiments wish otherwise relation important offences issue trample surveyed deductible ordained fearfully multipliedst indued fragrant washing err Well hence interruption seemed perused followed Commandments favours manifestation refraining candid forasmuch omit spent capacities observed real cities codes adulterer requirements so dividest overspread cold defilements subject rein forced unconscious copious revealedst bushel groan calls efforts rightful disputes afterwards Arise often convert ibiblio gain colouring released now disquieted reminded receivest official