
List:       full-disclosure
Subject:    [FD] malicious hypervisor aka root-kit hypervisor threat is rel
From:       Mikhail Utin <mikhailutin () hotmail ! com>
Date:       2017-06-23 16:15:07
Message-ID: DM5PR11MB1643FE6A080C126B23412C53AAD80 () DM5PR11MB1643 ! namprd11 ! prod ! outlook ! com

We would like to post and discuss at once the Malicious Hypervisor threat that has existed since 2006 but was ignored.

In 2006, a Michigan University (MU) team, with the participation of a Microsoft research team, published an article describing the development of the most advanced malware: "SubVirt: Implementing malware with virtual machines".

The research was supported by the US government and Intel Corporation. The research is the proof of concept that virtualization technology can be used to develop malware (a Malicious Hypervisor, MH) which can access any part of the operating system and user applications, and thus user data. This is computer stealth technology by definition: such a hypervisor cannot be identified by currently available security tools.

Around 2007–2008 a hypervisor was found in Intel Corporation motherboards which had been shipped to Russia for the development of a special computer system. A Russian scientist published an article describing how he found the malware in BMC BIOS flash memory. The article is available in English now.

The scientist observed that the hypervisor was gradually improving from one shipment to the next and eventually became completely invisible and worked with his (now nested) hypervisor.

In 2013, yet another MU research project proved that millions of servers worldwide can be hacked via the network management interface and malware loaded onto them. This malware could include the MH we are discussing. That represents a threat of an enormous magnitude, because the MH will be working from BMC memory and at the Ring -2 level, thus having ultimate control of the computer system.

The situation now is that the most advanced threat has been successfully ignored for more than 10 years, and even now we do not have MH identification software available on the market.

We believe that there have been at least three instances in the wild since 2010.

Considering the MH's ability to access any computer data and do whatever the MH owner wants, we can claim that no computer system since 2006 can be compliant with any data protection regulation, as there are no tools for at least the identification of an MH. Such regulations include, but are not limited to, US HIPAA, US NIST SP-800, ISO 27000, DSS, and the newcomer, the EU General Data Protection Regulation.

Complete information is posted on the www.rubos.com<http://www.rubos.com> site. Please join the discussion here or, if you need to, please use the email addresses from the Rubos, Inc. site to communicate your questions.

We need to fix the situation before cyber terrorists develop or reverse engineer a hypervisor and use it to control millions of computers around the globe.


Thank you


Mikhail Utin, CISSP
Rubos, Inc.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/