Undetectable rootkits?

"eWeek has an article about a prototype rootkit that is implemented using
a virtual machine hypervisor running on top of AMD's Pacifica
virtualization implementation. The idea is that the target OS, or software
running on it, would not be able to detect the rootkit, because the OS
would be running virtualized on top of the rootkit. The prototype is
supposed to be demonstrated at the Syscan conference and the Black Hat
Briefings over the next month."

Here is the url:


Is it correct to say that if you don't run virtualization software of any
kind you are not subject to this risk?

Re: Undetectable rootkits?

Well, from the details of the original uncompressed item (not found in
news aggregators such as eWeek or Slashdot, and now I guess even Usenet),
it appeared as if you don't even have to run virtualization software.

Pacifica also appears to use what's being referred to as hardware
assistance. Perhaps the hypervisor is accessed initially via those x86

So, if you are a proud owner of this stuff, it's not in the virtualization
per se, or in the running of it, because the issue looks to lie within the

Hopefully someone with more or updated info will chime in.


Re: Undetectable rootkits?

No. The rootkit installs its own virtualization software.


John (john@os2.dhs.org)

Re: Undetectable rootkits?

As far as I've been able to tell, it's not possible to run a virtualised
system on top of another virtualised system.

So this suggests to me that if you /are/ running your own virtualisation
software (qemu, uml, vmware, etc.) then it will fail to run, thereby
alerting you to the fact that your host OS is already virtualised.


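As an added example, not code from any poster in this thread, here is the check a guest can make from user space on x86 to ask whether a hypervisor advertises itself (the CPUID hypervisor-present bit and vendor signature leaf). The caveat is the thread's own point: a hypervisor that intercepts CPUID can answer however it likes, so a clean result does not prove there is nothing underneath; the register values in the comments are constructed samples.

```c
/* Added example, not code from this thread: does a hypervisor advertise
 * itself to the OS we run in?  CPUID leaf 1 ECX bit 31 is the hypervisor
 * present bit; leaf 0x40000000 returns a 12-byte vendor signature in
 * EBX,ECX,EDX (e.g. "KVMKVMKVM").  Caveat: a hypervisor that intercepts
 * CPUID chooses these answers, so "no" never proves nothing is underneath. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
#define HV_PRESENT_BIT (1u << 31)

/* Pure helper: true if a CPUID.1:ECX value carries the hypervisor bit. */
int hv_bit_set(uint32_t leaf1_ecx) {
    return (leaf1_ecx & HV_PRESENT_BIT) != 0;
}

/* Copy one register into 4 bytes, low byte first (the documented order). */
static void put_reg(char *dst, uint32_t reg) {
    for (int i = 0; i < 4; i++)
        dst[i] = (char)((reg >> (8 * i)) & 0xffu);
}

/* Pure helper: decode the leaf 0x40000000 signature into out (13 bytes). */
char *hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    put_reg(out, ebx);
    put_reg(out + 4, ecx);
    put_reg(out + 8, edx);
    out[12] = '\0';
    return out;
}

/* Runs the real instruction: 1 = hypervisor advertised (vendor filled),
 * 0 = not advertised, -1 = not an x86 build, so there is nothing to ask. */
int hv_probe(char vendor[13]) {
    vendor[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    uint32_t a, b, c, d;
    __cpuid(1, a, b, c, d); (void)a;
    if (!hv_bit_set(c)) return 0;
    __cpuid(0x40000000, a, b, c, d);
    hv_vendor_string(b, c, d, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void) { char v[13]; int r = hv_probe(v); printf("hv=%d vendor=%s\n", r, v); return 0; }
```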