[FD] malicious hypervisor aka root-kit hypervisor threat is rel
- To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] malicious hypervisor aka root-kit hypervisor threat is rel
- From: Mikhail Utin <mikhailutin@xxxxxxxxxxx>
- Date: Fri, 23 Jun 2017 16:15:07 +0000
We would like to post and discuss at once the Malicious Hypervisor threat that
has existed since 2006 but has been ignored.
In 2006, a Michigan University (MU) team, with the participation of a Microsoft
research team, published an article describing the development of the most
advanced malware: "SubVirt: Implementing malware with virtual machines".
The research was supported by the US government and Intel Corporation. The
research is a proof of concept: virtualization technology can be used to
develop malware (Malicious Hypervisor, MH) which can access any part of the
operating system and user applications, and thus user data. This is computer
stealth technology by definition: such a hypervisor cannot be identified by
currently available security tools.
Around 2007-2008, a hypervisor was found in Intel Corporation motherboards
which had been shipped to Russia for the development of a special computer
system. A Russian scientist published an article describing how he found the
malware in BMC BIOS flash memory. The article is now available in English.
The scientist observed that the hypervisor gradually improved from one
shipment to the next and eventually became completely invisible, working
alongside his (now nested) hypervisor.
In 2013, yet another MU research project proved that millions of servers
worldwide can be hacked via the network management interface and malware loaded
onto them. This malware could include the MH we are discussing. That represents
a threat of enormous magnitude, because the MH would be working from BMC memory
and at Ring -2 level, thus having ultimate control of the computer system.
The situation now is that the most advanced threat has been successfully
ignored for more than 10 years, and even now there is no MH identification
software available on the market.
We believe that at least three instances have been existing in the wild since
2010.
Considering the MH's ability to access any computer data and do whatever the MH
owner wants, we can claim that no computer system since 2006 can be compliant
with any data protection regulation, as there are no tools for even the
identification of an MH. Such regulations include, but are not limited to, US
HIPAA, US NIST SP-800, ISO 27000, DSS, and the newcomer, the EU General Data
Protection Regulation.
Complete information is posted on the www.rubos.com site.
Please join the discussion here or, if you need to, use the email addresses
from the Rubos, Inc. site to communicate your questions.
We need to fix the situation before cyber terrorists develop or reverse engineer
a hypervisor and use it to control millions of computers around the globe.
Thank you
Mikhail Utin, CISSP
Rubos, Inc.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/