lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 23 Jun 2017 16:15:07 +0000
From: Mikhail Utin <mikhailutin@...mail.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] malicious hypervisor aka root-kit hypervisor threat is rel

We would like to post and discuss at once Malicious Hypervisor threat that exists since 2006 but was ignored.


In 2006, Michigan University (MU) team with the participation of Microsoft research team published an article describing the development of the most advanced malware - "SubVirt: Implementing malware with virtual machines".

The research has been supported by US government and Intel Corporation.  The research is the proof of concept – virtualization technology can be used to develop a malware (Malicious Hypervisor – MH) which can access any part of operating system and user applications, and thus user data. This is computer stealth technology by the definition – such hypervisor cannot be identified by currently available security tools.

Around 2007 – 2008 a hypervisor has been found in Intel Corporation motherboards which have been shipped to Russia for the development of a special computer system. Russian scientist published the article describing how he found the malware in BMC BIOS flash memory. The article is available in English now.

The scientist observed that the hypervisor was gradually improving from one shipment to the next one and eventually became completely invisible and working with his (now nested) hypervisor.

In 2013, yet another MU research proved that millions of servers worldwide can be hacked via network management interface and malware loaded onto them. This malware could include the MH we are discussing. That represents a threat of an enormous magnitude, because the MH will be working from BMC memory and on Ring -2 level, thus having ultimate control of the computer system.

The situation now is that the most advanced threat had been successfully ignored during more than 10 years and even now we do not have MH identification software available on market.

We believe that there are at least three instances have been existing in the wild since 2010.

Considering MH ability to access to any computer data and do whatever the MH owner wants, we can claim that none of computer systems since 2006 can be compliant to any data protection regulation as there is no tools for at least the identification of MH. Such regulations include, but are not limited to US HIPAA, US NIST SP-800, ISO 27000, DSS, and newcomer – EU General Data Protection Regulation.

Complete information is posted on www.rubos.com<http://www.rubos.com> site.  Please, join the discussion here or, if you need to, please use email addresses from Rubos, Inc. site to communicate your questions.

We need to fix the situation until cyber terrorists develop or reverse engineer a hypervisor and use it to control millions computers around the globe.


Thank you


Mikhail Utin, CISSP
Rubos, Inc.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ