[Dshield] The race to the bottom - Virtualizing all your servers - security measure or not?

Tony Earnshaw tericssonearnshaw at barlaeus.nl
Wed Aug 30 18:04:03 GMT 2006

On 30.08.2006 at 07:59 (-0700), dianalucy00-sans at yahoo.com wrote:

> I was reading an article in Network World, when a term caught my eye, 
> VM Rootkits were discussed in eweek 5 months ago (see VM Rootkits, 
> "http://www.eweek.com/article2/0,1895,1936666,00.asp").  For those that 
> don't know - and please if I am wrong let me know - a VM Rootkit basically 
> hoists itself between the hardware and operating system.  The rootkit will 
> virtualize the OS so no matter what you do on the OS, you'll never know the 
> rootkit is there.  I know it's old news to some, but it was the first I had heard 
> of it.  I lamented to my cohort that we are basically screwed. 
> Rather than throw in the towel, I thought what if I get there first. In other words, 
> by virtualizing all my servers on top of a Linux host with a firewall and SELinux 
> enabled, that I might beat that threat or at least delay it until I can figure out 
> what else to do.

As far as I can glean from the article, for Linux one would have to be
running VMware or some similar virtual machine system software first.
Couldn't care less about Windows, in fact ...
> This is defense in depth on steroids - don't you think? 

I'd first like to know the underhand technique whereby the rootkits get
placed on the Linux machine in the first place. AFAICS basic Unix
coupled with paranoid ISO 17799 security and forensic experience would
go a long way to preventing this.



Tony Earnshaw
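The thread above turns on whether a guest OS can tell that a hypervisor sits beneath it. The script below is an added example, written for this page and not code from either poster or from the eweek article; it shows the two cheap indicators a Linux admin can check from inside the guest: the "hypervisor" flag Linux puts in /proc/cpuinfo when CPUID leaf 1 reports the hypervisor-present bit, and the DMI product name under /sys/class/dmi/id. The cpuinfo samples and the DMI vendor list are constructed for offline use and are assumptions, not a complete catalogue. The caveat is the one the thread worries about: anything that sits between the hardware and the OS also decides what CPUID and DMI return, so a clean result here rules out a cooperative hypervisor, not a hostile one.

```shell
#!/bin/sh
# Added example: guest-side hypervisor indicators on Linux.
# Checks are deliberately passive (read-only) so they can run on any host.

# Print "hypervisor" if the cpuinfo-style file in $1 carries the flag Linux
# sets when CPUID leaf 1 ECX bit 31 (hypervisor present) is reported;
# otherwise print "bare-metal-or-hidden". A hypervisor that intercepts CPUID
# can clear that bit, hence the "or-hidden".
classify_cpuinfo() {
    if grep -Eq '^flags[[:space:]]*:.*[[:space:]]hypervisor([[:space:]]|$)' "$1"; then
        echo hypervisor
    else
        echo bare-metal-or-hidden
    fi
}

# Classify a DMI product name (normally read from
# /sys/class/dmi/id/product_name). The vendor strings below are a
# constructed, non-exhaustive list of what common hypervisors expose.
classify_dmi() {
    case "$1" in
        *VMware*|*VirtualBox*|*KVM*|*"Virtual Machine"*|*QEMU*|*Xen*)
            echo hypervisor ;;
        *)
            echo bare-metal-or-hidden ;;
    esac
}

# Constructed /proc/cpuinfo samples so the checks can run offline.
SAMPLE_VM=$(mktemp)
SAMPLE_METAL=$(mktemp)
trap 'rm -f "$SAMPLE_VM" "$SAMPLE_METAL"' EXIT

cat > "$SAMPLE_VM" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc rep_good nopl xtopology cpuid pni ssse3 cx16 sse4_1 sse4_2 x2apic popcnt aes xsave avx rdrand hypervisor lahf_lm abm
EOF

cat > "$SAMPLE_METAL" <<'EOF'
processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm constant_tsc cpuid pni vmx smx est tm2 ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx
EOF

# Stand-alone usage: report on the constructed samples, then on this host
# if the Linux interfaces exist.
echo "sample vm:    $(classify_cpuinfo "$SAMPLE_VM")"
echo "sample metal: $(classify_cpuinfo "$SAMPLE_METAL")"
if [ -r /proc/cpuinfo ]; then
    echo "this host (cpuinfo): $(classify_cpuinfo /proc/cpuinfo)"
fi
if [ -r /sys/class/dmi/id/product_name ]; then
    echo "this host (dmi):     $(classify_dmi "$(cat /sys/class/dmi/id/product_name)")"
fi
```

Both indicators are set by the hypervisor for the guest's benefit; they are useful for inventory and for spotting a guest that was not supposed to be one, but not as evidence against a rootkit-style VMM that chooses not to advertise itself.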
