Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 27 Jun 2017 02:52:16 +0000
From: Mikhail Utin <mikhailutin@...mail.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: malicious hypervisor threat was ignored but it is real

In 2006, Michigan University (MU) team with the participation of Microsoft research team published an article describing the development of the most advanced malware - "SubVirt: Implementing malware with virtual machines".

The research has been supported by US government and Intel Corporation.  The research is the proof of concept – virtualization technology can be used to develop a malware (Malicious Hypervisor – MH) which can access any part of operating system and user applications, and thus user data. This is computer stealth technology by the definition – such hypervisor cannot be identified by currently available security tools.

Around 2007 – 2008 a hypervisor has been found in Intel Corporation motherboards which have been shipped to Russia for the development of a special computer system. Russian scientist published the article describing how he found the malware in BMC BIOS flash memory. The article is available in English now.

The scientist observed that the hypervisor was gradually improving from one shipment to the next one and eventually became completely invisible and working with his (now nested) hypervisor.

In 2013, yet another MU research proved that millions of servers worldwide can be hacked via network management interface and malware loaded onto them. This malware could include the MH we are discussing. That represents a threat of an enormous magnitude, because the MH will be working from BMC memory and on Ring -2 level, thus having ultimate control of the computer system.

The situation now is that the most advanced threat had been successfully ignored during more than 10 years and even now we do not have MH identification software available on market.

We believe that there are at least three instances have been existing in the wild since 2010.

Considering MH ability to access to any computer data and do whatever the MH owner wants, we can claim that none of computer systems since 2006 can be compliant to any data protection regulation as there is no tools for at least the identification of MH. Such regulations include, but are not limited to US HIPAA, US NIST SP-800, ISO 27000, DSS, and newcomer – EU General Data Protection Regulation.

Complete information is posted on www.rubos.com<http://www.rubos.com> site.  Please, join the discussion here or, if you need to, please use email addresses from Rubos, Inc. site to communicate your questions.

We need to fix the situation until cyber terrorists develop or reverse engineer a hypervisor and use it to control millions computers around the globe.



Mikhail Utin

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.