Death of antivirus software imminent

Angelos D. Keromytis angelos at cs.columbia.edu
Wed Jan 2 15:53:26 EST 2008


There was a paper in IEEE Security & Privacy 2006 by Sam King on how
to do this kind of attack (his system was called SubVirt):
	http://www.eecs.umich.edu/virtual/papers/king06.pdf

However, in practice it turns out this is much harder than people
think. See Tal Garfinkel's paper on precisely this topic at HotOS 2007:
	http://www.stanford.edu/~talg/papers/HOTOS07/abstract.html

-Angelos


On Jan 2, 2008, at 1:09 PM, Anne & Lynn Wheeler wrote:

> Bill Frantz wrote:
> > My favorite virtual machine use is for the virus to install itself
> > as a virtual machine, and run the OS in the virtual machine.  This
> > technique should be really good for hiding from virus scanners.
>
> re:
> http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus software imminent
> http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus software imminent
>
> i commented on that in reference posts mentioning that there have been
> uses of virtual machines to study virus/trojans ... but that
> some of the new generation virus/trojans are now looking to see if
> they are running in a virtual machine (studied?).
>
> some of the current trade-off is whether that virtual machine technology
> can be used to partition off basically insecure operations (which are
> widely recognized as being easy to compromise) and then completely discard
> the environment and rebuild from scratch after every session (sort of
> the automated equivalent of having to manually wipe an infected machine
> and re-install from scratch).
>
> the counter argument is that crooks can possibly also use similar
> technology to hide ... once they have infected the machine. the current
> issue is that a lot of the antivirus/scanning techniques are becoming
> obsolete w/o the attackers even leveraging virtual machine technology.
>
> The attackers can leverage the technology in an otherwise poorly
> defended machine. Some years ago there was a product claiming
> that it could operate even at a public access machine because
> of the completeness of their antivirus countermeasures ... even
> on an infected machine. I raised the issue that it would be trivial
> to defeat all such countermeasures using virtual machine technology.
> Somewhat of a skirmish resulted since they had never considered
> (or heard of) virtual machine technology ... for all i know there
> is still an ongoing head-in-the-sand situation.
>
> for a little topic drift ... this blog entry:
> https://financialcryptography.com/mt/archives/000991.html
>
> and
> http://www.garlic.com/~lynn/aadsm28.htm#3
> http://www.garlic.com/~lynn/aadsm28.htm#5
>
> there is some assertion that the crooks are overwhelming the
> defenders' countermeasures because they are operating
> significantly faster and more efficiently.
>
> however, another interpretation is that the defenders
> have chosen an extremely poor position to defend ... and are
> therefore at an enormous disadvantage. it may be necessary
> to change the paradigm (and/or find the high ground)
> in order to successfully defend.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
