'Vitriol' Rootkit to Demo at MS Blue Hat Hacker SummitBy Ryan Naraine | Print
Re-Imagining Linux Platforms to Meet the Needs of Cloud Service Providers
Microsoft's twice-yearly Blue Hat summit will kick off with a demo of a virtualization-based rootkit that can be used to defeat the company's PatchGuard technology.Microsoft's twice-yearly Blue Hat hacker summit, running Oct. 26-27, will kick off later this week with a demo of a virtual machine rootkit that can potentially be used to defeat the controversial PatchGuard technology.
Dino Dai Zovi, a principal at penetration-testing outfit Matasano Security, has been invited to Microsoft's Redmond, Wash., campus to showcase a hardware VM-based rootkit called Vitriol that piggybacks on Intel's VT-x virtualization extension.
Zovi, an expert on exploitation techniques, 802.11 wireless attacks and operating system kernel security, will demo the rootkit at the conference, to which select members of the hacking community are invited to brainstorm security issues with Microsoft employees and executives.
Microsoft officials declined to comment on the Blue Hat schedule. According to sources familiar with the company's plans, Blue Hat v4 will feature a roster of well-known white hat researchers specializing in OS kernel hardening, database security and application threat modeling.
The source said the company is looking for "new faces" to talk at the two-day event. Researchers who made presentations at Blue Hat v3 in March 2006 are being invited back as attendees.
At the Spring 2006 sessions, the roster of presenters included database security experts David Litchfield and Alexander Kornbrust, Web applications security researcher Caleb Sima, Metasploit founder HD Moore and reverse engineering guru Halvar Flake.
Moore, Flake and Kornbrust said they will not be attending the sessions this week.
Zovi's virtual machine rootkit presentation comes on the heels of a Black Hat demo by stealth malware researcher Joanna Rutkowska of Blue Pill, new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.
Rutkowska's Blue Pill prototype uses Advanced Micro Devices' SVM/Pacifica virtualization technology to create an ultrathin hypervisor that takes complete control of the underlying operating system.
Rutkowska, who also showed off a way to defeat the device driver signing requirement in Windows Vista, told eWEEK she has never been invited to speak at Microsoft's Blue Hat.
Microsoft's own Cybersecurity and Systems Management Research Group has also created a proof-of-concept rootkit called SubVirt that exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.
Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.