VMX-rootkit : implementing malware with hardware virtual machine extensions

Stealth malware (rootkit) is malicious software used by attackers who wish to run their code on a compromised computer without being detected. Over the years, rootkits have targeted different operating systems and have used different techniques and mechanisms to avoid detection. In late 2005 and early 2006, both Intel™ and AMD™ incorporated explicit hardware support for virtualization into their CPUs. While this hardware support can help simplify the design and implementation of light-weight and efficient Virtual Machine Monitors (VMMs), the technology has also introduced a new and powerful mechanism that malware can use to create an extremely stealthy rootkit, called a hardware-assisted virtual machine rootkit (HVM rootkit). An HVM rootkit is capable of totally controlling a compromised system by installing a small VMM (a.k.a. hypervisor) underneath the operating system and its applications without altering any part of the target operating system or any of its applications. It places the existing operating system into a virtual machine and turns it into a guest operating system on-the-fly, without a reboot. The guest operating system is then totally governed and manipulated by the malicious hypervisor. In this thesis I have investigated the design and implementation of a minimal hypervisor-based rootkit that takes advantage of Intel Virtualization Technology (Intel VT) for the IA-32 architecture (VT-x), with Microsoft Windows XP SP2 as the target operating system.

Bibliographic Details
Main Author: Esoul, O.
Published: University of Salford, 2008
Subjects: 005.8
Format: Electronic Thesis or Dissertation
Online Access: http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.575040
Also available at: http://usir.salford.ac.uk/26667/