Virtual rootkits cannot avoid detection: researchers

Rootkits that use virtualisation techniques should not present detection problems, according to researchers from Carnegie Mellon and Stanford universities in the US.

Working with virtualisation technology vendors VMware and XenSource, the researchers produced a study called Compatibility is not transparency: VMM detection myths and realities. In the study the researchers claimed that rootkits could not use hypervisor technology to remain undetected on a system.

"No matter how minimal the hostile VMM [virtual machine monitor] is, it must consume physical resources, perturb timings and take measures to protect itself from the guest, leaving it no less susceptible to detection than other VMMs," said the research paper.

Hostile hypervisors create anomalies in the infected system that enable detection, according to the researchers, who said that hypervisors can be detected through logical discrepancies between the interfaces of real and virtual hardware.

"Most current hypervisor detection methods exploit differences in the virtual CPU interface of VMMs that violate x86 architecture," said the study.

There are also differences between virtual and actual hardware configurations such as chipsets, according to the researchers. And resource discrepancies give the game away, as VMMs consume CPU cycles and physical memory, and have a cache footprint that can be detected.

Malware researcher Joanna Rutkowska claimed last year to have developed a hypervisor rootkit called "Blue Pill" that would remain undetected on a system. Her claims were disputed by researchers from Matasano Security, Root Labs and Symantec.

Tom Espiner of ZDNet UK reported from London.