Rootkit Hunter

Gabriel Dragffy dragffy at yandex.ru
Sat Dec 23 15:33:49 UTC 2006


On Sun, 2006-12-24 at 02:10 +1100, Serg B. wrote:

> 
> Sounds like James Bond stuff to me. Do you have a link to an article
> that talks about the above proof of concept code? Since you know...
> 
Sounds James Bond to me too!!
> I heard that VMWare released or is about to release a tool that can
> image the currently running OS into a VMWare machine. 
> 
> I agree that detecting a virus that wraps an OS into a VM image and
> runs beneath it would be (maybe almost) impossible. 
> 
> However you would definitely know about it. Nothing stealthy there
> unless you run one powerful mother of a machine! And even then you
> would see that things are not quite as fast. You would notice a
> performance decrease since you would be now running 2 OS's. One for
> the virus and one for the guest. Reduced disk size - a noticeable
> chunk since there is another OS installed.  On reboot a boot-up screen
> would show messages inconsistent to the guest OS, etc. Like I said
> nothing stealthy, in MY opinion. 
> 
> So yeah I doubt that this proof of concept is anything more than
> marketing speak for VM tools and somebody trying to get a security paper
> out for self promotion. 
> 
> Uh why not, it is the flavor of the month after all. 

I think perhaps that when we're talking about this kind of virus it
isn't limited to just VMware. Imagine a virtual server service that has
a single computer hosting 50 operating systems using Xen technology. Now
think about the trouble that a virus could cause all that. Horrible. If
a virus managed to escape the guest OS...




