Subvirt: Virtual Machine Based Rootkit - Forums


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

Subvirt: Virtual Machine Based Rootkit

#1 bonarez

  • Second Lieutenant
  • Group: Second Lieutenant
  • Posts: 1,087
  • Joined: 17-March 04

Posted 19 April 2006 - 01:45 PM



Microsoft Research and a team from the University of Michigan have developed SubVirt, a virtual machine based rootkit that is installed underneath the installed operating system. A computer would boot the rootkit, which in its turn would load the existing operating system in a virtual machine. While the user unknowingly works in that virtual environment, a second, hidden virtual machine would perform all kinds of devious tasks.
A rootkit like this would be independent of the operating system, meaning it could work on Windows and Linux, etc.

More Info
source: C'T Magazine

"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post

#2 Tyler

  • Master Sergeant
  • Group: Members
  • Posts: 838
  • Joined: 20-June 05

Posted 19 April 2006 - 04:20 PM

Holy crap! That's crazy. I thought it was going to be done sooner or later, but that's crazy. Why Microsoft Research would do that, I don't really know, but I know that if the source gets to the public, shit could hit the fan. But..... if they don't release the source I doubt you would see too many of those rootkits around, just because of the time it would take to code, presuming it's being coded with a virtual machine made from scratch and not taken from premade virtual machine source code (which is what Microsoft and the University of Michigan would have developed).

#3 w00zy

  • Sergeant
  • Group: Members
  • Posts: 246
  • Joined: 03-August 05

Posted 20 April 2006 - 01:38 AM

I've read about this, too. But I don't think these rootkits will be used in the near future, because they are more than 200 MB big, and with ADSL it takes a while to transfer them (maybe you could use these for webservers...)!
I can't uninstall it, there seems to be some kind of "Uninstall Shield".

#4 buzzons

  • i wish i was admin
  • Group: Second Lieutenant
  • Posts: 1,818
  • Joined: 25-August 03

Posted 20 April 2006 - 04:27 AM

I would assume MS did the research so that it can combat them if they did surface.

#5 Guest_FLX_*

  • Group: Guests

Posted 20 April 2006 - 05:49 AM

Don't worry, Microsoft never releases source code :P

#6 sarkar112

  • Sergeant First Class
  • Group: Specialist
  • Posts: 340
  • Joined: 26-November 05

Posted 20 April 2006 - 08:08 AM

w00zy, on Apr 20 2006, 05:38 AM, said:

I've read about this, too. But I don't think these rootkits will be used in the near future, because they are more than 200 MB big, and with ADSL it takes a while to transfer them (maybe you could use these for webservers...)!


Not all of them are 200 MB big, a few are smaller, and they can be compressed.

FLX, on Apr 20 2006, 09:49 AM, said:

Don't worry, Microsoft never releases source code :P


They released the source for MASM; I doubt they will release it for a rootkit that can be used against them. Yet, a few people who have intermediate experience in driver development can easily write something similar to this, and probably will release the source in the future.
"The quieter you become, the more you can hear." -Baba Ram Dass
PGP: 0x6C767D75

#7 TheSmokingMan

  • Private First Class
  • Group: Members
  • Posts: 96
  • Joined: 24-June 05

Posted 20 April 2006 - 08:21 AM

This is OLD news, and Microsoft is only one of many academic sponsors of this project.

#8 Trinitron

  • Private First Class
  • Group: Members
  • Posts: 64
  • Joined: 23-December 05

Posted 20 April 2006 - 08:37 AM

I think they are doing their research this way: the research team dedicates themselves to figuring out ways to trash Windows' security, and they report the results to the main coding team. Isn't it kinda obvious?

#9 Tyler

  • Master Sergeant
  • Group: Members
  • Posts: 838
  • Joined: 20-June 05

Posted 20 April 2006 - 09:33 AM

Well, I did some searching; there are some kits out there at 20 megs, so if you've got a 100 Mbit connection then you're golden at uploading it pretty fast, but other than that, yeah, still pretty slow for an ADSL or cable user. Hmm.. and yeah, I kinda figured MS wouldn't release their code, but if it's that big I bet it will get leaked sooner or later.

#10 bonarez

  • Second Lieutenant
  • Group: Second Lieutenant
  • Posts: 1,087
  • Joined: 17-March 04

Posted 20 April 2006 - 11:48 AM

Quote

this is OLD news

was new to me..

It surely won't be very easy to install such a rootkit. It's not easy to hide 200 megs.. sure there are smaller kits out there, but that has its disadvantages.. the smaller the kit, the less support for hardware.. I don't have much experience with virtual machines, I prefer running everything on separate PCs. But I can imagine hardware support to be at least less than what you would expect from a 'real' OS.

still the principle is interesting..
"Ask the right question and you will receive the right answer. I'm just very sensitive about the right syntax"

Read the rules before you post

#11 ConiX

  • Private First Class
  • Group: Members
  • Posts: 142
  • Joined: 26-January 06

Posted 20 April 2006 - 12:06 PM

Well, if the rootkit is 200 MB big, then I suppose that Microsoft will find a way to compress it. And about the source, don't expect Microsoft to release it ever.

#12 satknis

  • Corporal
  • Group: Members
  • Posts: 162
  • Joined: 18-March 04

Posted 20 April 2006 - 12:28 PM

The rootkit is 200 MB big because it includes MSN Messenger and Media Player 12 and of course IE 10 :P
This news is old, but not old enough that anyone should forget it.
If we compare VMware's size and the size of the rootkit, we could be sure that the rootkit's size could also be 15 MB, and 15 MB with ADSL takes some minutes.

#13 sarkar112

  • Sergeant First Class
  • Group: Specialist
  • Posts: 340
  • Joined: 26-November 05

Posted 20 April 2006 - 12:33 PM

satknis, on Apr 20 2006, 04:28 PM, said:

The rootkit is 200 MB big because it includes MSN Messenger and Media Player 12 and of course IE 10 :P
This news is old, but not old enough that anyone should forget it.
If we compare VMware's size and the size of the rootkit, we could be sure that the rootkit's size could also be 15 MB, and 15 MB with ADSL takes some minutes.

But if you compare it to VMware (Player/Server) and an average existing virtual machine, it'll probably be about 200 MB, but you can compress it.
"The quieter you become, the more you can hear." -Baba Ram Dass
PGP: 0x6C767D75
