

Forged memory fools antimalware: A new development in rootkits - misham
http://www.techrepublic.com/blog/security/forged-memory-fools-antimalware-a-new-development-in-rootkits/5443

======
tptacek
This does not look like a new development in rootkits. If I understand the
article's summary: there's a rootkit that sets a hardware breakpoint on the
memory it overwrote in the kernel, and checks to see whether accesses are
normal or abnormal; for abnormal accesses, it subs in a fake value for the
contents of that range of memory.

If you want to see where the state of the art in rootkits was in 2007(!),
read:

http://i.i.com.com/cnwk.1d/i/z/200701/bh-dc-07-Rutkowska-ppt.pdf

...noting that this is Joanna Rutkowska explaining how to reprogram MMUs (here
with MMIO remapping) to defeat _hardware DMA memory forensics_.

~~~
pixdamix
Due to the lovely fact, if I recall correctly, that there are two TLBs [1],
one for instructions and one for data. So you can subvert one or the other in
order to execute a hidden payload.

If you read the data you think you'll execute, you will be fooled. [2] This is
a pretty nice trick.

[1]: http://en.wikipedia.org/wiki/Translation_lookaside_buffer#Overview

[2]: http://uninformed.org/index.cgi?v=6&a=1&p=21

------
jevinskie
Once your trusted space is compromised (the kernel space in this case), trying
to detect or fix the compromise from that same space turns into a game of Core
War: <http://en.wikipedia.org/wiki/Core_War>

Scanning for rootkits from a hypervisor would solve this problem... as long as
your hypervisor isn't compromised itself!

~~~
tptacek
This is indeed the direction the industry seems to be heading: extremely
lightweight sidecar security hypervisors.

