All about TPM Chip in Windows 8 – Microsoft is Many Years Late

What is the TPM Chip?

  • Microsoft released Windows 8, and with it came the Trusted Platform Module (TPM chip), a chip that the operating system can recognize and use to verify the operating system and its modules. This provides even better security, so that Windows can only be installed on hardware that is verified through the TPM chip.
  • Now, it is unclear whether or not it will be required for Windows 8; however, it is in testing mode at this point. In future versions of Windows, it will probably be required. That also makes things difficult for those using Windows on a virtual machine, and will probably require people to acquire a specific compatibility license to run Windows on a virtual machine, or dual boot with a Mac-based computer.
  • Confused yet? Apple was one of the first, if not the first, to introduce an OEM chip, which people were required to have if they wanted to run Mac operating systems. That meant, for example, that Mac OS X couldn’t be installed onto a normal computer; it had to be on “Mac-branded hardware”, as they state in their terms of use for Mac OS X.
  • What does this bring to the security of operating systems necessarily? It provides very low level security, and will be just another possibility to block bootkit attackers and other boot-based viruses/rootkits.
  • Some experts say that TPM will probably be included in new PCs, tablets, and other Windows-branded devices. There’s no current way to just “install it”; however, Windows 8 is engineered to be able to recognize the TPM chip.
  • When did this idea come about? Probably in the late 1990s, because security experts were realizing that software antivirus/firewall protection was not strong enough to block the threats. It would take more than just software-based protection programs.
  • What other implementations (other than Apple’s chip) are in place? The Google Chromebook is a good example of implementation, because when it boots, the TPM chip in it checks the modules on the system. If one is bad, it automatically replaces it with its “last known good module” (from its library of last known good modules), keeping itself protected.
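A simplified model of the check-and-replace boot described in the bullets above, as an added example that is not from the original post and is not Microsoft's or Google's code: each boot module is hashed into a TPM-style register, and a module whose digest does not match is swapped for its last known good copy. The module names, their contents, the `boot` helper and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib

def digest(blob: bytes) -> bytes:
    return hashlib.sha256(blob).digest()

def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM-style extend: new register = H(old register || H(module)).
    The register can only be extended, never set, so it records the
    whole sequence of modules that were loaded."""
    return digest(pcr + digest(blob))

def measure_chain(chain) -> bytes:
    pcr = bytes(32)  # register starts as all zeros at reset
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr

# Constructed sample data: three boot stages and their known-good copies.
ORDER = ["firmware", "bootloader", "kernel"]
KNOWN_GOOD = {"firmware": b"fw v1", "bootloader": b"loader v1", "kernel": b"kernel v1"}
MANIFEST = {name: digest(blob) for name, blob in KNOWN_GOOD.items()}
GOOD_CHAIN = [(name, KNOWN_GOOD[name]) for name in ORDER]
EXPECTED_PCR = measure_chain(GOOD_CHAIN)
# Constructed tampered boot: the bootloader has been modified on disk.
TAMPERED_CHAIN = [("firmware", KNOWN_GOOD["firmware"]),
                  ("bootloader", b"loader v1 + injected code"),
                  ("kernel", KNOWN_GOOD["kernel"])]

def verify_and_recover(chain):
    """Compare each module with the manifest; replace any bad module with
    its last known good copy. Returns (repaired chain, replaced names)."""
    repaired, replaced = [], []
    for name, blob in chain:
        if digest(blob) != MANIFEST[name]:
            replaced.append(name)
            blob = KNOWN_GOOD[name]
        repaired.append((name, blob))
    return repaired, replaced

def boot(chain):
    """Return (trusted, replaced modules, final register value)."""
    if measure_chain(chain) == EXPECTED_PCR:
        return True, [], EXPECTED_PCR
    repaired, replaced = verify_and_recover(chain)
    pcr = measure_chain(repaired)
    return pcr == EXPECTED_PCR, replaced, pcr

if __name__ == "__main__":
    print(boot(GOOD_CHAIN)[:2])      # clean boot, nothing replaced
    print(boot(TAMPERED_CHAIN)[:2])  # tampered bootloader is swapped out
```

Because every module is folded into the same register, changing any one module, or loading the same modules in a different order, produces a different final value.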

 

For the future of TPM technology

  • It’s possible the makers of the TPM technology will work with security/OS vendors to create antivirus that can be built on top of the TPM chip, which would scan the operating system and kernel before it starts up.
  • How is this different from the boot-time scanners offered by companies like Avast, for example? Boot-time scanners offered by software companies still use Windows modules to help scan the whole computer. However, since the modules are part of the operating system, the boot-time scan cannot get deep enough into the OS kernel. Although it can scan the system before it loads services/drivers, it cannot necessarily get a good look at all of the drivers/services, or at the MBR/BIOS for that matter.
  • Allowing antivirus to scan the computer before the operating system starts at all will also keep malware from hindering or suppressing the scan.

 

This is just one of the many security features included in Windows 8. Take a look!

Running Virtual Analysis on Malware is Failing These Days

As organizations take part in the virtualization of malware testing, it is beginning to fail. The biggest issue in testing malware on virtual machines and other environments is that viruses and other malware are equipped with a component that recognizes the presence of a virtual environment. They are coded to check what environment they are running in, to help avoid being tested by analysts and researchers.

There are also ways for businesses to run virtual environments to test how a threat entered their networks, what vulnerabilities exist, etc.

Hackers and malicious code writers have many ways of evading antivirus products:

  • Encrypting the malware files (polymorphism) – example: the file download link stays the same on the website, but the server sends newly encrypted files each download instance.
  • Testing large numbers of malware files against a load of antivirus engines to find out which are detected least or not at all.
  • Packing and encrypting the malware files so they have to be unpacked by the antivirus software before it can be checked.

And many more…

Anyway, what is the learning experience here? Well for one, it is a good idea to have proper protection for your entire server network in the business (see bottom of this post). Also, if a virtual environment will not successfully test the malware, you probably should test it on a live test box (a computer specified for testing that is not connected to the business network).

 

VMware Virtualization Flaws Patched – June 18

Last week, US-CERT found a flaw in VMware: a SYSRET 64-bit operating system privilege escalation vulnerability on Intel CPU hardware.

To patch the vulnerabilities, VMware released updates for several versions:

  • VMware Workstation 8.0.4 and later
  • Player 4.0.4 and later
  • Fusion 4.x (but not the Mac version)
  • All versions of ESXi and ESX

The main flaws were:

  • Input data not validated correctly with Checkpoint files, which means a specially crafted Checkpoint file can exploit the virtualization environment.
  • Traffic from remote virtual devices not being intercepted correctly. An attacker can manipulate the traffic and crash the VM.

It is recommended to immediately patch your environment: updates

Ring3 Attackers: 64-bit Privilege Escalation Vulnerability on Intel CPU Hardware

Overview

Some 64-bit operating systems and virtualization software running on Intel CPU hardware are vulnerable to a local privilege escalation attack. The vulnerability may be exploited for local privilege escalation or a guest-to-host virtual machine escape.

Description

A ring3 attacker may be able to specifically craft a stack frame to be executed by ring0 (kernel) after a general protection exception (#GP). The fault will be handled before the stack switch, which means the exception handler will be run at ring0 with an attacker’s chosen RSP causing a privilege escalation.

Find out more about this story at US-CERT: www.kb.cert.org/vuls/id/649219

 

You may want to consider purchasing Malwarebytes’ Anti-Malware to protect against these types of threats.
