search for: theinvisiblethings

----- Mensagem encaminhada ---- De: Ricardo A. Reis <ricardo_bsd@yahoo.com.br> Para: security@freebsd.org Enviadas: Sexta-feira, 3 de Novembro de 2006 10:54:14 Assunto: FreeBSD and the new virtual machine-based rootkits Hi All, Recently i participated in Brazil on October 2006 The FIRST/TRANSITS and II Latin American Incident Response Conference (COLARIS). In the II COLARIS - Joanna

...he has discussed various solutions for this problem, and why she > believes they may or may not work. The one most people suggest is to > time how long it takes for various instructions to run, but this > can be > tricked by the VMM-rootkit. I'd suggest reading: > > http://theinvisiblethings.blogspot.com/2006/08/blue-pill- > detection.html One thing that leaps immediately to mind is a startup check to see if this 'dmesg.boot' differs from the previous one. Rather than overwriting the previous one, move it to a backup, create the new one, and log something if they di...