GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been researching exploits beyond Ring 0 for some years. Joanna is best known for the BluePill virtualization attack (Ring -1), and in this interview she talks a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's interesting is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased protection over the quite-reasonable setup I already deployed with the help of virtualization." She runs three separate virtual machines, named Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
Read more of this story at Slashdot.
More: Brought to my attention by Mark.