Intel goes virtual to root out rootkits

Intel bought McAfee so it could bring antivirus and intrusion detection closer to the chip, and with DeepSafe – a technology that CEO Paul Otellini previewed at Intel Developer Forum in San Francisco this week – the company will be making good on that promise. DeepSafe will put some of the antivirus code underneath the …

COMMENTS

This topic is closed for new posts.
  1. Ken Hagan

    Here we go again

    If virtualisation was the answer, malware would have been killed off when PC operating systems started using protected mode to confine apps within user space. Experimentally, this does not appear to have been the case.

    Expect a new generation of "virtual rootkit" to appear in a year or so's time.

    1. Paul 129

      That will be fun

      A vector that (if they don't design it correctly) could allow the rootkit to be undetectable to all OSes installed later, on supposedly bare metal. Now who would benefit from that: crooks, spies, OS vendors with few scruples.

      Could we be on the brink of one of the most momentous shoot-self-in-foot moments in IT history? Oops, let me correct that: shoot end user.

      Ohhh now I get it.

    2. BrentRBrian

      ... Here we go again

      They don't get it ... unless they get "lower than the BIOS" and STAY THAT WAY they are just wasting time.

    3. Muhammad Imran/mi1400

      No macho DeepSafe ... It's two orphans to get rid of ... MeeGo and $7.7-bn McAfee

      This is no macho DeepSafe Mumbo Jumbo

      It's two orphans to get rid of ... MeeGo and $7.7-bn McAfee

      When people were just not getting out of the narrow thinking that McAfee was for Intel CPUs, I kept shouting that McAfee was for MeeGo, cuz most viruses are x86 native. Android, though x86 compatible, is running only on Intel-TV x86 hardware. So if MeeGo ran on x86-Atom smartphones, x86 viruses would bleed it like a slaughtered pig. Now Intel has two products to get rid of ... MeeGo and $7.7-bn McAfee. This DeepSafe Mumbo Jumbo is to keep ppl's attention away... and btw how will this macho hardwired DeepSafe keep pace to identify ever new arriving threats/definitions !?!

      Muhammad Imran/mi1400

  2. Anonymous Coward

    Embed DeepSafe within KVM ?

    1 - How in this world ?

    2 - What for ?

    Sorry for you, Intel guys, but there is a limit on what you can do with those damn herbs.

  3. Anonymous Coward

    Anti-competitive?

    > "DeepSafe will be the foundation of a number of different enterprise security products that the McAfee unit will roll out"

    I may be missing a point here, but at first glance it seems that to get maximum benefit from the DeepSafe protection, a user would need to run the McAfee security / AV / whatever / software, thereby excluding other AV vendors?

    1. E 2

      Thus

      McAfee bloatware would infect my machine from the firmware up, not merely from Windows registry on up.

      I suppose I'll be learning all about EFI scripting and programming and runlevels.

      Not that I *want* to.

      I cannot understand why Intel would give a damn about this kind of security - Intel makes processors... other people (mebbe that Blue Pill lady) can come up with better virt sol'ns than spamming McAfee into the firmware.

  4. Anonymous Coward

    "1,200 new rootkits per day"

    WTF?

    1. Anonymous Coward

      I think that's rooted machines

      Not new rootkits.

      Although, technically a BIOS is a rootkit, isn't it?

      1. E 2

        No

        BIOS is pretty hard to program. (U)EFI however is programmable in C using widely available docs and static link libraries. So Intel sees a way to save us from its processors, whose (U)EFI legs are spread wide, inviting penetration.

        I worked on DEC Alpha boxes once. They had a 'BIOS' with capabilities exceeding (U)EFI. But not just anyone could slip into it; it was held under some protection.

    2. Ralthor

      I thought the same. Perhaps they meant to say 1200 new rootkit infections per day.

  5. JeffyPooh

    Oh great...

    ...now my next Intel CPU is going to start 'shaking me down' for $60 a year in 'protection money'.

  6. E 2

    50/50

    If I can go into the BIOS or (U)EFI and enable or disable this, then I guess I don't mind. But really... you know... whatever.

  7. davcefai

    Linux?

    How about non-Windows users? Will this adversely affect our systems (speed, stability.....)?

  8. Tom Chiverton 1

    Did you take the red or blue pill?

    But how will this magic software know it's not already running atop a compromised machine, and is in fact on the bare metal as the first 'visor in the stack? And why won't the same 'force self to the bottom' technique work for malware?

    QubesOS has a much better approach...

  9. terovn

    This has potential

    Intel just wants to sell more new chips.

    But this does give users hope of better security, if done right. If they manage to keep the hypervisor tiny it will be much more difficult to attack, just as it would be more difficult to find a vulnerability in a Hello World program compared to Flash.

    Some related research if you are interested:

    - http://www.eecs.umich.edu/virtual/papers/king06.pdf: first idea of crafting a virtualized rootkit

    - http://en.wikipedia.org/wiki/Blue_Pill_(malware): implementation of the idea

    - http://sourceforge.net/projects/mavmm/: tiny VMM that remains hidden from malware running above it
