
Malicious hypervisor 🔴 Attack

A malicious hypervisor, also known as a virtual-machine based rootkit (VMBR) or hypervisor rootkit, is a type of malicious software that attacks the virtualisation layer of a computer system.

🟩 What is a hypervisor?

A hypervisor is software that allows several operating systems (virtual machines or VMs) to run simultaneously on a single physical computer.

It manages and allocates hardware resources (processor, memory, storage) between these virtual machines.

😑 What is a malicious hypervisor?

A malicious hypervisor inserts itself under the host operating system or even under the legitimate hypervisor, making it extremely difficult to detect.

It takes control of the virtualisation layer, which enables it to:

  • Spy on and manipulate all the activities of the virtual machines.
  • Steal sensitive information.
  • Modify or destroy data.
  • Launch attacks against other systems.
  • Remain undetected by conventional antivirus software.

💥 Characteristics and dangers

  • Stealth: malicious hypervisors are designed to be stealthy and difficult to detect, because they operate at a lower level than the operating systems they host.
  • Total control: they can take complete control of the computer, allowing them to manipulate every aspect of the system.
  • Persistence: they may persist even after the computer has been restarted or the operating system reinstalled.
  • Targeted attacks: they are often used in targeted attacks against high-value organisations or individuals.