APT - detect malicious hypervisor - two software options
We (www.rubos.com) currently provide two versions of freeware capable of detecting a Malicious Hypervisor (MH) APT. The first version is for users who want our help if an MH is detected. In that case we need the detection software's report on our site. The URL is www.rubos.com/files/HyperCatcher4-3.ico. We can then check the report and discuss the user's options. The second version addresses the concern of complete anonymity: the software does not send any report to our site, and you are on your own. The URL is www.rubos.com/files/HyperCatcher4-4nr.iso
MH versions do exist in the wild. The user cannot see one because it is silent (less than 1% of CPU utilization) and hidden below your hypervisor or OS. One can only see a badly designed instance or a version still in development. One poorly designed case was reported to us a few weeks ago. The user had been fighting the malware for more than a year and was not able to eliminate it. It appeared to be a primitive design in which the MH resides as a rootkit inside the user's OS while at the same time possibly trying to virtualize it, or at least to create guests. One thing was clear: the boot process had been modified, because our detection software was crashing while booting. It is known that a poorly designed MH cannot handle an additional OS booting or further virtualization, i.e. nested hypervisors.
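As an added illustration of why a silent, well-hidden hypervisor is hard to spot from inside the guest, the following C program (written for this page, not part of HyperCatcher or any rubos.com code) runs the two cheapest first-pass checks a defender has on x86: the CPUID hypervisor-present bit plus vendor leaf, which a stealthy hypervisor can simply mask, and the minimum cycle cost of a CPUID instruction, which always traps to a hypervisor and is therefore harder to hide. It assumes an x86/x86-64 build with GCC or Clang headers (`cpuid.h`, `x86intrin.h`); the latency threshold is platform dependent and is left to the reader rather than hard-coded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

/* Result of the CPUID-based check. A stealthy hypervisor can clear the
 * hypervisor-present bit and hide the vendor leaf, so "not present" is
 * not proof of absence; it is only the cheapest first check. */
struct hv_info {
    int present;        /* CPUID.1:ECX bit 31 */
    char vendor[13];    /* CPUID.0x40000000 EBX,ECX,EDX as text, or "" */
};

struct hv_info query_hypervisor(void) {
    struct hv_info info;
    memset(&info, 0, sizeof info);
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        info.present = (ecx >> 31) & 1;
    if (info.present) {
        /* Leaf 0x40000000 is reserved for the hypervisor vendor id.
         * __get_cpuid() refuses leaves above the basic maximum, so the
         * raw __cpuid macro is used here. */
        __cpuid(0x40000000, eax, ebx, ecx, edx);
        memcpy(info.vendor, &ebx, 4);
        memcpy(info.vendor + 4, &ecx, 4);
        memcpy(info.vendor + 8, &edx, 4);
        info.vendor[12] = '\0';
    }
#endif
    return info;
}

/* Sanity rule for the result: with no hypervisor bit set, no vendor
 * string was read. (Vendor strings may legitimately be shorter than 12
 * bytes, e.g. KVM pads with NULs, so their length is not checked.) */
int hv_info_is_consistent(const struct hv_info *info) {
    return info->present || info->vendor[0] == '\0';
}

/* Minimum TSC cycles for one CPUID over `samples` runs. The minimum is
 * robust against interrupts. Bare metal typically costs a few hundred
 * cycles; a VM exit adds well over a thousand, though exact numbers vary
 * by CPU, so the caller compares against a baseline measured on known
 * bare metal rather than a fixed constant. Returns 0 when it cannot
 * measure (non-x86 build or samples <= 0). */
uint64_t cpuid_min_cycles(int samples) {
    uint64_t best = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        uint64_t dt = t1 - t0;
        if (best == 0 || dt < best)
            best = dt;
    }
#else
    (void)samples;
#endif
    return best;
}

int main(void) {
    struct hv_info info = query_hypervisor();
    printf("hypervisor bit: %d\n", info.present);
    printf("vendor leaf   : \"%s\"\n", info.vendor);
    printf("min CPUID cost: %llu cycles (compare with a bare-metal baseline)\n",
           (unsigned long long)cpuid_min_cycles(200));
    return 0;
}
```

Both signals are indicative, not conclusive: the bit and vendor leaf are under the hypervisor's control, and the timing check can be defeated by a hypervisor that adjusts the TSC on exit. That is exactly why a hidden MH with under 1% CPU cost is difficult to confirm from inside, and why out-of-band methods such as booting separate detection media are used instead.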
If you see that your system's behavior has changed in a strange way and you cannot find any malware after a few days' effort, try running our MH detection software. We generally recommend testing all of your organization's servers (and HTTP system management interfaces in particular), especially if you are on a high-risk list and likely hold very valuable information. The states hunting for such information are well known.