Jul 3rd, 2006, 11:54 am
The world of malware could be turned on its head if the Blue Pill virtualization-based rootkit, due to be demonstrated at the SyScan '06 conference in Singapore in a couple of weeks, proves as undetectable as the security researcher who created it claims.
Joanna Rutkowska is a stealth malware researcher with a Singapore-based IT security business and specializes in rootkit technology. Using AMD's SVM (Pacifica) virtualization extensions, she has built a working prototype that slips a thin hypervisor underneath the running operating system, taking complete control of it while, she claims, remaining undetectable from inside. The demonstration will be on the Vista x64 platform, which is sure to embarrass Microsoft when it is repeated at the Black Hat Briefings in Las Vegas on August 3rd: the same day Microsoft is scheduled to brief the world on Vista's core security functionality.
Do not think it is just another Windows problem, either. Rutkowska says that while the prototype was written for Vista x64, there is no reason it could not be ported to any other x64 operating system such as BSD or Linux, since the technique relies on the processor's virtualization extensions rather than on any Windows-specific flaw.
Now you may be forgiven for thinking this is nothing new: did Microsoft Research (together with the University of Michigan) not already make a big fuss about the VM-based SubVirt rootkit? Forgiven, but incorrect. Blue Pill is something quite different. SubVirt was described as 'nearly impossible' to detect; Rutkowska claims her creation is, no questions asked, completely undetectable. The one caveat she allows is that Pacifica itself might be buggy, and a hardware bug could give defenders a hook for some kind of generic detection routine. Like its namesake in the movie, Blue Pill is 'swallowed' by your OS on the fly, and the OS wakes up inside the 'Matrix' under the direct control of the ultra-thin hypervisor Rutkowska has developed. Unlike SubVirt, which has to alter the boot sequence and only takes hold on the next restart, Blue Pill is installed into the live system with no reboot at all, which makes it every IT security consultant's worst nightmare.
Underlining the point, Rutkowska's Blue Pill blog posting concludes: "Also, I will present a generic method (i.e. not relying on any implementation bug) of how to insert arbitrary code into the Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally signed code to be loaded into kernel. Of course, the presented attack does not require system reboot."
This blog entry was written by Davey Winder, staff writer aka happygeek. It was promoted to featured status Jul 3rd, 2006.