A quick update to the challenge handed down to hacker Joanna Rutkowska to prove that her Blue Pill technology creates "100% undetectable malware."
Rutkowska says she is "ready to accept" the challenge but wants her two-person team to be paid $384,000 ($200/hr each for two people working full-time for six months), a demand that has dashed all hopes for a hacker face-off at Black Hat this year.
Rutkowska's response, detailed in a blog entry, sets the following ground rules:
- The challengers cannot intentionally crash or halt the machine during detection scanning.
- The detection software cannot consume more than 90% of the CPU for more than a second.
- Instead of two laptops, she wants to use five laptops to avoid 50-50 guesswork.
- The source code to the rootkit and detector must be publicly released after the contest ends.
- Payment of $384,000 to turn the Blue Pill prototype into a commercial-grade rootkit.
The challengers say they are willing to agree to the first four demands from Rutkowska, but the idea of paying $384,000 makes it a no-go.
Matasano's Thomas Ptacek, a member of the challenge team, provides this apt response:
Why would we pay you $384,000 to buy a rootkit we already know we can detect?
Nate Lawson of Root Labs, who insists that malicious hypervisors are easier to detect than normal rootkits, also dismisses the idea of paying a challenge fee:
She claims she has put four person-months work into the current Blue Pill and it would require twelve more person-months for her to be confident she could win the challenge. Additionally, she has all the experience of developing Blue Pill for the entire previous year.
We’ve put about one person-month into our detector software and have not been paid a cent to work on it. However, we’re confident even this minimal detector can succeed, hence the challenge. Our Blackhat talk will describe the fundamental principles that give the detector the advantage.
If Joanna’s time estimate is correct, it’s about 16 times harder to build a hypervisor rootkit than to detect it. I’d say that supports our findings.
Errata Security co-founder Robert Graham has an entirely different take on the public challenge, arguing that it's not a good-faith bet because Rutkowska has already conceded that Blue Pill can be detected in a laboratory setting.
What would a good-faith bet be? They should publish a hypervisor detection tool on their website, then challenge Joanna to create a hypervisor that evades it. They should challenge the rest of us to install it on our machines to prove that it is robust and doesn't cause problems (like slowing our machines down). Better yet, they should provide source for their tool with BSD licensing so that anti-virus vendors can include it with their offerings.