Blue Pill Project extends VM rootkit cat-and-mouse tussle

Summary: The intellectual cat-and-mouse tussle over hiding and finding virtual machine rootkits has hit a new gear with a team of researchers dismissing the notion of "100 percent undetectable" malware and the release of source code for a new "Blue Pill" rootkit.

LAS VEGAS - The intellectual cat-and-mouse tussle over hiding and finding virtual machine rootkits has hit a new gear with a team of researchers dismissing the notion of "100 percent undetectable" malware and the release of source code for a new "Blue Pill" rootkit.

As previously reported, Thomas Ptacek, co-founder of Matasano Security, Nate Lawson of Root Labs, Symantec’s Peter Ferrie and indie researcher Dino Dai Zovi gave a standing-room-only presentation with a compelling argument that virtualized rootkits are easier to detect than normal rootkits.

"Nothing is undetectable," Lawson said, repeating his earlier contention that there are numerous techniques that can be used to sniff out the presence of a virtualized rootkit.

The research team plans to release a VM rootkit detection platform called Samara to help advance the research around this topic. "It's a constant cycle," Lawson said of the cat-and-mouse research. "They [the attackers] can find ways around our detector but we can also find new ways to find the rootkit. It repeats in a big cycle," he added.

Later in the day, stealth malware guru Joanna Rutkowska pushed the envelope even more (.ppt file), arguing that VM rootkit detectors can be cheated and insisting that there is a legitimate threat to general purpose operating systems.

"We believe it's not possible to implement effective kernel protection on general purpose operating systems based on a microkernel architecture," Rutkowska said, stressing that SVM detection should not be considered the same as Blue Pill detection. "Most of the SVM detection approaches can be defeated," she said.

Rutkowska also launched a Blue Pill Project with source code for a new, rewritten Blue Pill rootkit.

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...