I had a chance to sit down with Polish security researcher Joanna Rutkowska of Singapore-based COSEINC after Black Hat 2006 last week, and we discussed her research on a new class of rootkit technology along with her work on bypassing the kernel-mode code-signing protection in Vista x64. Rutkowska has come up with a class of rootkit unlike anything we have seen before, one that demands an entirely different approach to rootkit detection.
Blue Pill is the name Rutkowska gave this new breed of rootkit. It takes advantage of AMD's Pacifica hardware virtualization technology, called SVM (Secure Virtual Machine), though future versions are to be ported to Intel's VT-x virtualization technology [UPDATE: Dino Dai Zovi actually independently created a VT-x based hypervisor rootkit]. The name refers to one of the two pills offered to our hero Neo in the movie "The Matrix". The blue pill washes away all desire to know the truth and would have let Neo go on with his life as Mr. Anderson, the respectable programmer living inside the virtual world of the Matrix while being exploited by the Machines. The "red pill" was the antidote that wakes someone up from the Matrix and lets them escape slavery. Blue Pill the rootkit is actually more potent than the blue pill in the movie, because the rootkit doesn't just keep you locked inside the Matrix; it reaches out and pulls you from the physical world into the virtual one.
While this isn't the first time someone has proposed a hypervisor rootkit (SubVirt, from Microsoft Research and the University of Michigan, came first), Blue Pill appears to be the first practical one by a long shot. Unlike SubVirt, which relied on commercial virtualization software such as VMware or Virtual PC, Blue Pill uses hardware virtualization and lets the OS keep talking directly to the hardware. Commercial virtualization software has to emulate the full I/O stack, from storage to networking to video, so the swapped-in virtual device drivers would be exceedingly simple to spot. Furthermore, installing SubVirt required a fairly complex physical-to-virtual migration of the victim system.
Blue Pill, on the other hand, installs on the fly: it simply shifts the running operating system from direct control of the physical computer into a virtualized state living under the control of Blue Pill. Blue Pill then acts as an ultra-thin hypervisor that lies dormant most of the time, adding virtually zero overhead on most tasks, and waits for "interesting" events such as keyboard input. Once keyboard input is intercepted, any password typed into the computer can be keylogged with ease. Blue Pill can also interact with the network interface, though it does not attempt to virtualize the whole device the way VMware or Virtual PC do. The video and storage subsystems are untouched and talk directly to the hardware, so there is no degradation in video or storage performance. Because Blue Pill makes no modifications to the BIOS or the hard drive, and resides outside the virtual machine in which the hijacked OS now lives, it is virtually impossible to detect with conventional software methods running on the victim PC. In part 2 of this blog, I'll go more in-depth into possible Blue Pill detection methods.
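A practical first question after reading the above is whether your own hardware even offers the prerequisite: Blue Pill needs AMD SVM, and the VT-x port needs Intel VMX. The following is an added example, not code from the original post or from Rutkowska's Blue Pill, that probes those feature bits through CPUID. The struct and function names are my own. It also reads the "hypervisor present" bit that cooperative hypervisors set; note the caveat in the comments, since a hypervisor that intercepts CPUID, as SVM and VT-x both allow, can report whatever it likes in that field.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Result of probing the CPU's virtualization features via CPUID.
 * Field and struct names are this example's own, not Blue Pill's. */
struct vt_caps {
    int probed;       /* 1 if CPUID was actually executed (x86 build), else 0 */
    int amd_svm;      /* CPUID.80000001h:ECX bit 2 : AMD-V / Pacifica SVM    */
    int intel_vmx;    /* CPUID.1:ECX bit 5         : Intel VT-x / VMX         */
    int hv_present;   /* CPUID.1:ECX bit 31        : hypervisor-present flag  */
    char vendor[13];  /* vendor string from leaf 0, NUL-terminated            */
};

struct vt_caps probe_vt_caps(void)
{
    struct vt_caps c;
    memset(&c, 0, sizeof c);
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;

    /* Leaf 0: highest basic leaf in EAX, vendor string in EBX, EDX, ECX. */
    if (__get_cpuid(0, &eax, &ebx, &ecx, &edx)) {
        unsigned int max_basic = eax;
        memcpy(c.vendor + 0, &ebx, 4);
        memcpy(c.vendor + 4, &edx, 4);
        memcpy(c.vendor + 8, &ecx, 4);
        c.vendor[12] = '\0';

        /* Leaf 1: feature flags. Bit 5 of ECX is VMX (Intel VT-x).
         * Bit 31 is reserved for hypervisors to announce themselves; a
         * cooperative hypervisor sets it, but a rootkit hypervisor that
         * intercepts CPUID can simply clear it, so 0 here proves nothing. */
        if (max_basic >= 1 && __get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
            c.intel_vmx  = (ecx >> 5) & 1u;
            c.hv_present = (ecx >> 31) & 1u;
        }
    }

    /* Extended leaf 80000001h: bit 2 of ECX is SVM (AMD-V). */
    if (__get_cpuid(0x80000000u, &eax, &ebx, &ecx, &edx)) {
        unsigned int max_ext = eax;
        if (max_ext >= 0x80000001u &&
            __get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx)) {
            c.amd_svm = (ecx >> 2) & 1u;
        }
    }
    c.probed = 1;
#endif
    return c;
}

/* Convenience: does this CPU expose either hardware-virtualization
 * extension that a Blue Pill style hypervisor would need? */
int hw_virt_available(const struct vt_caps *c)
{
    return c->probed && (c->amd_svm || c->intel_vmx);
}

int main(void)
{
    struct vt_caps c = probe_vt_caps();
    if (!c.probed) {
        puts("not an x86 build; CPUID not executed");
        return 0;
    }
    printf("vendor:          %s\n", c.vendor);
    printf("AMD SVM:         %d\n", c.amd_svm);
    printf("Intel VMX:       %d\n", c.intel_vmx);
    printf("hypervisor bit:  %d (untrustworthy against a hostile hypervisor)\n",
           c.hv_present);
    printf("hw virt usable:  %d\n", hw_virt_available(&c));
    return 0;
}
```

Two caveats on reading the output. First, the SVM bit only says the silicon supports it; whether SVM is actually enabled is governed by the SVMDIS bit of the VM_CR MSR (reading an MSR needs ring 0, so that check belongs in a kernel driver, not here). Second, if you are already inside a guest, these bits reflect what the hypervisor chose to expose, which is exactly the point the post makes about trusting in-guest software.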
While skipping the hard drive install is an upside for stealth, the downside of course is that Blue Pill does not survive a reboot. But servers really don't reboot all that much, and even when they do, the damage has already been done: the password has probably already been logged from the keyboard. Once the password is known, the attacker can likely get back into the network and simply reinstall Blue Pill on the fly. Furthermore, Rutkowska is also working on emulated shutdowns and reboots. If she succeeds, it will leave you wondering whether you really did reboot or whether Blue Pill merely staged the restart for you. For those of us who are paranoid, you might want to start thinking about yanking the power cord during reboots.