Blue Pill hacker challenge update: It's a no-go

Blue Pill hacker challenge update: It's a no-go

Summary: Rutkowska says she is "ready to accept" the challenge but wants her two-person team to be paid $384,000 ($200 a day each for two people working full-time for six months), a demand that has dashed all hopes for a hacker face off at Black Hat this year.

TOPICS: Security

ItÂ’s a no-goA quick update to the challenge handed down to hacker Joanna Rutkowska to prove that her Blue Pill technology creates "100% undetectable malware."

Rutkowska says she is "ready to accept" the challenge but wants her two-person team to be paid $384,000 ($200/hr a day each for two people working full-time for six months), a demand that has dashed all hopes for a hacker face off at Black Hat this year.

Rutkowska's response, detailed in a blog entry, sets the following ground rules:

  • The challengers cannot intentionally crash or halt the machine during detection scanning.
  • The detection software cannot consume more than 90% of the CPU for more than a second.
  • Instead of two laptops, she wants to use five laptops to avoid 50-50 guesswork.
  • The source code to the rootkit and detector must be publicly released after the contest ends.
  • Payment of $384,000 to turn the Blue Pill prototype into a commercial-grade rootkits.

The challengers say they are willing to agree to the first four demands from Rutkowska but the idea of paying $384,000 makes it a no-go.

Matasano's Thomas Ptacek, a member of the challenge team, provides this apt response:

Why would we pay you $384,000 to buy a rootkit we already know we can detect?

Nate Lawson of Root Labs, who insists that malicious hypervisors are easier to detect than normal rootkits, also dismisses the idea of paying a challenge fee:

She claims she has put four person-months work into the current Blue Pill and it would require twelve more person-months for her to be confident she could win the challenge. Additionally, she has all the experience of developing Blue Pill for the entire previous year.

We’ve put about one person-month into our detector software and have not been paid a cent to work on it. However, we’re confident even this minimal detector can succeed, hence the challenge. Our Blackhat talk will describe the fundamental principles that give the detector the advantage.

If Joanna’s time estimate is correct, it’s about 16 times harder to build a hypervisor rootkit than to detect it. I’d say that supports our findings.

Errata Security co-founder Robert Graham has an entirely different take on the public challenge, arguing that it's not a good-faith bet because Rutkowka has already conceded that Blue Pill can be detected in a laboratory setting.

What would a good-faith bet be? They should publish a hypervisor detection tool on their website, then challenge Joanna to create a hypervisor that evades it. They should challenge the rest of us to install it on our machines to prove that it is robust and doesn't cause problems (like slowing our machines down). Better yet, they should provide source for their tool with BSD licensing so that anti-virus vendors can include it with their offerings.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • $200 an HOUR, not a day....

    Rutkowska says she is ?ready to accept? the challenge but wants her two-person team to be paid $384,000 ($200 a day each for two people working full-time for six months)

    Someone needs a new calculator :-0

    $200day x 2people x5days x26weeks = $52,000

    $200hour x 7.5hours x 2people x 5days x 26weeks = $390,000

    It is worth $200 a day, but not $200 an hour.
    • Typo, fixed

      Thanks for spotting that. Fixed.

      Ryan Naraine
  • Why not make it interesting...

    $384,000 if her rootkit is really undetectable after six months work. $0 if they detect it.
    • Or...

      They miss, they pay. If they detect it, she pays. Remember, "100 percent undetectable" are her words.

      Ryan Naraine
      • haha nice...

        yea she wont do that. But its a good idea!

        Kind of a "put your money where your mouth is" thing.
      • But remember, 100% undetectable

        She has a reason for putting up limits on the contest. Any good coder would know why. She doesn't want the detectors to show a difference between the actual clock speed of the system would be the reason to prevent the detector from pegging the CPU.

        The other stipulations are there for similar reasons. 100% undetectable would be true if not for those stipulations, but when she hinders your efforts of detection, she eliminates the 100% undetectability of the pill as null and void.
      • And She wants to be paid . . .

        to develop something we [b]don't[/b] want?
      • RE: Blue Pill hacker challenge update: It's a no-go

        I think Joanna is right and she would win. How to proove it? Let me see. OK. It is not a Blue Pill but the idea is the same. Lets check this out:
        1. Install e.g. Windows XP on some real machine.
        2. Install some rootkit on the same machine.
        3. Install VMware and create virtual machine.
        4. Inside virtual machine install new, clean Windows XP and as many rootkit detectors as you wish.
        5. Using these rootkit detectors try to detect the rootkit installed on host (real) machine.

        Do you really believe you will manage to do that. I do not think so.

        Good Luck! :)
  • 50 cents would cover the payment.

    Thats about all a 45 round costs.
    • LMAO!!!!

      Hallowed are the Ori
  • No such thing as undetectable.

    Or indestructible, bulletproof, leakproof and complete interchangeability. By demanding a high fee for the test prevents her from eating her own dog food. This was a publicity stunt to get some ad time out there free of cost thru the press for her startup. There were no blue pills or red pills. Just a lot of green pills.
  • Shame...

    I was looking forward to the contest.

    Can't imagine anyone wanting to pay that amount of money to watch her lose...
  • Maybe she should

    just stay off all colors of pills. She's already proven she totally gutless.