Blue Pill Project extends VM rootkit cat-and-mouse tussle

LAS VEGAS - The intellectual cat-and-mouse tussle over hiding and finding virtual machine rootkits has hit a new gear with a team of researchers dismissing the notion of "100 percent undetectable" malware and the release of source code for a new "Blue Pill" rootkit.

As previously reported, Thomas Ptacek, co-founder of Matasano Security, Nate Lawson of Root Labs, Symantec’s Peter Ferrie and indie researcher Dino Dai Zovi gave a standing-room-only presentation with a compelling argument that virtualized rootkits are easier to detect than normal rootkits.

"Nothing in undetectable," Lawson said, repeating his earlier contention that there are numerous techniques that can be used to sniff out the presence of a virtualized rootkit.

[ SEE: Let users virtualize Vista because hypervisor rootkits are no threat ]

The research team plans to release a VM rootkit detection platform called Samara to help advance the research around this topic. "It's a constant cycle," Lawson said of the cat-and-mouse research. "They [the attackers] can find ways around our detector but we can also find new ways to find the rootkit. It repeats in a big cycle," he added.

Later in the day, stealth malware guru Joanna Rutkowska pushed the envelope even more (.ppt file), arguing that VM rootkit detectors can be cheated and insisting that there is a legitimate threat to general purpose operating systems.

"We believe it's not possible to implement effective kernel protection on general purpose operating systems based on a microkernel architecture," Rutkowska said, stressing that SVM detection should not be considered the same as Blue Pill detection. "Most of the SVM detection approaches can be defeated," she said.

Rutkowska also launched a Blue Pill Project with source code for a new, rewritten Blue Pill rootkit.