Blue Pill Project extends VM rootkit cat-and-mouse tussle

LAS VEGAS - The intellectual cat-and-mouse tussle over hiding and finding virtual machine rootkits has hit a new gear with a team of researchers dismissing the notion of "100 percent undetectable" malware and the release of source code for a new "Blue Pill" rootkit.

As previously reported, Thomas Ptacek, co-founder of Matasano Security, Nate Lawson of Root Labs, Symantec’s Peter Ferrie and indie researcher Dino Dai Zovi gave a standing-room-only presentation with a compelling argument that virtualized rootkits are easier to detect than normal rootkits.

"Nothing is undetectable," Lawson said, repeating his earlier contention that there are numerous techniques that can be used to sniff out the presence of a virtualized rootkit.

The research team plans to release a VM rootkit detection platform called Samara to help advance the research around this topic. "It's a constant cycle," Lawson said of the cat-and-mouse research. "They [the attackers] can find ways around our detector but we can also find new ways to find the rootkit. It repeats in a big cycle," he added.

Later in the day, stealth malware guru Joanna Rutkowska pushed the envelope even more (.ppt file), arguing that VM rootkit detectors can be cheated and insisting that there is a legitimate threat to general purpose operating systems.

"We believe it's not possible to implement effective kernel protection on general purpose operating systems based on a microkernel architecture," Rutkowska said, stressing that SVM detection should not be considered the same as Blue Pill detection. "Most of the SVM detection approaches can be defeated," she said.

Rutkowska also launched a Blue Pill Project with source code for a new, rewritten Blue Pill rootkit.

Talkback

2 comments
  • MS ?

    "systems based on a microkernel architecture"

    please explain how the pill works.
    not of this world
  • Root Kits and viruses.

    The accountability issue is not about why a person wastes their time building a bad reputation to get attention, as the peer support saying "that's great!" isn't there if the root kit harms their peers.

    The same is said about vandals who put their tags on public property that they claim with their signatures. The Mona Lisa with a tag in the middle of her blouse would be a serious loss for all art enthusiasts, so should it also be considered for computer programmers who get their work erased by a failed root-kit install that means a new video game won't be released this fall... It's about making things better for people in general that should be celebrated.

    Peace.
    vancegilbert