Rutkowska faces '100% undetectable malware' challenge

Rutkowska faces '100% undetectable malware' challenge

Summary: At last year's Black Hat security conference, stealth malware researcher Joanna Rutkowska caused a stir with the introduction of Blue Pill, a new technology she claims can create malware that remains "100 percent undetectable."This year, a group of her peers will challenge Rutkowska to prove it, arguing that a 100% undetectable rootkit is absolutely impossible.

SHARE:

At last year's Black Hat security conference, stealth malware researcher Joanna Rutkowska caused a stir with the introduction of Blue Pill, a new technology she claims can create malware that remains "100 percent undetectable."

Rutkowska faces ‘100% undetectable malware’ challengeThis year, a group of her peers will challenge Rutkowska to prove it, arguing that a 100% undetectable rootkit is absolutely impossible.

The challenge is being laid out by Thomas Ptacek (left), co-founder of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie -- three high-profile researchers out to prove that virtual machine rootkits (malicious hypervisors) are actually easier to detect than normal rootkits.

The challenge will closely resemble the CanSecWest MacBook takeover contest won by Dino Dai Zovi -- two untouched laptops of the make/model of Rutkowska's choosing will be provided for her to plant Blue Pill on one.

"She picks one in secret, installs her kit, sets them up however she wants," Lawson explained in anRutkowska faces '100% undetectable malware' challenge interview. "We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop."

Lawson said there are no fine-print or caveats. "Our goal is to make the ground rules as simple as possible and in Rutkowska's (right) favor as much as possible, given that we think a 100% undetectable rootkit is impossible," he declared.

"If she has any particular requests, we'll almost certainly grant them," he added.

Lawson, who previously worked at Cryptography Research where he co-designed the Blu-ray content protection layer (BD+) , is adamant that hypervisor rootkits like Blue Pill and Dai Zovi's Vitriol can only infect a machine in two ways.

[ SEE: Rutkowska launches Invisible Things Labs ]

The first path is for the attacker to try to leave as much as possible unmodified, which is a non-starter. "For example, not virtualizing the CPU clock cycle counter (TSC) means the detector can see the stolen cycles that the rootkit uses," Lawson argues.

The second path, which is used by Rutkowka, is to try to hook everything and emulate it perfectly. This, the three researchers will argue at Black Hat, is simply not feasible.

Lawson's argument:

To perfectly emulate the unmodified system, the rootkit must emulate by not only "fixing up" values like the TSC, but it must fully support all functionality of the unmodified system, including all bugs and performance.

For example, if the system supports VT virtualization, the rootkit must implement this also. That means the OS needs to be able to launch its own hypervisor even though the rootkit is already running as a hypervisor.

Even if all that is accomplished perfectly, Lawson says the rootkit author faces the impossible task of needing to emulate all bugs and quirks of the original system.

[ SEE: Hardware-based rootkit detection proven unreliable ]

"The crux of the matter is that a perfect emulator of any sufficiently complex system would have to be a bug-free program, and we don't know how to write those yet," he argued. "The important thing to consider when writing a rootkit is what layer to implement it at. Joanna chose "entire x86 PC", which we argue is too big a cross-section."

Matasano's Ptacek, who has spent a lot of time studying Rutkowska's work, said the challenge team will compare the behavior of the system to known norms to find the presence of Blue Pill.

Earlier this year, Rutkowska presented new research at Black Hat DC to show how physical memory acquisition can be cheated to avoid rootkit detection. She demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU.

This is believed to be an advancement of the Blue Pill concept but Lawson thinks this simply increases the rootkit's surface area and makes it easier to detect.

"I think the best rootkit is the simplest," Lawson added.

I e-mailed Rutkowska for a comment and will update this entry as necessary. Rutkowska has responded with a list of ground rules, including a financial demand that has scuttled any plans for a Black Hat face off.

Topics: Malware, Security, Virtualization

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

17 comments
Log in or register to join the discussion
  • Oh what would I do...

    She is given a choice between two identical laptops. After reading some of her research, the best way to tell would be to check the latency of the laptops and see which one lags more.

    I think that if anyone could pull it off, Joanna could. Her research is pretty sound. Plus she has the whole cute nerd girl thing going on. Hope she wins.
    nucrash
    • Got that right!

      ]:) the cute nerd girl thing!
      Linux User 147560
    • Her research is very sound, but she is overstating it

      Her research is very sound, but she is overstating it. No one should ever make the claim of "undetectable" because clearly it can be detected.
      georgeou
      • True, this would depend on the POV

        From the OS perspective, the blue pill might be extremely difficult to detect, but if you thought outside the box, or from the another computer on the network, a port sniffer should pick up the traffic headed out from the computer to where ever she should be remoting in to control the system. Unless she has some way to embed the packets so that they have a seemingly harmless outbound path. I am not even for sure where to begin on such a feat. So, undetectable might require some re-wording.

        Wow, my head is hurting from trying to even think about how this exploit would be usable without being detected.

        She could put the pill into place without it being detected, but any traffic to and from the computer surely would be picked up. Also, if she opened a port to her hypervisor, would this not be detected by something else on the network scanning for open ports?
        nucrash
    • RE: Rutkowska faces '100?0undetectable malware' challenge

      very nice. post more! <a href="http://www.discountuggs.biz">discount uggs</a>
      tank33
    • RE: Rutkowska faces '100?0undetectable malware' challenge

      Agree with you!thanks a lot <a href="http://www.watch-replica.org.uk">replica watches</a>
      tank33
    • RE: Rutkowska faces '100?0undetectable malware' challenge

      A+ post

      such a wonderful man <a href="http://www.bootoutlet.us">ugg boots outlet</a>
      tank33
    • RE: Rutkowska faces '100?0undetectable malware' challenge

      <a href="http://www.replicacool.org">mini prada</a>
      xiaodou
    • RE: Rutkowska faces '100?0undetectable malware' challenge

      <a href="http://www.replicawatchesbest.org">cartier replica watches</a>
      xiaodou
  • I juste hope she wins... (N/T)

    /
    elinorH
  • still a 50-50 shot....

    1) Turn off VT support in BIOS and protect with PW
    2) Encrypt the HD
    3) Set-up account without Admin privs

    Now get Blue pill on one of 5 boxes.

    Then run Blue pill detection.

    Reducing random luck to less than 50-50 shot makes this a tad more interesting.
    p_user_001
    • They need their own Red Pill

      Joanna was working on a Red Pill to exploit the Blue Pill.

      The reason for the colouration is the relationship to the Matrix. Blue pill is the wool pulled over the user's eyes to make them believe that everything is OK, while the Red Pill exposes the user to what really is going on in the world. If they are going to pull this off, they need to be able to underscore the virtualzation technology that she intends to use to create the Windows Vista VM. Hijack the Hijacker so to speak.

      I can't remember exactly how the blue pill worked, but something of a buffer overflow.
      nucrash
  • Message has been deleted.

    Protector
  • Geek Magnet

    Attractive technical chicks can have their pick of nerds and geeks: male, female or both, however she is so inclined. So, I doubt she'd be flattered to know that you'd "DO HER". But, then again, I don't know what YOU look like...Care to post a photo? ;-) While I may have my doubts about undetectable root kits ("unremoveable"==yes, undetectable==show me), I am hopeful that her success will result in 100 TalkBack entries before some horney geekboy reduces her to a Nexus pleasure model.
    stacylaray
    • Admire her, yes! Girl of my fantasy, No!

      Though she is attractive, she is missing some of the main traits that most geeks shoot for. Asian and Artistic are the two that come to mind the most. While some geek boys may fantisize about some girl who can pwn their PC, or pwn them at Quake 4, I personally have grown past that. While I enjoy doing things with a significant other, I play games to escape reality. Why would I want to drag a girl into that reality with me. While one girl remains so attractive in a testosterone driven, yet physically challenged industry. She cares about her self as well as her work, which is appealing. I would think of her more as the sister I never had rather than a conquest. In otherwords, I would rather knock out the guy who attacks her methods before tested rather than drool over her.

      I say more power to her.
      nucrash
      • TMI

        Please keep your Joanna fantasies to yourself. I'll bet your wankie is 100%
        undetectable.
        oofus
  • ENOUGH OF THIS ALREADY!!!^G^G^G

    Okay, every self-proclaimed security douchebag expert has weighed in on this
    issue. It's time for me to dump my load.

    This argument is nothing more than an egotistical pissing contest. Why do you
    need a big challenge for such a common sense issue? The hypervisor rootkit
    needs to understand how it's being detected in order to completely avoid
    detection. Any detection routines examining code in the same security context of
    the rootkit needs to understand the evasion techniques employed in order to
    effectively detect the kit.

    Shame on Joanna for not understanding basic security principles. ...and why the
    hell do you need $400k+ to do an implementation rather than provide a rational
    conceptual explanation?

    Shame on all these Matasano/Symantec/Root Labs retards for even wasting their
    time "challenging" Joanna.

    Shame on me for being so damn shameful.
    oofus