The world of malware could be turned upon its head if the Blue Pill virtualization based rootkit due to be demonstrated at the SyScan 06 Conference, Singapore, in a couple of weeks proves as undetectable as the security researcher who has created it claims.
Joanna Rutkowska is a stealth malware researcher with a Singapore-based IT security business, and specializes in rootkit technology. Using AMD's SVM/Pacifica virtualization technology, she has created a working prototype that not only takes complete control of the underlying operating system but also, she claims, remains 100% undetectable while doing so. The demonstration will be on the Vista x64 platform, and it is sure to cause embarrassment to Microsoft when it is repeated at the Las Vegas Black Hat Briefings on August 3rd: the same day that Microsoft is scheduled to brief the world about core Vista security functionality.
Do not think it is just another Windows problem either: Rutkowska claims that, while the prototype has been written to run under Vista x64, there is no reason why she should not be able to port it to any other x64 platform, such as BSD or Linux.
Now you may be forgiven for thinking that this is nothing new; after all, did not Microsoft Research itself (in conjunction with the University of Michigan) already make a big fuss about the VM-based SubVirt rootkit? Forgiven but incorrect, sorry. Blue Pill is something very different: while SubVirt is ‘nearly impossible’ to detect, Rutkowska claims her creation is absolutely, no questions asked, completely impossible to detect. Unless, of course, Pacifica itself is buggy, which might enable some kind of generic detection routine to be written. Like its namesake in the movie, Blue Pill is ‘swallowed’ on the fly by your OS, which then awakes within the ‘Matrix’ under the direct control of the ultra-thin hypervisor Rutkowska has developed. Unlike SubVirt it also survives restarts, so it is permanent, and every IT security consultant’s worst nightmare.
Just to confirm that statement, in her Blue Pill blog posting Rutkowska concludes: “Also, I will present a generic method (i.e. not relying on any implementation bug) of how to insert arbitrary code into the Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally signed code to be loaded into kernel. Of course, the presented attack does not require system reboot.”