'Blue Pill' Prototype Creates 100% Undetectable Malware


'Blue Pill' Prototype Creates 100% Undetectable Malware

Postby bvonahsen » Thu Jun 29, 2006 4:03 pm

Wonderful, just wonderful. :(

eWeek.com: http://www.eweek.com/article2/0,1895,1983037,00.asp

'Blue Pill' Prototype Creates 100% Undetectable Malware
By Ryan Naraine
June 28, 2006

A security researcher with expertise in rootkits has built a working prototype of new technology that is capable of creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems.

Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm COSEINC, says the new Blue Pill concept uses AMD's SVM/Pacifica virtualization technology to create an ultra-thin hypervisor that takes complete control of the underlying operating system.

Rutkowska plans to discuss the idea and demonstrate a working prototype for Windows Vista x64 at the SyScan Conference in Singapore on July 21 and at the Black Hat Briefings in Las Vegas on Aug. 3.

The Black Hat presentation will occur on the same day Microsoft is scheduled to show off some of the key security features and functionality being fitted into Vista.

Rutkowska said the presentation will deal with a "generic method" of inserting arbitrary code into the Vista Beta 2 kernel (x64 edition) without relying on any implementation bug.

The technique effectively bypasses a crucial anti-rootkit policy change coming in Windows Vista that requires kernel-mode software to have a digital signature to load on x64-based systems.

The idea of a virtual machine rootkit isn't entirely new. Researchers at Microsoft Research and the University of Michigan have created a VM-based rootkit called "SubVirt" that is nearly impossible to detect because its state cannot be accessed by security software running in the target system.

Now, Rutkowska is pushing the envelope even more, arguing that the only way Blue Pill can be detected is if AMD's Pacifica technology is flawed.

"The strength of the Blue Pill is based on the SVM technology," Rutkowska explained on her Invisible Things blog. She contends that if generic detection could be written for the virtual machine technology, then Blue Pill can be detected, but it also means that Pacifica is "buggy."

"On the other hand—if you would not be able to come up with a general detection technique for SVM based virtual machine, then you should assume, that you would also not be able to detect Blue Pill," she added.

"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices," she explained.

Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying operating system. "I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform," she added.

Blue Pill is being developed exclusively for COSEINC Research and will not be available for download. However, Rutkowska said the company is planning to organize trainings about Blue Pill and other technologies where the source code would be made available.

Rutkowska has previously done work on Red Pill, which can be used to detect whether code is being executed under a VMM (virtual machine monitor) or under a real environment.
bvonahsen
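An added example, not code from the article, from Blue Pill or from Rutkowska's Red Pill, to make the "generic detection" question in the article concrete. Red Pill's original trick (reading the IDT base with SIDT and checking whether it has been relocated) catches software VMMs that move the guest's IDT; a hardware-assisted hypervisor built on SVM or VT-x leaves the guest's IDT where the guest put it, so that heuristic says nothing. The generic approach is to time an instruction the hardware forces to trap: CPUID is an unconditional VM exit under both AMD SVM and Intel VT-x, so when a hypervisor is present it costs a round trip through it. The code below times CPUID with RDTSC, subtracts a baseline run containing only the timing overhead, and flags a suspiciously large difference. The 1000-cycle margin and the 10000-round sample count are assumed heuristics, not values from the article. On a non-x86 build the measurement functions return 0 so the file still compiles.

```c
/* Timing-based check for a hardware-assisted hypervisor.
 * Added example, not Blue Pill or Red Pill code. Margin and round count are
 * assumed heuristics. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc, _mm_lfence */
#include <cpuid.h>       /* __cpuid macro (handles EBX under PIC) */
#define HAVE_X86 1
#endif

#define VMEXIT_MARGIN_CYCLES 1000ULL   /* assumed heuristic, not a measured constant */

/* Serialised timestamp read. Returns 0 on non-x86 builds so the file compiles. */
static uint64_t tsc_now(void)
{
#ifdef HAVE_X86
    _mm_lfence();                 /* keep earlier instructions from drifting past the read */
    uint64_t t = __rdtsc();
    _mm_lfence();                 /* keep the read from drifting past later instructions */
    return t;
#else
    return 0;
#endif
}

/* CPUID leaf 0. Under SVM and VT-x this always exits to the hypervisor. */
static void do_cpuid(void)
{
#ifdef HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
#endif
}

/* Minimum cycle count over `rounds` samples. Taking the minimum discards
 * interrupts and scheduler preemption, which only ever add time.
 * with_cpuid == 0 measures the bare RDTSC/LFENCE overhead (the baseline). */
uint64_t min_cycles(int rounds, int with_cpuid)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint64_t t0 = tsc_now();
        if (with_cpuid)
            do_cpuid();
        uint64_t t1 = tsc_now();
        if (t1 - t0 < best)
            best = t1 - t0;
    }
    return best;
}

/* Pure decision, separated from the measurement so it can be tested on
 * constructed numbers. 1 = CPUID cost looks like a VM exit, 0 = it does not. */
int vmm_suspected(uint64_t cpuid_cycles, uint64_t baseline_cycles)
{
    if (cpuid_cycles < baseline_cycles)
        return 0;
    return (cpuid_cycles - baseline_cycles) > VMEXIT_MARGIN_CYCLES;
}

int main(void)
{
    uint64_t base  = min_cycles(10000, 0);
    uint64_t cpuid = min_cycles(10000, 1);
    printf("baseline %llu cycles, cpuid %llu cycles -> %s\n",
           (unsigned long long)base, (unsigned long long)cpuid,
           vmm_suspected(cpuid, base) ? "VM exit suspected" : "no VM exit seen");
    return 0;
}
```

Build with `cc -O2 vmexit_timing.c` and run it on the box in question. The caveat is the whole point of the article's argument: both SVM and VT-x let the hypervisor apply an offset to the guest's view of the TSC, so a hypervisor that knows about this check can make RDTSC lie. A timing result is therefore a hint, not proof; a measurement against a clock the hypervisor does not control (another machine on the network, for instance) is what it takes to make this approach hard to fool.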
 

Re: 'Blue Pill' Prototype Creates 100% Undetectable Malware

Postby Et in Arcadia ego » Thu Jun 29, 2006 4:42 pm

Nice..

____________________
Oderint, dum metuant

Et in Arcadia ego
 
Posts: 4104
Joined: Fri Dec 02, 2005 5:06 pm
Location: The Void

Re: 'Blue Pill' Prototype Creates 100% Undetectable Malware

Postby DireStrike » Thu Jun 29, 2006 7:36 pm

So is it a flaw of Vista, AMD, or just the entire x64 platform? I guess that would be in order of least to most problematic, and it sounds like it's the last one...

A backdoor intentionally installed for TIA? That would make a lot of sense, considering it's a stupid idea - terrorists probably rarely run licenced, up-to-date equipment.

Edited by DireStrike at 6/29/06 5:37 pm
DireStrike
 
Posts: 167
Joined: Tue Jul 12, 2005 2:42 pm
Location: NYC

Re: 'Blue Pill' Prototype Creates 100% Undetectable Malware

Postby bvonahsen » Thu Jun 29, 2006 11:32 pm

It's an exploit of processor virtualization, at least that is my understanding. Basically, they figured out how to hack, not the operating system, but the processor core. If I'm correct, it would affect only the new dual core processors, I could be wrong though.

The significance of "blue pill" is that it seems really unlikely that MS Vista will solve Windows' security issues any time soon. If the CIA, NSA and others aren't already using it I am sure they soon will be.
bvonahsen
 

technodunderhead

Postby blanc » Fri Jun 30, 2006 8:31 am

bvonahsen, could you give me a three liner explanation of what this means to me?
blanc
 
Posts: 1946
Joined: Sun Feb 05, 2006 4:00 pm

I was just seeking the same.

Postby slimmouse » Fri Jun 30, 2006 6:56 pm

An explanation for idiots please BV? ;)
slimmouse
 
Posts: 6129
Joined: Fri May 20, 2005 7:41 am
Location: Just outside of you.

Re: I was just seeking the same.

Postby Et in Arcadia ego » Fri Jun 30, 2006 8:26 pm

It means that this technology can be embedded on your machine and there's no means available to determine if you are even infected, much less be able to remove it.

Malware can record your keystrokes, give back-door access to your machine, basically enable someone else to do anything with your machine that you can.

This is a real problem, and most people aren't aware of the existing malware that's not exploiting what's mentioned here.

____________________
Oderint, dum metuant

Et in Arcadia ego
 
Posts: 4104
Joined: Fri Dec 02, 2005 5:06 pm
Location: The Void

Re: I was just seeking the same.

Postby bvonahsen » Fri Jun 30, 2006 10:59 pm

Yeah, that's basically right.

It was perhaps a mistake to post this here, I'm not sure. But what I was thinking is that here is this technique that will make it possible for "evil doers", including the government, to have total control over every future PC. Even though it applies to just AMD processors it should also work on Intels. Kind of sobering and I thought people would like to know.

The woman who came up with this is a researcher and I sure hope the chip makers will have a fix. Or it will be an excuse for some other government action, hard to say. Probably does not affect anyone on the board because I doubt anyone here uses AMD dual core PCs.

AMD Preps 'Pacifica' Virtualization Technology: http://www.eweek.com/article2/0,1895,1644414,00.asp

Quote:
    Virtualization technologies work by creating a sort of subring, a term given to the levels of interaction between the operating system and the hardware. Normally, Windows and other operating systems operate at "Ring 0," the level closest to the hardware. Virtualization software creates a subring, convincing Windows that it is still interacting at the Ring 0 level, but allowing the virtualization software to treat the OS like any other windowed application, Reynolds said.

    VMware inserts its ESX operating environment underneath the virtualized operating systems as a means of controlling them. It's not clear how Intel plans to manage the virtualized operating systems, analysts said, although running the virtualization process in hardware would undoubtedly speed up the process.

That's what virtualization is. You know, another possibility is the gov may require this technology installed so that they can advance the Pentagon's "total information awareness" program.

It reflects my current concerns about security because I'm looking for a new anti-virus, my old subscription is lapsing so I need a new one. This is something that is coming down the pipe so to speak, not here yet but definitely a possible reality.

Just thought I'd crush any hope anyone had left... hehe... sorry... (being sarcastic there).
bvonahsen
 

malware

Postby greencrow0 » Fri Jun 30, 2006 11:57 pm

For some time now, I have accepted the fact that 'someone' can be watching every keystroke I make and every webpage that I browse.

One train of thought tells me that I should just carry on because it is the 'price of doing business' on the Internet.

The other train of thought tells me that at some point, I am just going to chuck the whole thing and get a new hobby and pastime.

When I do the latter, I believe a lot of other people will be reaching the same conclusion and then they won't have any method of finding out what any of us are up to.

:smokin
greencrow0
 
Posts: 1481
Joined: Mon Jul 11, 2005 5:42 pm

not as bad as it sounds

Postby novistador » Sat Jul 01, 2006 12:16 am

Thought I'd toss my two cents in.

This method really isn't as undetectable as it may seem. From inside the emulated environment it is quite invisible, but there is no way of stopping the user from accessing his router / DSL modem logs or booting from a live CD such as Knoppix.

The virtual machine must be kept in the primary HD partition or boot record for it to be bootable, so a user could simply boot Knoppix from write-protected media, mount the primary partition, and remove the VM with antivirus software or a patch. The user will know something is funky when he sees traffic through the router that his firewall isn't reporting. There's no way to hide the net traffic generated by the VM from an external appliance, and there is no way for the VM to hide its own existence without being activated by the boot process.

Yet another good reason to use the firewall that comes with your DSL modem.
novistador
 
Posts: 11
Joined: Sat Jul 01, 2006 12:16 am

easy peasy

Postby blanc » Sat Jul 01, 2006 3:38 pm

novistador, many of us can only just manage to switch the thing on, crossing fingers that there won't be any funny messages saying we have performed an illegal action.

ps. It's not them knowing what I write that bothers me, it's thinking someone might put incriminating stuff in it, without my knowledge.
blanc
 
Posts: 1946
Joined: Sun Feb 05, 2006 4:00 pm