Blue pill (malware)
Blue Pill is the codename for a controversial rootkit based on x86 virtualization. Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT-x (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006, with a reference implementation for the Microsoft Windows Vista kernel.
Overview
The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor.
Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system could be "100% undetectable". Since AMD virtualization is seamless by design, a virtualized guest is not supposed to be able to query whether it is a guest or not. Therefore, the only way Blue Pill could be detected is if the virtualization implementation were not functioning as specified.
This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability. Some other security researchers and journalists also dismissed the concept as implausible. Virtualization could be detected by a timing attack relying on external sources of time.
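The timing-based check the paragraph above alludes to, as an added example that is neither the article's content nor Blue Pill's own code: it times a loop of CPUID instructions (which exit to the hypervisor unconditionally under VT-x, and under AMD-V when the hypervisor intercepts them) against a reference clock and flags a per-instruction cost above a bare-metal ceiling. CLOCK_MONOTONIC stands in for the external time source the text refers to, which is an assumption: a hypervisor that also controls the local clock can offset it, so a real probe compares against a clock it cannot touch; the 400 ns ceiling is likewise an assumed value to calibrate on known-clean hardware of the same model.

```c
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif
/* Reference clock in ns. A real probe would use an external source the
 * hypervisor cannot offset (e.g. timestamps from a network peer); CLOCK_MONOTONIC
 * is only a local stand-in here (assumption). */
static uint64_t ref_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
/* Time `iters` CPUID instructions. CPUID exits to the hypervisor (always on
 * VT-x, when intercepted on AMD-V), so a thin hypervisor adds a fixed cost. */
uint64_t cpuid_loop_ns(unsigned iters) {
    unsigned a = 0, b = 0, c = 0, d = 0;
    uint64_t t0 = ref_ns();
    for (unsigned i = 0; i < iters; i++) {
#if HAVE_CPUID
        __cpuid(0, a, b, c, d);
#else
        __asm__ __volatile__("" ::: "memory"); /* non-x86: nothing traps */
#endif
    }
    (void)a; (void)b; (void)c; (void)d;
    return ref_ns() - t0;
}
/* Per-iteration cost in ns, rounded up; 0 when iters == 0. */
uint64_t per_iter_ns(uint64_t total_ns, unsigned iters) {
    return iters ? (total_ns + iters - 1) / iters : 0;
}
/* 1 if CPUID is slower than a bare-metal ceiling calibrated on known-clean
 * hardware of the same model (the 400 ns used in main() is an assumption). */
int looks_virtualized(uint64_t cpuid_ns_per_iter, uint64_t ceiling_ns) {
    return cpuid_ns_per_iter > ceiling_ns;
}
int main(void) {
    const unsigned n = 200000;
    uint64_t cost = per_iter_ns(cpuid_loop_ns(n), n);
    printf("CPUID: %llu ns/iter -> %s\n", (unsigned long long)cost,
           looks_virtualized(cost, 400) ? "hypervisor likely" : "bare metal likely");
    return 0;
}
```

A hypervisor that wants to hide can slow nothing but still rewrite the guest's view of the TSC or of clock_gettime, which is exactly why the text insists on external sources of time.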
In 2007, a group of researchers led by Thomas Ptacek of Matasano Security challenged Rutkowska to put Blue Pill against their rootkit detector software at that year's Black Hat conference, but the deal was deemed a no-go following Rutkowska's request for $384,000 in funding as a prerequisite for entering the competition. Rutkowska and Alexander Tereshkin countered detractors' claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate.
The source code for Blue Pill has since been made public, although under a restrictive license: "Any unauthorized use (including publishing and distribution) of this software requires a valid license from the copyright holder. This software has been provided for the educational use only during the Black Hat training and conference."
See also
- Red Pill - a technique to detect the presence of a virtual machine also developed by Joanna Rutkowska. http://invisiblethings.org/papers/redpill.html
External links
- Introducing the Blue Pill by Joanna Rutkowska
- InternetNews - Blackhat takes Vista to Task
- Heading Off the Hackers - Business Week, August 10, 2006
- Blue Pill, Episode 54 of the Security Now Podcast
- Black Hat 2006 Presentation
- Source code
- Detecting and Blocking Blue Pill, Vitriol etc