By Lisa Vaas
June 28, 2007
Joanna Rutkowska, the security researcher who one year ago built a
working prototype, code-named Blue Pill, of a hypervisor rootkit she
described as "100 percent undetectable," has tacitly conceded to a group
of security researchers that the detector code they cooked up in the past
month will in fact ferret out Blue Pill, at this point in its development,
at any rate.
Tom Ptacek, security researcher and founder of New York-based Matasano
Security, posted a note on June 27 saying that he, along with his fellow
security researchers who had worked on hypervisor rootkit detection,
were inviting Rutkowska to a challenge at Black Hat Briefings in Las
Vegas sometime on Aug. 1 or 2.
"Joanna, we respectfully request terms under which you'd agree to an
'undetectable rootkit detection challenge.' We'll concede almost
anything reasonable; we want the same access to the (possibly-)infected
machine that any anti-virus software would get," Ptacek wrote.
Rutkowska posted a message saying she was ready for the challenge. But
she stipulated that the challenging researchers (Ptacek, Nate Lawson of
Root Labs, Symantec researcher Peter Ferrie and Matasano's Dino Dai
Zovi) fund two people, full-time for six months at $200 per hour, to
develop the rootkit to a state of readiness.
"She says she'll have completed it enough to compete in conference by
then," Lawson said to eWEEK in an interview. "For $416,000 she wants us
to pay her to write a rootkit which we're confident we'll be able to
detect. We spent one person-month coding the detector, and it will
take her 16 times longer than it took us to write the detector, and we
still believe we'll win."
"Nobody said that writing rootkits is an easy process," Rutkowska
retorted in an e-mail exchange with eWEEK. "It is not, it requires time
to make a rootkit something more than a prototype."
Ptacek said that by asking for more time, money and resources to make
the rootkit undetectable, Rutkowska, who has lately founded Invisible
Things Lab in Warsaw, Poland, has conceded that it can indeed be detected.
"In her judgment, we are likely to be able to detect Blue Pill at Black
Hat. We'd go a step further: We can detect arbitrary hypervisor
rootkits, not just Blue Pill. But on the topic of Joanna's Blue Pill
work, it appears that Matasano, Root Labs, Invisible Things Lab and
Symantec agree. It's detectable," he said.
Rutkowska said in her posting that what she has right now is a prototype
that would require $384,000 to turn into something "hard to detect."
"Overtly implying that what she has now ISN'T hard to detect," Ptacek
said in an e-mail exchange. "It has cost us a month of spare time to get
to the point where we can detect what Joanna has now. If it costs us a
month to detect the $400,000 'commercial-grade' Blue Pill, that's a
16-to-1 advantage we apparently hold. The new name of this story is 'how
to lose an arms race.'"
"Ptacek is free to derive his own conclusions, but that will always be
that: his interpretation of what I said," Rutkowska said in her e-mail
exchange. "I really do not see how this debate leads anywhere. We will
present our research and thoughts on the feasibility of detecting
virtualization-based malware during our talk at Black Hat."
Besides, Rutkowska pointed out, raising the money required to
"weaponize" Blue Pill shouldn't be much of a challenge, given the
vendors that have hooked onto the virtualization market.
"If [Ptacek] indeed feels he's so right, he should not have much
problems convincing some big companies to sponsor the contest. I can name
at least several big companies that would be very interested in proving
the virtualization-based malware is not a threat," she said.
Blue Pill was based on Rutkowska's work with Advanced Micro Devices'
SVM/Pacifica virtualization technology.
Working independently but in parallel, Matasano's Dai Zovi also
presented a hypervisor rootkit, "Vitriol," for Intel's VT-x extensions
at Black Hat in 2006, at the same conference at which Rutkowska
presented Blue Pill.
Lawson described the "undetectable" rootkit's fatal flaw this way:
A rootkit has to deal with a metric called cross-section, which is the
amount of a given system that a rootkit has to emulate or hide from a
detector technology so that the rootkit can remain invisible. For
example, a rootkit that was just a single byte modified in an obscure
part of a system is much harder to detect than a complex program with
millions of lines of code that hooks into the system all over the place.
The simplest rootkit will install a script, or patch a Web server, or a
kernel, or BIOS or firmware, all different layers at which rootkits can be
installed.
The simpler the rootkit, the smaller the part of the system it will
affect, and the smaller part of the system that it will then have to
hide from, Lawson said.
The hypervisor level is the layer between the operating system and the
hardware itself. Both Vitriol and Blue Pill installed at the hypervisor
level. To stay invisible at the hypervisor level, a rootkit has to
emulate all the underlying hardware while it goes about whatever
mischief is its main purpose.
When it executes, the rootkit has to adjust timer values measured by the
operating system, subtracting out the cycles it used to do its own work.
That's just one small area of the work a hypervisor rootkit has to do to
hide itself, Lawson said.
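The timer problem Lawson describes is the basis of the simplest class of hypervisor detectors, so here is an added illustration of it. This is not the detector code the Matasano, Root Labs and Symantec researchers wrote, and nothing below comes from the article; it assumes an x86 CPU where the CPUID instruction always exits to a hypervisor (the case for AMD SVM and Intel VT-x) and that the time-stamp counter (RDTSC) can be read from user mode. The cycle threshold is an assumed, machine-dependent number that a real detector would calibrate on known-clean hardware.

```c
/* Added example: timing CPUID with the TSC to detect a hypervisor.
 * Not the researchers' detector; assumptions are noted in comments. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
static int have_tsc(void) { return 1; }

/* One sample: cycles consumed by a single CPUID. Under SVM/VT-x the
 * instruction unconditionally traps to the hypervisor, so a rootkit
 * like Blue Pill pays for a VM exit and re-entry here. To stay hidden
 * it would have to subtract those cycles from the counter we read,
 * which is the "adjust timer values" work the article refers to. */
static uint64_t time_cpuid_once(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}
#else
/* Non-x86 build: the measurement is meaningless, report no TSC. */
static int have_tsc(void) { return 0; }
static uint64_t time_cpuid_once(void) { return 0; }
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (sorts the buffer in place). The median rather
 * than the mean keeps a few interrupt-inflated samples from skewing
 * the result. */
uint64_t median_cycles(uint64_t *samples, size_t n) {
    qsort(samples, n, sizeof *samples, cmp_u64);
    return (n % 2) ? samples[n / 2]
                   : (samples[n / 2 - 1] + samples[n / 2]) / 2;
}

/* Assumed threshold: bare-metal CPUID costs on the order of a few hundred
 * cycles; a VM exit plus re-entry typically adds thousands. A real
 * detector calibrates this per machine rather than hard-coding it. */
#define CPUID_THRESHOLD_CYCLES 1000

int looks_virtualized(uint64_t median) {
    return median > CPUID_THRESHOLD_CYCLES;
}

/* Collect n samples into buf and return their median. */
uint64_t measure_cpuid_median(uint64_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] = time_cpuid_once();
    return median_cycles(buf, n);
}

int main(void) {
    enum { N = 1001 };
    uint64_t buf[N];
    if (!have_tsc()) {
        puts("no x86 TSC available on this build");
        return 0;
    }
    uint64_t med = measure_cpuid_median(buf, N);
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)med,
           looks_virtualized(med) ? "hypervisor present (or a very slow trap path)"
                                  : "no hypervisor evident");
    return 0;
}
```

Run on a machine that is legitimately virtualized (a VMware or Xen guest, for instance) the median climbs well past the threshold, which is why this check alone cannot distinguish a rootkit from a benign hypervisor and why the researchers' talk concerns a broader set of measurements. It also shows the cross-section argument from both sides: the detector has to calibrate its threshold against many CPUs, but the rootkit has to fake a consistent counter on every one of them.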
What makes Blue Pill even more unwieldy is that Rutkowska chose x86
hardware, which has a "huge" cross-section, Lawson said. Imagine how
many different versions of AMD hardware, chip sets, PC manufacturers and
other variables a rootkit has to contend with, and it becomes clear that
a rootkit author has problems similar to Microsoft's in dealing with
hardware drivers.
Unfortunately for Blue Pill, it has to do more than function as a driver
does; it has to function identically to the hardware drivers it's trying
to emulate. Again, "[With] a large variety of hardware to emulate, it
becomes [unwieldy]," Lawson said.
"The advantage is always fundamentally in the detector's hands. The
system is already rigged from the beginning, because [Rutkowska] chose
the hypervisor level for implementing her rootkit. She chose poorly
because she chose a level so complex," he said.
The researchers' work has to date shown that hypervisor rootkits, as
well as rootkits that target the equally complex layer of BIOS, are
detectable. The group doesn't plan to turn the detector code they cooked
up into a product, given that the only two rootkits known to work at
these levels are proofs of concept, they said.
Instead, Ferrie, Ptacek and Lawson plan to get up on stage at Black Hat
for free, Ptacek said. "And, for free, we're going to explain what we do
to detect hypervisor malware. And, for free, we're going to show the
code we use to do it."
None of this is meant to disparage Rutkowska's groundbreaking work,
Ptacek emphasized. "I hope that I'm not coming across as disrespectful
of Joanna. She's smarter than me, but wrong," he said.
If Rutkowska in fact manages to perfect her Blue Pill prototype before
Black Hat, Ptacek said, the challenge is on. "We'd love it if she'd take
us up on our challenge. If it takes longer, we're happy to do it some
other time," he said.