Researchers: 'Blue Pill' Rootkit Detectable

Researchers: 'Blue Pill' Rootkit Detectable
Researchers: 'Blue Pill' Rootkit Detectable,1895,2152137,00.asp 

By Lisa Vaas
June 28, 2007

Joanna Rutkowska, the security researcher who one year ago built a 
working prototype, code-named Blue Pill, of a rootkit capable of 
creating malware that remains "100 percent undetectable," has tacitly 
conceded to a group of security researchers that the detector code they 
cooked up in the past month will in fact ferret out Blue Pillat this 
point in its development, at any rate.

Tom Ptacek, security researcher and founder of New York-based Matasano 
Security, posted a note on June 27 saying that he, along with his fellow 
security researchers who had worked on hypervisor rootkit detection, 
were inviting Rutkowska to a challenge at Black Hat Briefings in Las 
Vegas sometime on Aug. 1 or 2.

"Joanna, we respectfully request terms under which you'd agree to an 
'undetectable rootkit detection challenge.' We'll concede almost 
anything reasonable; we want the same access to the (possibly-)infected 
machine that any anti-virus software would get," Ptacek wrote.

Rutkowska posted a message saying she was ready for the challenge. But 
she stipulated that the challenging researchersPtacek, Nate Lawson of 
Root Labs, Symantec researcher Peter Ferrie and Matasano's Dino Dai 
Zovifund two people, full-time for six months at $200 per hour, to 
develop the rootkit to a state of readiness.

"She says she'll have completed it enough to compete in conference by 
then," Lawson said to eWEEK in an interview. "For $416,000 she wants us 
to pay her to write a rootkit which we're confident we'll be able to 
detect. We spent one one-person month coding the detector, and it will 
take her 16 times longer than it took us to write the detector, and we 
still believe we'll win."

"Nobody said that writing rootkits is an easy process," Rutkowska 
retorted in an e-mail exchange with eWEEK. "It is not, it requires time 
to make a rootkit something more than a prototype."

Ptacek said Rutkowska, who has lately founded Invisible Things Lab, 
based in Warsaw, Poland, by asking for more time, money and resources to 
make the rootkit undetectable has conceded that it can indeed be 

"In her judgment, we are likely to be able to detect Blue Pill at Black 
Hat. We'd go a step further: We can detect arbitrary hypervisor 
rootkits, not just Blue Pill. But on the topic of Joanna's Blue Pill 
work, it appears that Matasano, Root Labs, Invisible Things Lab and 
Symantec agree. It's detectable," he said.

Rutkowska said in her posting that what she has right now is a prototype 
that would require $384,000 to turn into something "hard to detect."

"Overtly implying that what she has now ISN'T hard to detect," Ptacek 
said in an e-mail exchange. "It has cost us a month of spare time to get 
to the point where we can detect what Joanna has now. If it costs us a 
month to detect the $400,000 'commercial-grade' Blue Pill, that's a 
16-to-1 advantage we apparently hold. The new name of this story is 'how 
to lose an arms race.'"

"Ptacek is free to derive his own conclusions, but that will always be 
thathis interpretation of what I said," Rutkowska said in her e-mail 
exchange. "I really do not see how this debate leads anywhere. We will 
present our research and thoughts on the feasibility of detecting 
virtualization-based malware during our talk at Black Hat."

Besides, Rutkowska pointed out, raising the money required to 
"weaponize" Blue Pill shouldn't be much of a challenge, given the 
vendors that have hooked onto the virtualization market.

"If [Ptacek] indeed feels he's so right, he should not have much 
problems convincing some big companies to sponsor the contestI can name 
at least several big companies that would be very interested in proving 
the virtualization-based malware is not a threat," she said.

Blue Pill was based on Rutkowska's work with Advanced Micro Devices' 
SVM/Pacifica virtualization technology.

Working independently but in parallel, Matasano's Dai Zovi also 
presented a hypervisor rootkit, "Vitriol," for Intel's VT-x extensions 
at Black Hat in 2006, at the same conference at which Rutkowska 
presented Blue Pill.

Lawson described the "undetectable" rootkit's fatal flaw this way:

A rootkit has to deal with a metric called cross-section, which is the 
amount of a given system that a rootkit has to emulate or hide from a 
detector technology so that the rootkit can remain invisible. For 
example, a rootkit that was just a single byte modified in an obscure 
part of a system is much harder to detect than a complex program with 
millions of lines of code that hooks into the system all over the place.

The simplest rootkit will install script, or patch a Web server, or a 
kernel, or BIOS or firmwareall different layers at which rootkits can be 

The simpler the rootkit, the smaller the part of the system it will 
affect, and the smaller part of the system that it will then have to 
hide from, Lawson said.

The hypervisor level is the layer between the operating system and the 
hardware itself. Both Vitriol and Blue Pill installed at the hypervisor 
level. To stay invisible at the hypervisor level, a rootkit has to 
emulate all the underlying hardware while it goes about whatever 
mischief is its main purpose.

When it executes, the rootkit has to adjust timer values measured by the 
operating system, subtracting out the cycles it used to do its own work. 
That's just one small area of the work a hypervisor rootkit has to do to 
hide itself, Lawson said.

What makes Blue Pill even more unwieldy is that Rutkowska chose X86 
hardware, which has a "huge" cross-section, Lawson said. Imagine how 
many different versions of AMD hardware, chip sets, PC manufacturers and 
other variables a rootkit has to contend with, and it begins to become 
clear that a rootkit author has similar problems as Microsoft does in 
dealing with hardware drivers.

Unfortunately for Blue Pill, it has to do more than function as a driver 
does; it has to function identically to the hardware drivers it's trying 
to emulate. Again, "[With] a large variety of hardware to emulate, it 
becomes [unwieldy]," Lawson said.

"The advantage is always fundamentally in the detector's hands. The 
system is already rigged from the beginning, because [Rutkowska] chose 
the hypervisor level for implementing her rootkit. She chose poorly 
because she chose a level so complex," he said.

The researchers' work has to date shown that hypervisor rootkits, as 
well as rootkits that target the equally complex layer of BIOS, are 
detectable. The group doesn't plan to turn the detector code they cooked 
up into a product, given that the only two rootkits known to work at 
these levels are proofs of concept, they said.

Instead, Ferrie, Ptacek and Lawson plan to get up on stage at Black Hat 
for free, Ptacek said. "And, for free, we're going to explain what we do 
to detect hypervisor malware. And, for free, we're going to show the 
code we use to do it."

None of this is meant to disparage Rutkowska's groundbreaking work, 
Ptacek emphasized. "I hope that I'm not coming across as disrespectful 
of Joanna. She's smarter than me, but wrong," he said.

If Rutkowska in fact manages to perfect her Blue Pill prototype before 
Black Hat, Ptacek said, the challenge is on. "We'd love it if she'd take 
us up on our challenge. If it takes longer, we're happy to do it some 
other time," he said.

Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. 

Site design & layout copyright © 1986-2014 CodeGods