Friday, June 30, 2006

100% Undetectable Rootkit based on Hardware Virtualization Technologies

The Blue Pill technology does not rely on any bug [like buffer overflow] of the underlying operating system [, but just exploits some design flaw]. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD, which can be run on the x64 platform... This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica. (Joanna Rutkowska's Blog)

I decided to implement Blue Pill on AMD64 processor and I spent my time on doing this... Indeed it *seems* possible to implement Blue Pill on Intel VT, but I haven't done this yet... Also, at Black Hat there will be another presentation, by Dino Dai Zovi, about VT based malware. But I don't know if (and how) Dino's work is similar to Blue Pill or not. (her blog's comments)

Generic detection could be written for the virtual machine technology, then Blue Pill can be detected, but it also means that Pacifica is "buggy."... Blue Pill does *not* rely on any bug in Pacifica nor in the OS... Blue Pill uses only the documented features of Pacifica... (her blog's comments)

Blue Pill is being developed exclusively for COSEINC Research and will not be available for download... Papers about Blue Pill (and more details) will be available after SyScan and Black Hat USA conferences... or to get more details you have to either come to SyScan or Black Hat ;) (her blog's comments)

I think it is not theoretically new. It is something like defective firmware, at the CPU level instead. [I don't want to separate the words 'bug' and 'flaw'.] Sure this is a security flaw (bug), but not something like buffer overflows. This bug is here because of poor design. If a buffer overflow is like a break in a wall (!), these bugs are similar to the lack of the wall itself!

I also think that '100% undetectable' is unreal. By the way, we will wait for the presentation.

See Kurt Wismer's post: 'the blue pill is NOT 100% undetectable'

1 Comment:

Blogger kurt wismer said...

i would agree with you about the 100% undetectable claim... it's kind of like saying 100% protection (which would clearly be snake oil)...

as for the newness, well, i'm not aware of any real-life malware or even any other research malware that implements stealth using hardware based virtualization technology...

7:53 AM  
