“The idea behind Blue Pill is simple,” says Joanna Rutkowska of Invisible Things. “Your operating system swallows the Blue Pill and it awakes inside the Matrix.”
No reboot is necessary. Everything appears to work as always… but it’s really under new management. Rutkowska’s Blue Pill hypervisor rootkit is calling the shots.
Rutkowska claims that, even with Blue Pill code in hand, you can’t detect it.
In fact, all Blue Pill requires is a machine… any machine… equipped with AMD’s SVM/Pacifica virtualization technology. Pacifica uses AMD’s Direct Connect Architecture to speed up virtualization at the chip level. AMD claims… or claimed… that Pacifica actually enhances security.
Part of that claimed security advantage comes from SVM giving a hypervisor its own privilege level beneath the operating system, with control structures the guest OS can neither read nor modify. Neither an operating system nor an old-school kernel rootkit can reach that layer. But Blue Pill can… and does: once it has kernel privileges it switches SVM on itself, wraps the running OS in a virtual machine and becomes the hypervisor underneath it, without a reboot.
That leaves Windows Vista x64 helpless against Blue Pill. To hammer home her point, Rutkowska first loads arbitrary unsigned code into the Vista Beta 2 kernel (x64 edition), defeating Vista’s much-ballyhooed policy of allowing only digitally signed code into the kernel, and then uses that foothold to install the hypervisor.
But then again, Rutkowska says there’s no reason why Blue Pill can’t take out any x64 rollouts of Linux or BSD either.
Windows Client Group chief Austin Wilson told Ellen Messmer of Computerworld that he considers the hardware-based virtual machine rootkit to be a “very real threat.”
When asked if her research was surreptitiously funded by Intel to help slow AMD’s march, Rutkowska demurely replied, “As to why I decided to choose AMD and not Intel - I followed the alphabetic order.”
Nonetheless, she conceded that the Blue Pill approach and others should work on Intel VT chips as well. She was right.
Dino Dai Zovi of Matasano Security demonstrated his Intel-targeting rootkit at Black Hat 2006 in Las Vegas. Like Blue Pill, Vitriol [pdf] can silently take over Mac OS X using Intel VT-x on the Intel Core Duo/Solo, without the Mac skipping a beat. Note that those are 32-bit parts: what the rootkit needs is the virtualization extension, not a 64-bit processor.
As Rutkowska might say, there’s no reason Dai Zovi’s technique couldn’t be applied to other VT-x hosts, including Windows Vista, Linux or BSD, just as Blue Pill’s applies on AMD.
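What a machine must have for either rootkit to take up residence is the virtualization extension itself: AMD SVM or Intel VT-x. The C program below is an added example, not code from this article or from Rutkowska’s or Dai Zovi’s work. It decodes the CPUID bits that advertise SVM (leaf 0x80000001, ECX bit 2) and VMX (leaf 1, ECX bit 5), plus the “hypervisor present” bit (leaf 1, ECX bit 31), and then probes the CPU it runs on; the type and function names are the example’s own. Treat it as an inventory tool, not a Blue Pill detector: the hypervisor bit is set only by hypervisors that choose to announce themselves, and whether SVM has actually been switched on (EFER.SVME) can only be read from kernel mode, where a hypervisor already underneath you controls what you see.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif

/* Raw register values returned by one CPUID leaf. */
typedef struct { uint32_t eax, ebx, ecx, edx; } cpuid_regs;

/* What CPUID tells us about virtualization support on this CPU. */
typedef struct {
    char vendor[13];     /* "AuthenticAMD", "GenuineIntel", ... */
    int  svm;            /* AMD SVM (Pacifica) available: leaf 0x80000001 ECX bit 2 */
    int  vmx;            /* Intel VT-x (VMX) available:   leaf 1 ECX bit 5 */
    int  hypervisor_bit; /* leaf 1 ECX bit 31: set only by hypervisors that
                            choose to announce themselves; a Blue Pill-style
                            rootkit has no reason to set it */
} virt_caps;

/* Helper for constructing leaf values (used by the checks in the text). */
cpuid_regs make_regs(uint32_t eax, uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    cpuid_regs r = { eax, ebx, ecx, edx };
    return r;
}

/* Write a 32-bit register as four ASCII bytes, low byte first, the way CPUID
 * vendor strings are laid out; done by shifting so it is endian-independent. */
static void put_chars(char *dst, uint32_t v)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (char)((v >> (8 * i)) & 0xff);
}

/* Decode leaf 0 (vendor), leaf 1 (VMX, hypervisor bit) and leaf 0x80000001 (SVM). */
virt_caps decode_virt_caps(cpuid_regs leaf0, cpuid_regs leaf1, cpuid_regs ext1)
{
    virt_caps c;
    memset(&c, 0, sizeof c);
    /* The vendor string is spread over EBX, EDX, ECX of leaf 0, in that order. */
    put_chars(c.vendor + 0, leaf0.ebx);
    put_chars(c.vendor + 4, leaf0.edx);
    put_chars(c.vendor + 8, leaf0.ecx);
    c.vendor[12] = '\0';
    c.vmx = (leaf1.ecx >> 5) & 1;
    c.hypervisor_bit = (leaf1.ecx >> 31) & 1;
    /* Bit 2 of extended leaf 1 ECX is SVM on AMD parts and reserved (zero) on Intel. */
    c.svm = (ext1.ecx >> 2) & 1;
    return c;
}

/* Compare a decoded result against expected values; returns 1 if all match. */
int caps_match(virt_caps c, const char *vendor, int svm, int vmx, int hypervisor_bit)
{
    return strcmp(c.vendor, vendor) == 0 && c.svm == svm &&
           c.vmx == vmx && c.hypervisor_bit == hypervisor_bit;
}

/* Query the CPU we are running on. Returns 0 when this build cannot execute CPUID. */
int probe_virt_caps(virt_caps *out)
{
#if defined(__x86_64__) || defined(__i386__)
    cpuid_regs l0, l1, e1;
    unsigned int max_ext, b, c, d;
    __cpuid(0, l0.eax, l0.ebx, l0.ecx, l0.edx);
    __cpuid(1, l1.eax, l1.ebx, l1.ecx, l1.edx);
    __cpuid(0x80000000, max_ext, b, c, d);      /* highest extended leaf supported */
    if (max_ext >= 0x80000001u)
        __cpuid(0x80000001, e1.eax, e1.ebx, e1.ecx, e1.edx);
    else
        e1 = make_regs(0, 0, 0, 0);
    *out = decode_virt_caps(l0, l1, e1);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void)
{
    virt_caps c;
    if (!probe_virt_caps(&c)) {
        puts("CPUID is not available on this architecture");
        return 0;
    }
    printf("vendor:             %s\n", c.vendor);
    printf("AMD SVM (Pacifica): %s\n", c.svm ? "yes" : "no");
    printf("Intel VT-x (VMX):   %s\n", c.vmx ? "yes" : "no");
    printf("hypervisor bit:     %s\n", c.hypervisor_bit
           ? "set (a hypervisor announces itself)"
           : "clear (no self-announcing hypervisor; says nothing about a hidden one)");
    return 0;
}
```

Build with a C99 compiler on an x86 host; on other architectures it still compiles but reports that CPUID is unavailable. A “yes” for SVM or VMX means the machine is the kind of host these rootkits need, which is the question an inventory should answer before the advice that follows.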
So how can you protect yourself from Blue Pill, Vitriol and other hardware-based VM rootkits? Don’t run as Admin. Both rootkits have to get into the kernel before they can slip a hypervisor underneath it, and that first step needs administrator privileges.
And wait to upgrade. You can bet that AMD and Intel will come up with fixes. After all, corporate lives are on the line.
If you must upgrade… forget about bragging rights for uptime.
Shut those virtualization-capable machines down, 64-bit or not. A lot. As demonstrated, these rootkits are memory-resident and do not survive a reboot.
Email Battles Backgrounder:
- Beyond Rootkits: World’s First Standalone Kernel Mode Bot?; Email Battles; 07 April 2006.
- Hacker Defender Rootkit Guru Kills Stealth Project; Email Battles; 13 March 2006.
- Rootkitted? Do NOT Re-Format That Hard Drive.; Email Battles; 14 February 2006.
- Rootkit Guru: AntiVirus Makes Me Do It; Email Battles; 20 December 2005.
- Sony’s rootkit without borders; NewsByte; Email Battles; 16 January 2006.
- Symantec caught embedding rootkits; NewsByte; Email Battles; 11 January 2006.
- Rootkit Guru: The Evil in Sony BMG; Email Battles; 15 December 2005.
- Adware’s Rootkit Focus: Preventing removal; NewsByte; Email Battles; 15 December 2005.
- Rootkits Unraveled; NewsByte; Email Battles; 13 December 2005.
- Rootkit Guru: Win 9x/ME Are Hopeless; Email Battles; 14 December 2005.
- Rootkitters Lay in Wait for Vista 2006; Email Battles; 13 December 2005.
- The Death of Sony BMG; Email Battles; 15 November 2005.
- Signature War: Rootkits vs Antivirus; Email Battles; 13 December 2005.
- How To Dig Out Rootkits; Email Battles; 22 March 2005.