“The idea behind Blue Pill is simple,” says Joanna Rutkowska of Invisible Things. “Your operating system swallows the Blue Pill and it awakes inside the Matrix.”
No reboot is necessary. Everything appears to work as always… but it’s really under new management. Rutkowska’s Blue Pill hypervisor rootkit is calling the shots.
Rutkowska claims that, even with Blue Pill code in hand, you can’t detect it.
In fact, all Blue Pill requires is a machine… any machine… equipped with AMD’s SVM/Pacifica virtualization technology. Pacifica uses AMD’s Direct Connect Architecture to speed up virtualization at the chip level. AMD claims… or claimed… that Pacifica actually enhances security.
Part of that security advantage derives from Pacifica’s use of segregated on-chip memory tables. Neither operating systems nor old-school rootkits can access or manipulate chips at that level. But the Blue Pill can… and does.
That renders Windows Vista x64 helpless against the Blue Pill. To hammer home her point, Rutkowska inserts arbitrary code into the Vista Beta 2 kernel (x64 edition), negating Vista’s much ballyhooed policy of allowing only digitally signed code to be loaded into the kernel.
But then again, Rutkowska says there’s no reason why the Blue Pill can’t take out any x64 rollouts of Linux or BSD either.
Windows Client Group chief Austin Wilson told Ellen Messmer of Computerworld that he considers the hardware-based Virtual Memory rootkit to be a “very real threat.”
When asked if her research was surreptitiously funded by Intel to help slow AMD’s march, Rutkowska demurely replied, “As to why I decided to choose AMD and not Intel - I followed the alphabetic order.”
Nonetheless, she conceded that the Blue Pill approach and others should work on Intel VT chips as well. She was right.
Dino Zovi of Matasano Security demonstrated his Intel-targeting rootkit at Black Hat 2006 in Las Vegas. Like the Blue Pill, Vitriol can silently take over Mac OS X using Intel VT-x on Intel Core Duo/Solo, without the Mac skipping a beat.
As Rutkowska might say, there’s no reason Zovi’s technique couldn’t be applied to other 64-bit carriers, including AMD, Windows Vista, Linux or BSD.
So how can you protect yourself from the Blue Pill, Vitriol and other hardware-based VM rootkits? Don’t run as Admin.
And wait to upgrade. You can bet that AMD and Intel will come up with fixes. After all, corporate lives are on the line.
If you must upgrade… forget about bragging rights for uptime.
Shut your 64-bit machines down. A lot. These rootkits are memory-resident.
Email Battles Backgrounder:
- Beyond Rootkits: World’s First Standalone Kernel Mode Bot?; Email Battles; 07 April 2006.
- Hacker Defender Rootkit Guru Kills Stealth Project; Email Battles; 13 March 2006.
- Rootkitted? Do NOT Re-Format That Hard Drive.; Email Battles; 14 February 2006.
- Rootkit Guru: AntiVirus Makes Me Do It; Email Battles; 20 December 2005.
- Sony’s rootkit without borders; NewsByte; Email Battles; 16 January 2006.
- Symantec caught embedding rootkits; NewsByte; Email Battles; 11 January 2006.
- Rootkit Guru: The Evil in Sony BMG; Email Battles; 15 December 2005.
- Adware’s Rootkit Focus: Preventing removal; NewsByte; Email Battles; 15 December 2005.
- Rootkits Unraveled; NewsByte; Email Battles; 13 December 2005.
- Rootkit Guru: Win 9x/ME Are Hopeless; Email Battles; 14 December 2005.
- Rootkitters Lay in Wait for Vista 2006; Email Battles; 13 December 2005.
- The Death of Sony BMG; Email Battles; 15 November 2005.
- Signature War: Rootkits vs Antivirus; Email Battles; 13 December 2005.
- How To Dig Out Rootkits; Email Battles; 22 March 2005.
19 comments
August 9th, 2006 at 7:00 am
1c3d0g
Great, so that means we’re damned if we upgrade, damned if we don’t. What kind of a messed up future are we going to have here?!?
August 9th, 2006 at 7:57 am
Tony Lawrence
I assume you mean “shut down and LEAVE IT OFF”
I’ve been wondering if a system already running under a hypervisor like VMware’s ESX Server would be vulnerable to this?
Also: if a machine’s BIOS were EFI (like the new Macs), couldn’t something like this take such complete control that even booting from CD wouldn’t unlatch it?
Also, I wonder about detection issues: the computer can be a bald-faced liar, but the wall clock doesn’t lie. Wouldn’t it be possible to detect a compromised system by code timing? Difficult, I suppose.
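The timing idea raised in the comment above is the classic check for a hardware-virtualization hypervisor: instructions such as CPUID are unconditionally intercepted by SVM and VT-x, so each one costs a round trip through the hypervisor and takes far longer than it does on bare metal. The following C probe is an added example written for this page; it is not code from the article, from Rutkowska, or from any of the commenters. It times CPUID with the TSC, takes the median over many samples to shrug off interrupts and cache misses, and compares it against a baseline threshold. The threshold value (500 ticks) and the sample count are assumptions; a real deployment calibrates the baseline on known-clean hardware of the same model.

```c
/* Added example (not from the article or its commenters): timing probe for
 * a hardware-virtualization hypervisor, after the "wall clock doesn't lie"
 * comment above. Build with gcc or clang on an x86/x86-64 Linux host. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid() macro */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* One timed CPUID, returning elapsed TSC ticks. CPUID always causes a VM exit
 * under SVM/VT-x, so the cost jumps from tens/low hundreds of ticks natively
 * to hundreds or thousands when a hypervisor sits underneath the OS.
 * Returns 0 on non-x86 builds, where the probe does not apply. */
static uint64_t timed_cpuid_once(void) {
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);      /* leaf 0 (vendor string); serialising */
    uint64_t t1 = __rdtsc();
    (void)(a | b | c | d);       /* outputs unused; only the time matters */
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t ux = *(const uint64_t *)x, uy = *(const uint64_t *)y;
    return (ux > uy) - (ux < uy);
}

/* Median CPUID cost over n samples. The median, not the mean, is used so a
 * few interrupted or cache-cold samples do not skew the result. */
uint64_t median_cpuid_cycles(int n) {
    if (n <= 0) return 0;
    uint64_t *s = malloc((size_t)n * sizeof *s);
    if (!s) return 0;
    for (int i = 0; i < n; i++) s[i] = timed_cpuid_once();
    qsort(s, (size_t)n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}

/* Pure decision rule, kept separate so it can be tested without hardware.
 * 'threshold' is an assumed, machine-specific baseline (see lead-in).
 * Returns 1 if the measured cost suggests a hypervisor, else 0. */
int suggests_hypervisor(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    const uint64_t threshold = 500;   /* assumption: placeholder baseline */
    uint64_t m = median_cpuid_cycles(1000);
    if (m == 0) {
        puts("probe unavailable on this architecture");
        return 0;
    }
    printf("median CPUID cost: %llu TSC ticks -> %s\n",
           (unsigned long long)m,
           suggests_hypervisor(m, threshold) ? "hypervisor-like" : "native-like");
    return 0;
}
```

Two caveats a defender should keep in mind. First, the probe also fires on any legitimate hypervisor (ESX, Xen, a cloud instance), so it only answers "is there a hypervisor?" and must be combined with an inventory of what is supposed to be there. Second, both SVM and VT-x let the hypervisor apply a TSC offset to the guest, so a rootkit that deliberately rewinds the counter around each exit can mask this local measurement; a clock the hypervisor does not control (an external NTP reference, or a remote host timing the exchange) is harder to lie to, which is why the comment's "wall clock" framing is the right instinct.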
August 9th, 2006 at 8:34 am
BJ
@1c3d0g: The road to the future is filled with potholes.
@Tony:
Not to worry. The same folks who got us into this mess will get us out… I hope.
August 9th, 2006 at 10:29 am
land0
It’s my understanding that you need to be running as the “root/administrator” user in order for this virus to be effective.
“Rutkowska explained that the security systems in Vista can be sidestepped by using a piece of malicious software she had created and dubbed as Blue Pill. She also admitted that she had to perform the hack in higher privileged administrator mode rather than the lower privileged user account control.”
Taken from http://www.techtree.com/techtree/jsp/article.jsp?article_id=75054&cat_id=582
That being the case this will only affect Nix admins who use the root account as their personal login. Can I see a show of hands of who does this on a Nix system? …Crickets chirping… thought not.
My point?
When “Rutkowska says there’s no reason why the Blue Pill can’t take out any x64 roll outs of Linux or BSD either.” We seem to be missing CRUCIAL information. Such as “She also admitted that she had to perform the hack in higher privileged administrator mode rather than the lower privileged user account control.” Details, details…
August 9th, 2006 at 10:52 am
evox
This is a grim look at the future of computer security. I’ve started to compile a list of resources and programs to help protect computers against rootkits at http://www.rootkitshield.com/ But now after reading this article, I’m not even sure if there are any good ways to protect against this type of threat.
I suppose an intrusion detection system could detect packets going out to the rootkit creator, but if they have control over the hardware itself with this type of rootkit, then they can probably just run their own OS on the processor without the original OS ever knowing.
In the battle of attackers vs defenders of computer systems it looks like the attackers are ahead once again.
August 9th, 2006 at 11:04 am
BJ Gillette
Hi land0.
Thanks for adding important details. But I must sadly correct you.
RE: “…this will only affect Nix admins who use the root account as their personal login. Can I see a show of hands of who does this on a Nix system? …Crickets chirping… thought not.”
Should say: “…this will only affect Nix admins who use the root account as their personal login. Can I see a show of hands of who admit to doing this on a Nix system? …Crickets chirping… thought not.”
Thanks to the success of Linux, lots of new and frustrated admins are committing early-Windows administrative gaffes… especially when installing new software.
Don’t kid yourself. The sins of Windows are being visited on Nix.
August 9th, 2006 at 1:11 pm
BJ Gillette
Hi evox.
Rutkowska and Zovi are white hats. Vitriol and Blue Pill are demonstrations, not attacks.
Rutkowska says she believes “that Blue Pill technology will (very soon) allow for creating 100% undetectable malware, which is not based on obscurity of the concept. The working prototype I have implements the most important step towards creating such malware, namely it allows to move the underlying operating system, on the fly, into a secure virtual machine. The phrase ‘on the fly’ is the most important thing about Blue Pill - it makes it possible to install a blue pill based malware without restarting the system and without any BIOS or boot sector modifications. I wish all those people who were posting about how easy it would be to detect Blue Pill by booting a system from a clean CD, spent more time on reading my original blog article, instead of creating useless posts…”
This is a step in the evolution of computer technology. Cars can be dangerous, too. That doesn’t stop intelligent people from driving them well.
August 9th, 2006 at 5:59 pm
land0
(Warning: do not read this if you always run as root on a Nix system, so as to avoid frustration. It will only serve to frustrate you more and possibly strike fear into your heart! You have been warned.)
Hello BJ Gillette,
Interesting point, that you make there with the admit to doing… addition to my above comment.
“Thanks to the success of Linux, lots of new and frustrated admins are committing early-Windows administrative gaffes… especially when installing new software.
Don’t kid yourself. The sins of Windows are being visited on Nix.”
I do see the “real world” point you make here and it is a good one.
Here are my thoughts on it.
Current M$ practices are to run by default with admin privileges for many reasons, the most well known being for the sake of convenience (install hardware, software etc…). You can try to make current versions of Windows use the more secure Nix type methods but you would be facing a lot of work. So it is fair to say that you would really have to want to secure your system in that way. Since M$ ships its product insecure by default it is safe to say that it is their fault the system runs that way by default. The “SysAdmin” is clearly not responsible for M$ policy and has come to accept the insecure nature of the M$ products they are given. In short it is easy to say “it is not the SysAdmin’s fault”. Their bosses see their point as there is nowhere for the blame to fall, as M$ offers no warranty of any kind on their products.
Said bosses decide that it is time to look to a Nix system as a solution.
Enter the Nix system.
By default it uses a much more secure approach to authentication which to the previously innocent SysAdmin is frustrating. They hate having to remember that pesky root password or type their own password to change system wide settings. So they do as you said above and solve their frustration by just running as the root user all the time and tell no one. Within a short period of time they are fired; do you know why? Because it is now officially their fault that the system broke. They were warned, cautioned and told to never run as the root user in every training class, manual, howto and by every consultant that ever talked to them about Nix based authentication, unless it was absolutely necessary and only for very short periods. Keep in mind here that there is a vast difference between providing root access to a process that allows for the installation of software or hardware and running exclusively as the root user.
So for the “silent minority” of frustrated and previously blameless M$ SysAdmins that are taking the approach you mentioned with a Nix system I have only these two things to say.
1.) You are going to get caught! It is inevitable.
and
2.) Unemployment sucks man!
August 10th, 2006 at 8:48 am
BJ Gillette
Hi land0.
Doggone it, land0, you’re getting close to gutting my article for today.
Here’s a hint: Lots of networks in small businesses are run as needed by the guy or gal who can best understand the screen prompts. No matter what happens to their networks, their jobs are 100% secure.
August 10th, 2006 at 9:16 am
Rascalson
BJG: “Here’s a hint”
And how many of those “just happened to be there” guys and gals that can “understand the screen prompts” (did you really write that? WOW) are likely to be running any form of *nix? Hehhehe thought so.
August 10th, 2006 at 9:51 am
BJ Gillette
Hi Rascalson.
RE: How many possibly clueless folks are running Nix?
Suffice it to say… Most everybody who supports single function network appliances in the small office market knows exactly what I’m talking about.
You’d be thunderstruck. I was.
Would you guys please save these “non-techies can’t possibly run Nix” comments for the piece I’m working on? Second thought… keep going. You’re giving me a ton of material.
August 10th, 2006 at 10:25 am
Matthew Vea
Just about everyone here already understands the nuances of rootkits. But when you’re trying to tell a non-tech what rootkits do, they often give us the open mouthed stare. Check out OmniNerd for an easy primer on rootkit technologies for educating your hard-headed users/supervisors.
http://www.omninerd.com/2005/11/22/articles/43
August 10th, 2006 at 11:13 am
BJ Gillette
Hi Matthew.
Thanks for the heads-up. We ran your teaser for that article in December 2005: Rootkits Unraveled.
I’ve found that most of the uninformed respond affirmatively when I whisper these magic words: “Sony BMG.”
fyi: I just added links to some of our past pieces on rootkits. Of special interest: our Rootkit Guru series. Those were authored by the creator of Hacker Defender, with minimal cleanup by Yours Truly.
August 10th, 2006 at 11:50 am
land0
Hi land0.
Doggone it, land0, you’re getting close to gutting my article for today.
Really? I plead the great minds… defense. hehe
Here’s a hint: Lots of networks in small businesses are run as needed by the guy or gal who can best understand the screen prompts. No matter what happens to their networks, their jobs are 100% secure.
Looking forward to reading this one.
August 10th, 2006 at 4:12 pm
BJ Gillette
Hey land0 and Rascalson.
I scrambled and interviewed one of our Linux root abusing customers, just for you guys: Confessions of a Real-World Linux Admin: “I Always Login As root.”
At a minimum, I’m sure you’ll agree that Barbara Walters’ job is secure.
August 11th, 2006 at 5:48 am
Samiam
“Undetectable”. “Memory resident”. Um. Presumably, the “blue pill” code is either in memory that can be read by some system-level program, or has made a finite amount of memory unavailable, and, in theory, unaccounted for (by tabulation of total memory allocated to current OS and application functions)? Can someone explain either why that last statement is fallacious, or how the first two claims are not in conflict? Thanks.
August 11th, 2006 at 8:52 am
CThomas
“unaccounted for”
Um. Theoretically Blue Pill hypervisor filters everything the o/s sees. Thanks.