Q&A: Stealth malware researcher Joanna Rutkowska discusses her interest in computer security, the threat from rootkits and why the world is not ready for virtual machine technology.
Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings
when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMDs SVM/Pacifica virtualization technology to create "100 percent undetectable malware."
In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.
For the benefit of readers who may not have heard about you, can you introduce yourself?
Im a security researcher focusing on stealth technology and system compromise detection. This includes topics like kernel rootkits, stealth malware and covert network communications. I currently work for COSEINC, a Singapore-based IT security company. I live in Warsaw, Poland.
At what age did you get your first computer? Can you describe it?
I think I was 11 when the first computer appeared at my home. It was the PC AT-286, 2MB of RAM and 40MB of hard disk, and it ran with blazing speed of about 16 MHz, if I remember correctly. Actually, that was a high-end machine in those days (beginning of 1990s). However, because of the poor graphics capabilities (Hercules card), I couldnt run most of the games on that computer, so, very quickly, I started my adventures with programming, first with BASIC.
What prompted your interest in computer security?
I have always been interested in how things work. So, when I started programming, I naturally became interested in how the operating system worked. I started learning x86 assembler (on MS-DOS back in those days) and got involved in virus research. Then, for a few years, I broke off from security, focusing on stuff like math and Artificial Intelligence. Then I became interested in networking, Linux and system programming and that eventually brought me back into security, this time focusing on exploit development for Linux x86 and then Win32.
After some time, I gravitated toward the what-to-do-after-successful-exploitation field (kernel backdoors, rootkits, covert channels, etc.) and how to defend against it. But I must say that I have always considered exploit-writing as a very sophisticated art, and I have always had lots of respect for people who could create reliable, "offset-independent" exploits. Theyre very aesthetically pleasing.
On your primary machine, what OS is running? What kinds of security software are you using?
On my primary machine, I run Windows XP x64. I dont use any anti-virus products to secure any of my machines. The reasonI just dont like their approach, which is to block only known malware. Needless to say, I also dont believe in all those AI-based Host Intrusion Detection Systems to stop the unknown attack vectors. So, I just try to be careful when surfing, use NoScript, never open suspicious e-mails or PowerPoint/PDF documents
Of course, Im still aware that its not enough, as somebody can embed a very reliable and "silent" zero-day exploit for my .TXT editor in some README file. Or that they can find a bug in my Wi-Fi driver. Or an attacker can inject an exploit for my browser after setting up a man-in-the-middle attack in a hotspot at the airport.
So, from time to time, I might run some custom tools of mine to check the integrity of my system or start Wireshark
to see what my traffic looks like. In other words, Im not very satisfied with the existing commercial solutions, because I know how easy it is to create malware to bypass them all.
When/how was the first time you heard about rootkits?
As I said before, I was first focusing on exploit development and then started thinking about what to do after we got "the shell." Of course, I was not the first one thinking about this, so I quickly came across various Linux-based rootkits, like Knark or Adore. I think that was at the end of the 1990s. Then I started thinking about how to generically detect those kinds of malware.