Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game

By Lisa Vaas | Posted 2007-08-04

Updated: The Blue Pill creator shrugs off her challengers' claims of being able to detect her virtualized rootkit.

LAS VEGAS—When it comes to rootkits, nothing's undetectable, least of all a virtualized rootkit. Or is it? At Black Hat here Aug. 1, a group of researchers including Symantec's Peter Ferrie, Nate Lawson and Matasano's Thomas Ptacek launched what they hoped would be a full-body tackle of Joanna Rutkowska's "100% Undetectable" Blue Pill virtualized rootkit, which Rutkowska launched a year ago at the conference.

In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level between the hardware and operating system and controls direct measurements—i.e., those internal to a system.
The only problem is, by day's end, Rutkowska revealed that the methods simply don't work as advertised. Rutkowska has tested, if not the exact code for her challengers' detection technologies (due to be released any time now), then at least "the exact methods [as] *presented* and *described* by my challengers," she said in an e-mail exchange with eWEEK. The methods as described by her challengers include, for example, a method called TLB profiling. And, given that the Ptacek/Lawson/Ferrie team didn't mention anything about the problems with the methods she went on to describe in her talk, she's "pretty sure they didn't know about them," she said.

"One needs to use special effort (which means additional complexity) to make sure to, e.g., fill the whole TLB L2 buffer," Rutkowska said in her blog, describing just one shortcoming she found (and fixed, incidentally) in the virtualization detection methods. Even more to the point, Rutkowska said, her challengers' ability to detect virtualization is an entirely separate thing from detecting malware that uses virtualization, as does Blue Pill. "As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, no matter whether Blue Pilled or not," she said. "In that case … it's actually expected that virtualization is being used for some legitimate purposes. In that case using a Blue Pill detector, that in fact is just a generic virtualization detector, is completely pointless."

In her presentation, "IsGameOver(), anyone?" Rutkowska refuted Matasano's and Symantec's ability to detect Blue Pill and described ways to run away when somebody's trying to track the rootkit using timing determination. First, Rutkowska outlined the Blue Chicken defense. This technique involves running away when timing determination occurs. Because the hypervisor sits in the middle, emulating a system, it has the ability to determine if somebody's trying to do a timing attack on the rootkit. In that case, she removes the hypervisor. Of course, she said, even though she can determine when a timing attack against the rootkit is happening, it's not always possible to tell when the timing attack has stopped. But she can always wait it out. After all, timing attacks have one fatal flaw: They suck up CPU like mad—up to 50 percent of CPU time. That means that while you can sometimes run detection, you sure can't run it all the time. It's just too processor-intensive.

In her rebuttal, Rutkowska also detailed her work to implement the Blue Pill detection systems outlined by Matasano. Danny Allan, director of security research at Web application security company Watchfire, in Waltham, Mass., said in an interview with eWEEK after Rutkowska's talk that she had made it clear that the people who claimed to have discovered Blue Pill hadn't actually tested their own methods. She tried them. They didn't work.

How does a system get Blue Pilled? As Rutkowska told eWEEK last year, the idea is simple: "Your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly [i.e., without restarting the system] and there is no performance penalty." Blue Pill doesn't rely on any bug pertaining to the underlying operating system. The original working prototype was implemented for Vista x64, but she saw "no reasons why it should not be possible to port it to other operating systems, like Linux or BSD, which can be run on x64 platform."

Now, a year later, Rutkowska described how Blue Pill can get onto systems via either vulnerable drivers—and there is no shortage of those—or maliciously crafted drivers. In fact, she tested her assumption that it would be easy to register a malicious driver. It took her 2 hours and $250. If she were a black hat up to no good, she said, she'd post the compromised driver on her site. It wouldn't have to be a popular download, she said—as long as it's digitally signed, once the code lands on a machine, Vista will automatically install it.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
