Rebuilding Blue Pill

By Lisa Vaas  |  Posted 2007-08-04

Rutkowska has rebuilt Blue Pill from the ground up since she unveiled it one year ago. One new aspect of the updated Blue Pill is the ability to nest simulated environments. This addresses one obvious detection technique: to ferret out a virtualized rootkit, create a simulated environment of your own, which the rootkit then has to simulate—a simulation within a simulation, in other words. The problem with nested simulations is that, if the rootkit cannot handle them, they crash the system, and the crash itself gives the rootkit away. "If I have been Blue Pilled, I would try to create a simulated environment myself, not knowing I'm already in a simulated environment," Allan said. "It wouldn't work, and you'd crash, and that tells you you've been Blue Pilled."
To get around that, Rutkowska has improved Blue Pill's scalability with regard to nested simulations; it now supports up to 20 levels of nesting.
Blue Pill is tough to beat, and tough to detect. One problem with detecting a virtualized rootkit, Allan said, is that you need a detection strategy that is very sophisticated and very environment-specific. Unfortunately, processors aren't static: they implement things differently and change over time. When that inevitably happens, out goes your environment-specific virtualized-rootkit detection.

This is all futuristic at this point. Blue Pill is an attack that's ahead of its time, and no real-world attacks have been detected. However, once Vista is more widely adopted, Blue Pill will have its day in the sun. Allan said he has already seen the rootkit technology being discussed on underground malware authors' sites. So yes, Blue Pill is almost certainly on the horizon.

And it's not something that will be easy to ignore even if you think you never use virtualization. Last year, Allan said, he left Rutkowska's Blue Pill demonstration feeling pretty comfortable. "Watchfire works in [cross-site scripting]," he said. "I used to say, 'Turn off JavaScript—don't enable it in the browser.' Last year my response was, 'This is easy, just block the ability to do virtualization.'"

That's changing, though, Allan said, with virtualization headed toward ubiquity. "I think we'll see virtualization required in the future; used all the time. It's [already] used in legitimate software, as a feature to do something or other. It's used more and more in hardware and in different components." There are lots of benefits to that, Allan said. Virtualization allows you to run processes in a controlled, sandboxed environment—something you might do as a security feature.

Still, Blue Pill is an esoteric bon-bon; it's an extremely sophisticated attack vector. Will it become attractive in the future? Yes, given its benefits. It's similar to buffer overflows in the network world, Allan said. Overflows are difficult to find, but the outcome is very powerful.
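The environment-specific detection strategies Allan refers to include timing checks: under Intel VT-x an instruction such as CPUID always traps to the hypervisor, so it takes measurably longer under a Blue Pill-style hypervisor than on bare metal. The following C program is an added illustration of that heuristic; it is not code from the article, from Rutkowska, or from Ptacek, Lawson and Ferrie. The native-latency ceiling it compares against is an assumed constant, and that constant is exactly the processor-specific part that breaks when processors change, as the article warns: a real detector would calibrate it per machine rather than hard-code it. The program also reads the cooperative "hypervisor present" CPUID bit, which a hostile hypervisor can simply clear, to show why the timing side channel is needed at all.

```c
/* Added example: timing-based hypervisor detection heuristic (CPUID exit latency).
 * Not from the article or from any researcher it names. ASSUMED_NATIVE_CEILING is
 * an assumption; real figures vary per microarchitecture and must be calibrated. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid() macro, GCC/Clang */
#include <x86intrin.h>  /* __rdtsc() */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Number of CPUID probes; the median resists scheduler noise better than the mean. */
#define PROBES 1000

/* Assumed bare-metal ceiling in cycles. CPUID natively costs on the order of a few
 * hundred cycles and well over a thousand when it causes a VM exit, but the exact
 * numbers differ between processors, which is why a fixed threshold ages badly. */
#define ASSUMED_NATIVE_CEILING 1000

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples; sorts the array in place. Returns 0 for n == 0. */
uint64_t median_cycles(uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    qsort(samples, n, sizeof *samples, cmp_u64);
    return samples[n / 2];
}

/* Decision rule: a CPUID round trip slower than the native ceiling suggests every
 * CPUID is being intercepted, i.e. a hypervisor sits underneath the OS. */
int looks_virtualized(uint64_t median, uint64_t native_ceiling) {
    return median > native_ceiling;
}

/* Time CPUID(leaf 0) n times with RDTSC. Returns samples written (0 off x86). */
size_t sample_cpuid_cycles(uint64_t *out, size_t n) {
#if HAVE_X86
    unsigned a, b, c, d;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        out[i] = t1 - t0;
    }
    (void)a; (void)b; (void)c; (void)d;
    return n;
#else
    (void)out; (void)n;
    return 0;
#endif
}

/* The cooperative check a hostile hypervisor can lie about: CPUID leaf 1,
 * ECX bit 31 is the "hypervisor present" flag set by well-behaved hypervisors. */
int cpuid_hypervisor_bit(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    (void)a; (void)b; (void)d;
    return (c >> 31) & 1;
#else
    return 0;
#endif
}

int main(void) {
    static uint64_t samples[PROBES];
    size_t n = sample_cpuid_cycles(samples, PROBES);
    if (n == 0) {
        puts("not an x86 CPU; nothing to measure");
        return 0;
    }
    uint64_t med = median_cycles(samples, n);
    printf("CPUID hypervisor-present bit: %d\n", cpuid_hypervisor_bit());
    printf("median CPUID latency: %llu cycles -> %s (assumed ceiling %d)\n",
           (unsigned long long)med,
           looks_virtualized(med, ASSUMED_NATIVE_CEILING) ? "likely virtualized"
                                                           : "looks native",
           ASSUMED_NATIVE_CEILING);
    return 0;
}
```

Run it on bare metal and inside a VM and the medians usually differ by an order of magnitude; run it on a different CPU generation and the hard-coded ceiling may be wrong in either direction, which is the fragility the article describes. A more careful version times CPUID relative to a non-trapping instruction on the same core, so the decision depends on a ratio rather than an absolute cycle count.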
Like overflows, Blue Pill is sophisticated and tough to use, but the outcome is attractive: it allows compromise of a machine without the user's knowledge. Should Rutkowska ever have cracked open this Pandora's box, given that there's nothing to be done to protect systems from Blue Pill at this point? Yes. As Allan said, if researchers don't release the details, and if they don't get together and talk about them in venues like Black Hat, those with malice in mind will find them first. Indeed, Blue Pill is a good example of very good disclosure, Allan said. Rutkowska has delivered the details of an entirely futuristic rootkit, arguably far ahead of the time when it will be relevant, particularly when Vista sees widespread adoption and exploitation makes fiscal sense. The far-sighted disclosure she pursues allows researchers to build defenses before seeing exploits in the wild.

Editor's Note: This story was updated to clarify the nature of the virtualization detection methodologies tested by Rutkowska as opposed to those described by Ptacek/Lawson/Ferrie, and to correct the omission of Peter Ferrie from the group of researchers challenging the notion of 100% undetectable virtualized rootkits.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
