Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game - 'Rebuilding Blue Pill'
Rutkowska has rebuilt Blue Pill from the ground up since she unveiled it one year ago. One new aspect of the Blue Pill update is the ability to nest simulated environments. This addresses one obvious detection technique: to ferret out a virtualized rootkit, create a simulated environment yourself, which the rootkit then has to simulate in turn, a simulation within a simulation. The problem with nested simulations is that they crash the system.
"If I have been Blue Pilled, I would try to create a simulated environment myself, not knowing I'm already in a simulated environment," Allan said. "It wouldn't work, and you'd crash, and that tells you you've been Blue Pilled."
To get around that, Rutkowska has boosted Blue Pill's scalability with regard to nested simulations and has at this point jacked its capability up to 20 nested simulations.
Blue Pill is tough to beat and tough to detect. One problem with the requirements for detecting a virtualized rootkit, Allan said, is that you need a detection strategy that's very sophisticated and very environment-specific. Unfortunately, processors aren't static. They implement things differently and change over time. When that inevitably happens, out goes your environment-specific virtualized rootkit detection.
This is all futuristic at this point. Blue Pill is an attack that's ahead of its time. No real-world attacks have been detected. However, once Vista is more widely adopted, Blue Pill will have its day in the sun. Already, Allan said, he's seen the rootkit technology being discussed on underground malware authors' sites.
So yes, Blue Pill is almost certainly on the horizon. And it's not something that will be easy to ignore even if you think you never use virtualization, either. Last year, Allan said, he left Rutkowska's Blue Pill demonstration feeling pretty comfortable. "Watchfire works in [cross-site scripting]," he said. "I used to say, 'Turn off JavaScript; don't enable it in the browser.' Last year my response was, 'This is easy, just block the ability to do virtualization.'"
That's changing, though, Allan said, with virtualization headed toward ubiquity. "I think we'll see virtualization required in the future; used all the time. It's [already] used in legitimate software, as a feature to do something or other. It's used more and more in hardware and in different components."
There are lots of benefits to that, Allan said. Virtualization allows you to run processes in a controlled, sandboxed environment, something you might do as a security feature.
Still, Blue Pill is an esoteric bon-bon; it's an extremely sophisticated attack vector.
But will it become attractive in the future? Yes, given its benefits. It's similar to buffer overflows in the network world, Allan said. Overflows are difficult to find, but the outcome is very powerful. Similarly, Blue Pill is sophisticated and tough to use, but the outcome of its use is attractive, given that it allows compromise of a machine without the user's knowledge.
Should Rutkowska ever have cracked open this Pandora's box, given that there's nothing to be done to protect systems from Blue Pill at this point?
Yes. As Allan said, if the researchers don't release the details, and if they don't get together and talk about them in venues like Black Hat, those with malice in mind will find them first.
Indeed, Blue Pill is a good example of very good disclosure, Allan said. Rutkowska has delivered the details of an entirely futuristic rootkit, arguably far ahead of the time when it will be relevant, particularly when Vista sees widespread adoption and exploitation makes fiscal sense. The far-sighted disclosure she pursues allows researchers to build defenses before seeing exploits in the wild.
Editor's Note: This story was updated to clarify the nature of the virtualization detection methodologies tested by Rutkowska as opposed to those described by Ptacek/Lawson/Ferrie, and to correct the omission of Peter Ferrie from the group of researchers challenging the notion of 100% undetectable virtualized rootkits.