Researchers: Blue Pill Rootkit Detectable

A group of researchers has coded a detector they say can ferret out a supposedly "100 percent undetectable" hypervisor rootkit.

Joanna Rutkowska, the security researcher who one year ago built a working prototype, code-named Blue Pill, of a rootkit capable of creating malware that remains "100 percent undetectable," has tacitly conceded to a group of security researchers that the detector code they cooked up in the past month will in fact ferret out Blue Pill—at this point in its development, at any rate.

Tom Ptacek, security researcher and founder of New York-based Matasano Security, posted a note on June 27 saying that he and the fellow security researchers who had worked on hypervisor rootkit detection were inviting Rutkowska to a challenge at the Black Hat Briefings in Las Vegas on Aug. 1 or 2.

"Joanna, we respectfully request terms under which you'd agree to an undetectable rootkit detection challenge. We'll concede almost anything reasonable; we want the same access to the (possibly-)infected machine that any anti-virus software would get," Ptacek wrote.

Rutkowska posted a message saying she was ready for the challenge. But she stipulated that the challenging researchers—Ptacek, Nate Lawson of Root Labs, Symantec researcher Peter Ferrie and Matasano's Dino Dai Zovi—fund two people, full-time for six months at $200 per hour, to develop the rootkit to a state of readiness.

"She says she'll have completed it enough to compete in conference by then," Lawson said to eWEEK in an interview. "For $416,000 she wants us to pay her to write a rootkit which we're confident we'll be able to detect. We spent one person-month coding the detector, and it will take her 16 times longer than it took us to write the detector, and we still believe we'll win."

"Nobody said that writing rootkits is an easy process," Rutkowska retorted in an e-mail exchange with eWEEK. "It is not, it requires time to make a rootkit something more than a prototype."

By asking for more time, money and resources to make the rootkit undetectable, Ptacek said, Rutkowska, who has recently founded Invisible Things Lab in Warsaw, Poland, has conceded that it can indeed be detected.

"In her judgment, we are likely to be able to detect Blue Pill at Black Hat. We'd go a step further: We can detect arbitrary hypervisor rootkits, not just Blue Pill. But on the topic of Joanna's Blue Pill work, it appears that Matasano, Root Labs, Invisible Things Lab and Symantec agree. It's detectable," he said.

Rutkowska said in her posting that what she has right now is a prototype that would require $384,000 to turn into something "hard to detect."

"Overtly implying that what she has now ISN'T hard to detect," Ptacek said in an e-mail exchange. "It has cost us a month of spare time to get to the point where we can detect what Joanna has now. If it costs us a month to detect the $400,000 commercial-grade Blue Pill, that's a 16-to-1 advantage we apparently hold. The new name of this story is how to lose an arms race."

"Ptacek is free to derive his own conclusions, but that will always be that—his interpretation of what I said," Rutkowska said in her e-mail exchange. "I really do not see how this debate leads anywhere. We will present our research and thoughts on the feasibility of detecting virtualization-based malware during our talk at Black Hat."

Besides, Rutkowska pointed out, raising the money required to "weaponize" Blue Pill shouldn't be much of a challenge, given the vendors that have hooked onto the virtualization market.

"If [Ptacek] indeed feels he's so right, he should not have much problems convincing some big companies to sponsor the contest—I can name at least several big companies that would be very interested in proving the virtualization-based malware is not a threat," she said.

Blue Pill was based on Rutkowska's work with Advanced Micro Devices' SVM/Pacifica virtualization technology.

Working independently but in parallel, Matasano's Dai Zovi also presented a hypervisor rootkit, "Vitriol," for Intel's VT-x extensions at Black Hat in 2006, at the same conference at which Rutkowska presented Blue Pill.

Lawson described the "undetectable" rootkit's fatal flaw this way:

A rootkit has to deal with a metric called cross-section, which is the amount of a given system that a rootkit has to emulate or hide from a detector technology so that the rootkit can remain invisible. For example, a rootkit that was just a single byte modified in an obscure part of a system is much harder to detect than a complex program with millions of lines of code that hooks into the system all over the place.

The simplest rootkit will install a script, or patch a Web server, or a kernel, or BIOS or firmware—all different layers at which rootkits can be implemented.

The simpler the rootkit, the smaller the part of the system it will affect, and the smaller part of the system that it will then have to hide from, Lawson said.

The hypervisor level is the layer between the operating system and the hardware itself. Both Vitriol and Blue Pill installed at the hypervisor level. To stay invisible at the hypervisor level, a rootkit has to emulate all the underlying hardware while it goes about whatever mischief is its main purpose.

When it executes, the rootkit has to adjust timer values measured by the operating system, subtracting out the cycles it used to do its own work. That's just one small area of the work a hypervisor rootkit has to do to hide itself, Lawson said.
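The timer check that Lawson's point turns on, as an added example (not code from the page, from the challengers' detector or from Invisible Things Lab): it times an instruction the hypervisor must intercept against a pair of back-to-back TSC reads that never leave the guest, and flags the machine when the median cost of the trapped instruction is many times the baseline. CPUID is used as the trapped instruction; it is assumed intercepted (unconditional under Intel VT-x, configurable under AMD SVM). The function names, the 512-sample count and the ratio threshold of 20 are assumptions, and the threshold needs calibrating on a known-clean machine of the same CPU model.

```c
/* Added example: timing a trapped instruction to spot a hypervisor.
 * Not code from Matasano, Root Labs, Symantec or Invisible Things Lab. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n cycle counts. The median, not the mean, so that one
 * interrupt or cache miss during sampling cannot swamp the result. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    if (n == 0)
        return 0;
    uint64_t *buf = malloc(n * sizeof *buf);
    if (!buf)
        return 0;
    memcpy(buf, samples, n * sizeof *buf);
    qsort(buf, n, sizeof *buf, cmp_u64);
    uint64_t m = buf[n / 2];
    free(buf);
    return m;
}

/* Verdict, independent of how the samples were gathered: 1 if the trapped
 * instruction's median cost is at least ratio_threshold times the median
 * cost of the baseline (two adjacent TSC reads), else 0. */
int looks_virtualized(const uint64_t *trapped, const uint64_t *baseline,
                      size_t n, uint64_t ratio_threshold)
{
    uint64_t mt = median_cycles(trapped, n);
    uint64_t mb = median_cycles(baseline, n);
    if (mb == 0)
        mb = 1; /* guard against a TSC that did not advance */
    return (mt / mb) >= ratio_threshold;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>

#define SAMPLES 512
#define RATIO_THRESHOLD 20 /* assumption: calibrate on a known-clean machine */

/* Gather n timings of CPUID and n timings of an empty RDTSC pair.
 * CPUID exits to the hypervisor unconditionally under VT-x; under SVM
 * this assumes the rootkit has chosen to intercept it. RDTSC is not a
 * serializing instruction, so the numbers are noisy; the median absorbs that. */
void collect_samples(uint64_t *trapped, uint64_t *baseline, size_t n)
{
    unsigned a, b, c, d;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = __rdtsc();
        trapped[i] = t1 - t0;

        t0 = __rdtsc();
        t1 = __rdtsc();
        baseline[i] = t1 - t0;
    }
    (void)a; (void)b; (void)c; (void)d;
}

int main(void)
{
    static uint64_t trapped[SAMPLES], baseline[SAMPLES];
    collect_samples(trapped, baseline, SAMPLES);
    printf("median CPUID: %llu cycles, median RDTSC pair: %llu cycles -> %s\n",
           (unsigned long long)median_cycles(trapped, SAMPLES),
           (unsigned long long)median_cycles(baseline, SAMPLES),
           looks_virtualized(trapped, baseline, SAMPLES, RATIO_THRESHOLD)
               ? "hypervisor suspected" : "no hypervisor signal");
    return 0;
}
#else
int main(void)
{
    puts("sampling requires an x86 CPU; only the analysis functions were built");
    return 0;
}
#endif
```

Build with `gcc -O2` and run on x86; on other architectures only the analysis functions compile. The check is exactly what the paragraph says a hypervisor rootkit must defeat: if it rewinds the TSC by the cycles its exit handler consumed, the measured ratio drops back toward baseline, which is why a clock the hypervisor does not control is the harder one for it to fool.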

What makes Blue Pill even more unwieldy is that Rutkowska chose x86 hardware, which has a "huge" cross-section, Lawson said. Imagine how many different versions of AMD hardware, chip sets, PC manufacturers and other variables a rootkit has to contend with, and it begins to become clear that a rootkit author has similar problems as Microsoft does in dealing with hardware drivers.

Unfortunately for Blue Pill, it has to do more than function as a driver does; it has to function identically to the hardware drivers it's trying to emulate. Again, "[With] a large variety of hardware to emulate, it becomes [unwieldy]," Lawson said.

"The advantage is always fundamentally in the detector's hands. The system is already rigged from the beginning, because [Rutkowska] chose the hypervisor level for implementing her rootkit. She chose poorly because she chose a level so complex," he said.

The researchers' work has to date shown that hypervisor rootkits, as well as rootkits that target the equally complex layer of BIOS, are detectable. The group doesn't plan to turn the detector code they cooked up into a product, given that the only two rootkits known to work at these levels are proofs of concept, they said.

Instead, Ferrie, Ptacek and Lawson plan to get up on stage at Black Hat for free, Ptacek said. "And, for free, we're going to explain what we do to detect hypervisor malware. And, for free, we're going to show the code we use to do it."

None of this is meant to disparage Rutkowska's groundbreaking work, Ptacek emphasized. "I hope that I'm not coming across as disrespectful of Joanna. She's smarter than me, but wrong," he said.

If Rutkowska in fact manages to perfect her Blue Pill prototype before Black Hat, Ptacek said, the challenge is on. "We'd love it if she'd take us up on our challenge. If it takes longer, we're happy to do it some other time," he said.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.