Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game

Updated: The Blue Pill creator shrugs off her challengers' claims of being able to detect her virtualized rootkit.

LAS VEGAS—When it comes to rootkits, nothing's undetectable, and much less so a virtualized rootkit. Or is it?

At Black Hat here Aug. 1, a group of researchers including Symantec's Peter Ferrie, Nate Lawson and Matasano's Thomas Ptacek launched what they hoped would be a full-body tackle of Joanna Rutkowska's "100% Undetectable" Blue Pill virtualized rootkit, which Rutkowska launched a year ago at the conference.

In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to use counters that are external to a system to detect a virtualized rootkit's pull on CPU resources or other telltale footprints. It's got to be an external counter, given that a virtualized rootkit sits at the hypervisor level between the hardware and operating system and controls direct measurements—i.e., those internal to a system.
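To make the "external counter" point concrete, here is an added toy model; it is not code from the article, from Rutkowska, or from the Ptacek/Lawson/Ferrie team. It assumes a constructed cost for a sensitive instruction, a constructed cost for the trap into a thin hypervisor and back, and a detection threshold between them; the names `Machine`, `BluePilledMachine`, `measure` and `looks_virtualized` are mine. The hypervisor-side behaviour it models (hiding the trap's cost from the guest-visible cycle counter) is the TSC offsetting that hardware virtualization extensions provide; it is included only so the detector's blind spot is visible.

```python
"""Added illustration (not from the article, Rutkowska or her challengers):
why a timing check for a thin hypervisor needs a clock the hypervisor cannot
adjust. All cycle counts below are constructed."""

from dataclasses import dataclass

NATIVE_COST = 100         # constructed: cycles a sensitive instruction costs on bare metal
VM_EXIT_OVERHEAD = 2_000  # constructed: extra cycles for a trap into the hypervisor and back
THRESHOLD = 500           # constructed: average cost above which the check reports "virtualized"


@dataclass
class Machine:
    """Bare metal. The guest-readable cycle counter and an outside reference
    clock (think: a second host watching over the network) always agree."""
    tsc: int = 0       # counter the guest reads itself, like RDTSC
    external: int = 0  # clock outside the box; the guest cannot alter it

    def sensitive_instruction(self) -> None:
        self.tsc += NATIVE_COST
        self.external += NATIVE_COST


@dataclass
class BluePilledMachine(Machine):
    """Same box with a thin hypervisor underneath. It traps the instruction,
    handles it, and rewinds the guest-visible counter by the time the trap
    took, so the guest's own measurement sees only the native cost. The
    external clock still records the full round trip."""
    hidden_cycles: int = 0  # cycles the hypervisor has hidden from the guest's view

    def sensitive_instruction(self) -> None:
        self.external += NATIVE_COST + VM_EXIT_OVERHEAD  # real elapsed time
        self.tsc += NATIVE_COST                          # guest sees only the native cost
        self.hidden_cycles += VM_EXIT_OVERHEAD


def measure(machine: Machine, clock: str, iterations: int = 1000) -> float:
    """Average cost of the sensitive instruction as seen by the named clock
    ("tsc" = internal counter, "external" = reference clock outside the box)."""
    start = getattr(machine, clock)
    for _ in range(iterations):
        machine.sensitive_instruction()
    return (getattr(machine, clock) - start) / iterations


def looks_virtualized(machine: Machine, clock: str) -> bool:
    """The timing check: does the instruction cost more than bare metal should?"""
    return measure(machine, clock) > THRESHOLD


if __name__ == "__main__":
    for label, box in (("bare metal", Machine()), ("blue pilled", BluePilledMachine())):
        for clock in ("tsc", "external"):
            print(f"{label:11} via {clock:8}: virtualized={looks_virtualized(box, clock)}")
```

Run against the internal counter, the check reports the Blue Pilled box as clean, because the hypervisor controls what that counter shows; only the external clock exposes the extra cycles per instruction. The model also shows why the check is not free: every measurement is a loop of trapped instructions, which is the CPU cost the article returns to below.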

The only problem is, by day's end, Rutkowska revealed that the methods simply don't work as advertised. Rutkowska has tested, if not the exact code for her challengers' detection technologies (due to be released any time now), then at least "the exact methods [as] *presented* and *described* by my challengers," she said in an e-mail exchange with eWEEK. The methods as described by her challengers include, for example, a method called TLB profiling. And, given that the Ptacek/Lawson/Ferrie team didn't mention anything about the problem with the methods she went on to describe in her talk, she's "pretty sure they didn't know about them," she said.

"One needs to use special effort (which means additional complexity) to make sure to, e.g., fill the whole TLB L2 buffer," Rutkowska said in her blog, describing just one shortcoming she found (and fixed, incidentally) in the virtualization detection methods.

Even more to the point, Rutkowska said, her challengers' ability to detect virtualization is an entirely separate thing from detecting malware that uses virtualization, as does Blue Pill.

"As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, no matter whether Blue Pilled or not," she said. "In that case … it's actually expected that virtualization is being used for some legitimate purposes. In that case using a Blue Pill detector, that in fact is just a generic virtualization detector, is completely pointless."

In her presentation, "IsGameOver(), anyone?" Rutkowska refuted Matasano's and Symantec's ability to detect Blue Pill and described ways to run away when somebody's trying to track the rootkit using timing determination.

First, Rutkowska outlined the Blue Chicken defense. This technique involves running away when timing determination occurs. Because the hypervisor sits in the middle, emulating a system, it has the ability to determine if somebody's trying to do a timing attack on the rootkit. In that case, she removes the hypervisor.

Of course, she said, even though she can determine when a timing attack against the rootkit is happening, it's not always possible to tell when the timing attack has stopped. But she can always wait it out. After all, timing attacks have one fatal flaw: They suck up CPU like mad—up to 50 percent of CPU time. That means that while you can sometimes run detection, you sure can't run it all the time. It's just too processor-intensive.

In her rebuttal, Rutkowska also detailed her work to implement the Blue Pill detection systems outlined by Matasano.

Danny Allan, director of security research at Web application security company Watchfire, in Waltham, Mass., said in an interview with eWEEK after Rutkowska's talk that she had made it clear that the people who claimed to have discovered Blue Pill hadn't actually tested their own methods. She tried them. They didn't work.

How does a system get Blue Pilled? As Rutkowska told eWEEK last year, the idea is simple: "Your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly [i.e., without restarting the system] and there is no performance penalty." Blue Pill doesn't rely on any bug pertaining to the underlying operating system. The original working prototype was implemented for Vista x64, but she saw "no reasons why it should not be possible to port it to other operating systems, like Linux or BSD, which can be run on x64 platform."


Now, a year later, Rutkowska described how Blue Pill can get onto systems via either vulnerable drivers—and there is no shortage of those—or maliciously crafted drivers.

In fact, she tested her assumption that it would be easy to register a malicious driver. It took her 2 hours and $250. If she were a black hat up to no good, she said, she'd post the compromised driver on her site. It wouldn't have to be a popular download, she said—as long as it's digitally signed, once the code lands on a machine, Vista will automatically install it.
