Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMD's SVM/Pacifica virtualization technology to create “100 percent undetectable malware.”
In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.
For the benefit of readers who may not have heard about you, can you introduce yourself?
I'm a security researcher focusing on stealth technology and system compromise detection. This includes topics like kernel rootkits, stealth malware and covert network communications. I currently work for COSEINC, a Singapore-based IT security company. I live in Warsaw, Poland.
At what age did you get your first computer? Can you describe it?
I think I was 11 when the first computer appeared at my home. It was the PC AT-286, 2MB of RAM and 40MB of hard disk, and it ran with blazing speed of about 16 MHz, if I remember correctly. Actually, that was a high-end machine in those days (beginning of 1990s). However, because of the poor graphics capabilities (Hercules card), I couldn't run most of the games on that computer, so, very quickly, I started my adventures with programming, first with BASIC.
What prompted your interest in computer security?
I have always been interested in how things work. So, when I started programming, I naturally became interested in how the operating system worked. I started learning x86 assembler (on MS-DOS back in those days) and got involved in virus research. Then, for a few years, I broke off from security, focusing on stuff like math and Artificial Intelligence. Then I became interested in networking, Linux and system programming and that eventually brought me back into security, this time focusing on exploit development for Linux x86 and then Win32.
After some time, I gravitated toward the what-to-do-after-successful-exploitation field (kernel backdoors, rootkits, covert channels, etc.) and how to defend against it. But I must say that I have always considered exploit-writing as a very sophisticated art, and I have always had lots of respect for people who could create reliable, “offset-independent” exploits. They're very aesthetically pleasing.
On your primary machine, what OS is running? What kinds of security software are you using?
On my primary machine, I run Windows XP x64. I don't use any anti-virus products to secure any of my machines. The reason—I just don't like their approach, which is to block only known malware. Needless to say, I also don't believe in all those AI-based Host Intrusion Detection Systems to stop the unknown attack vectors. So, I just try to be careful when surfing, use NoScript, never open suspicious e-mails or PowerPoint/PDF documents…
Of course, I'm still aware that it's not enough, as somebody can embed a very reliable and “silent” zero-day exploit for my .TXT editor in some README file. Or that they can find a bug in my Wi-Fi driver. Or an attacker can inject an exploit for my browser after setting up a man-in-the-middle attack in a hotspot at the airport.
So, from time to time, I might run some custom tools of mine to check the integrity of my system or start Wireshark to see what my traffic looks like. In other words, I'm not very satisfied with the existing commercial solutions, because I know how easy it is to create malware to bypass them all.
When/how was the first time you heard about rootkits?
As I said before, I was first focusing on exploit development and then started thinking about what to do after we got “the shell.” Of course, I was not the first one thinking about this, so I quickly came across various Linux-based rootkits, like Knark or Adore. I think that was at the end of the 1990s. Then I started thinking about how to generically detect those kinds of malware.
What is the value of creating an offensive rootkit? Doesn't it make it easier for the bad guys?
It's important to show that current anti-virus and specifically anti-rootkit solutions on the market are far from effective in preventing or detecting system compromises. In other words—to stimulate people to create better defensive solutions.
I don't believe that talking about new offensive technology should be considered as helping the bad guys. After all, it would be very strange if the particular attack was discovered by only one person/group on the planet. I certainly do not consider myself to be that exceptional.
What is your policy on disclosure? Do you publish details on flaws or release exploit code? Why/why not?
As I'm currently a full-time employee of COSEINC, I follow my company's policy on disclosure. In general, COSEINC is primarily interested in doing research which could be then used in protecting our customers. Of course, we also try to have some impact on improving security in general, so we try to share some of our research with the rest of the community by giving presentations at various security conferences.
As a rule, we do not publish exploit nor malware code, unless, of course, we decided that it's absolutely necessary to do so to force a vendor to fix a particular problem.
For example, we believe that there is no advantage in having the Blue Pill source code available to the public, as this, in no way, could be useful in creating an anti-Blue Pill solution (in contrast to what some people may think).
You've taken a keen interest recently in virtual machine-based rootkits. Is this a legitimate attack vector? Why?
Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.
To demonstrate how this virtualization technology could be abused today, I created Blue Pill—a little program which creates a hardware virtual machine and then moves the running native operating system (the system in which Blue Pill was started) into that virtual machine, while itself becoming a so-called hypervisor. This all happens on the fly (the whole operation takes much less than a millisecond) and the native operating system doesn't even realize that it has just been moved into a virtual machine.
Blue Pill and other malware of this kind could be prevented if the underlying operating system was aware of the virtualization technology and implemented its own hypervisor. Needless to say, implementing such a hypervisor is not a trivial task and, although it's expected that future systems will be doing that, I think we are two to three years away from seeing that.
I saw a rootkit expert (Greg Hoglund) say that a VM rootkit is nothing more than a lab toy and not a realistic threat. Is he wrong?
I thought Greg was referring to software virtualization-based rootkits, like SubVirt, which was created by people from Microsoft Research and the University of Michigan.
This is different from hardware virtualization-based rootkits like Blue Pill or Vitriol, which was created by Dino Dai Zovi from Matasano Security.
Frankly, I see no reason why Blue Pill-based malware couldn't be used in the wild to conduct real life attacks. Of course I don't expect this kind of malware to be used in worms, but rather in sophisticated targeted attacks. Furthermore, I think that we will have very serious problems with detecting it (provided it's implemented using strong covert channels). I'm betting that lots of security “experts” will come to the conclusion that such malware “does not exist in the wild” when in fact they'll be very much in use covertly.
What was the response of Microsoft to your pagefile attack against Windows Vista? Did anyone from Redmond contact you? Did you talk to them before going public?
We decided to disclose the details of the attack for the first time at the SyScan conference in Singapore (organized by COSEINC) at the end of July. We felt that there was no need to contact the software vendor (who is not our client) before that, as the problem applied to beta software and also the attack itself required that the attacker gained administrative rights already.
During my presentation about the (Vista) pagefile attack, I discussed three possible solutions. And I actually pointed out that one of those solutions—blocking usermode applications from accessing raw disk sectors—is actually not a good move, and I explained why I thought so. I only gave that as a possible solution in the interest of completeness.
To my surprise, in the recent Vista RC2 released a few weeks ago, I noticed that Microsoft actually implemented this very solution that I didn't recommend, which, in my opinion, only solves the problem temporarily.
Have you had any discussions with AMD about Blue Pill? How would you recommend securing a system from that type of attack?
AMD has never contacted me to discuss Blue Pill, and, as far as I know, they have also never contacted anyone from COSEINC.
Regarding prevention, one obvious way is to be able to disable virtualization, in BIOS for example, but unfortunately in the hardware we have today, there is no such option. I heard, though, that the possibility exists on Intel-based platforms.
Another approach, as I mentioned above, is to have a hypervisor built into the operating system. Such a hypervisor would be able to prevent installation of another one (e.g. Blue Pill).
However, there are several problems with implementing this. Would it be possible for a third-party application like VMWare to make use of the hardware virtualization for its own purposes? If yes, then what would be the policy to distinguish between a legal application wanting to install its hypervisor versus a malicious program, like Blue Pill? If not, would that mean that all future hardware-based VMMs, like VMWare, would have to ship with their own custom operating system and that we will not be able to use them as an application?
Also, we would have to be careful when protecting such OS-provided hypervisors, and this is impossible without several technologies, like TPM or DMA protection (DEV on AMD).
So, it seems to me that to implement a foolproof protection against hardware virtualization-based malware, we need at least two to three years.
Scanners and Tools
Have you tested the rootkit scanners/security tools out there today? Is there one you would recommend as reliable?
As I said earlier, I'm not very impressed with existing anti-virus solutions, especially for the Windows platform. They all concentrate on finding “the bad” instead of verifying that the system is in a “good” shape.
So, we can see very sophisticated technology employed by anti-virus products to handle various .exe-packers and decide whether the .exe file in question is “good” or “bad.”
Similarly, we see that most of the rootkit scanners implement various hacks to detect hidden objects, like hidden processes, forgetting that it's possible to create a powerful stealth malware without even creating a process. There's no need to hide anything. I actually demonstrated a “stealth-by-design” malware almost a year ago.
The solution that I would love to have would be based on integrity checking of all the system components, starting from the filesystem (digitally signed files), through verifying that all code sections in memory haven't been modified (something I partly implemented in my SVV scanner) and finally checking all the possible “dynamic hooking places” in kernel data sections.
The latter is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.
In other words, there is only a finite number of “ways” to write Type II malware of any specific kind (e.g. a keystroke logger).
Type II malware can be thought of as a malware which doesn't modify any code sections in memory, just data sections (thus it's so difficult to detect). Needless to say, Type II malware does exist in the wild.
Unfortunately, even if we create an integrity-based scanner and made it 100 percent complete and we identify all those dynamic hooking places used by Type II malware, there would still be malware which we won't be able to detect.
This is something I call a Type III malware, and Blue Pill is an example of it. The whole point about Blue Pill is that it does not introduce even a single byte modification into kernel, or other processes memory. So, no matter how sophisticated (complete) our integrity checker is, we would never detect it. We can only count on detecting some side effects, like network communication or trying to detect the presence of a hypervisor using a timing analysis.
Both of those things could be effectively prevented in practice, by using strong covert channels and other tricks. But still, it's better in my opinion to have a good integrity-based scanner, even if it's not capable of detecting Type III malware, rather than having a classic anti-virus product which only tries to find the known “bad things.”
Why should we be worried about stealth malware? Do you see this as a big trend going forward?
Stealth malware is a way to silently subvert the operating system, so that it can't be trusted anymore. And the point here is that, in an ideal situation (from a malware author's point of view), nobody is able to tell whether the system has been compromised or not.
Personally, I think it's mostly irrelevant to discuss whether this is going to be a big trend or not. It's not about whether 100 companies or 100,000 companies are going to be infected next year using targeted, sophisticated attacks using “Stealth by Design” malware (i.e. one which does not create extra system objects) of Type II or Type III. It's about whether we would be aware of those infections at all. We already know it's possible to create such a malware, so we need to do something about it.