LAS VEGAS—When it comes to rootkits, nothings undetectable, and much less so a virtualized rootkit. Or is it?
At Black Hat here Aug. 1, a group of researchers including Symantecs Peter Ferrie, Nate Lawson and Matasanos Thomas Ptacek launched what they hoped would be a full-body tackle of Joanna Rutkowskas “100% Undetectable” Blue Pill virtualized rootkit, which Rutkowska launched a year ago at the conference.
In their presentation, titled “Dont Tell Joanna, The Virtualized Rootkit Is Dead,” the researchers detailed how to use counters that are external to a system to detect a virtualized rootkits pull on CPU resources or other telltale footprints. Its got to be an external counter, given that a virtualized rootkit sits at the hypervisor level between the hardware and operating system and controls direct measurements—i.e., those internal to a system.
The only problem is, by days end, Rutkowska revealed that the methods simply dont work as advertised. Rutkowska has tested, if not the exact code for her challengers detection technologies (due to be released any time now), then at least “the exact methods [as] *presented and *described* by my challengers,” she said in an e-mail exchange with eWEEK. The methods as described by her challengers include, for example, a method called TLB profiling. And, given that the Ptacek/Lawson/Ferrie team didnt mention anything about the problem with the methods she went on to describe in her talk, shes “pretty sure they didnt know about them,” she said.
“One needs to use special effort (which means additional complexity) to make sure to, e.g., fill the whole TLB L2 buffer,” Rutkowska said in her blog, describing just one shortcoming she found (and fixed, incidentally) in the virtualization detection methods.
Even more to the point, Rutkowska said, her challengers ability to detect virtualization is an entirely separate thing from detecting malware that uses virtualization, as does Blue Pill.
“As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, no matter whether Blue Pilled or not,” she said. “In that case … its actually expected that virtualization is being used for some legitimate purposes. In that case using a Blue Pill detector, that in fact is just a generic virtualization detector, is completely pointless.”
In her presentation, “IsGameOver(), anyone?” Rutkowska refuted Matasanos, Symantecs ability to detect Blue Pill and described ways to run away when somebodys trying to track the rootkit using timing determination.
First, Rutkowska outlined the Blue Chicken defense. This technique involves running away when timing determination occurs. Because the hypervisor sits in the middle, emulating a system, it has the ability to determine if somebodys trying to do a timing attack on the rootkit. In that case, she removes the hypervisor.
Of course, she said, even though she can determine when a timing attack against the rootkit is happening, its not always possible to tell when the timing attack has stopped. But she can always wait it out. After all, timing attacks have one fatal flaw: They suck up CPU like mad—up to 50 percent of CPU time. That means that while you can sometimes run detection, you sure cant run it all the time. Its just too processor-intensive.
In her rebuttal, Rutkowska also detailed her work to implement the Blue Pill detection systems outlined by Matasano.
Danny Allan, director of security research at Web application security company Watchfire, in Waltham, Mass., said in an interview with eWEEK after Rutkowskas talk that she had made it clear that the people who claimed to have discovered Blue Pill hadnt actually tested their own methods. She tried them. They didnt work.
How does a system get Blue Pilled? As Rutkowska told eWEEK last year, the idea is simple: “Your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly [i.e., without restarting the system] and there is no performance penalty.” Blue Pill doesnt rely on any bug pertaining to the underlying operating system. The original working prototype was implemented for Vista x64, but she saw “no reasons why it should not be possible to port it to other operating systems, like Linux or BSD, which can be run on x64 platform.”
Now, a year later, Rutkowska described how Blue Pill can get onto systems via either vulnerable drivers—and there is no shortage of those—or maliciously crafted drivers.
In fact, she tested her assumption that it would be easy to register a malicious driver. It took her 2 hours and $250. If she were a black hat up to no good, she said, shed post the compromised driver on her site. It wouldnt have to be a popular download, she said—as long as its digitally signed, once the code lands on a machine, Vista will automatically install it.
Rebuilding Blue Pill
Rutkowska has rebuilt Blue Pill from the ground up since she unveiled it one year ago. One new aspect of the Blue Pill update is the ability to nest simulated environments. This addresses one obvious detection technique: To ferret out a virtualized rootkit, create a simulated environment that the rootkit then has to simulate—a simulation within a simulation, in other words. The problem with creating nesting simulations is that they crash the system.
“If I have been Blue Pilled, I would try to create a simulated environment myself, not knowing Im already in a simulated environment,” Allan said. “It wouldnt work, and youd crash, and that tells you youve been Blue Pilled.”
To get around that, Rutkowska has boosted Blue Pills scalability with regards to nesting simulations and has at this point jacked its capability up to 20 nested simulations.
Blue Pills tough to beat. Its tough to detect. And one problem with the requirements for detecting a virtualized rootkit, Allan said, is you need a detection strategy thats very sophisticated and very environment-specific. Unfortunately, processors arent static. They implement things differently and change over time. When that inevitably happens, out goes your environmentally specific virtualized rootkit detection.
This is all futuristic at this point. Blue Pill is an attack thats ahead of its time. No real-world attacks have been detected. However, once Vista is more widely adopted, Blue Pill will have its day in the sun. Already, Allan said hes seen the rootkit technology being discussed on underground malware authors sites.
Thats changing, though, Allan said, with virtualization headed toward ubiquity. “I think well see virtualization required in the future; used all the time. Its [already] used in legitimate software, as a feature to do something or other. Its used more and more in hardware and in different components.”
There are lots of benefits to that, Allan said. Virtualization allows you to run processes in a controlled, sandboxed environment—something you might do as a security feature.
Still, Blue Pill is an esoteric bon-bon; its an extremely sophisticated attack vector.
But will it become attractive in the future? Yes, given its benefits. Its similar to buffer overflows in the network world, Allan said. Overflows are difficult to find, but the outcome is very powerful. Similarly, Blue Pill is sophisticated and tough to use, but the outcome of its use is attractive, given that it allows compromise of a machine without the users knowledge.
Should Rutkowska ever have cracked open this Pandoras box, given that theres nothing to be done to protect systems from Blue Pill at this point?
Yes. As Allan said, if the researchers dont release the details, and if they dont get together and talk about them in venues like Black Hat, those with malice in mind will find them first.
Indeed, Blue Pill is a good example of very good disclosure, Allan said. Rutkowska has delivered the details of an entirely futuristic rootkit, arguably far ahead of the time when it will be relevant—particularly when Vista sees widespread adoption and exploitation makes fiscal sense. The far-sighted disclosure she pursues allows researchers to build defenses before seeing exploits in the wild.
Editors Note: This story was updated to clarify the nature of the virtualization detection methodologies tested by Rutkowska as opposed to described by Ptacek/Lawson/Ferrie, and to correct the omission of Peter Ferrie from the group of researchers challenging the notion of 100% undetectable virtualized rootkits.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.