Blue Pill (malware)

Blue Pill is the codename for a controversial rootkit based on virtualization technology that targets Microsoft's Windows Vista operating system. Blue Pill uses AMD Pacifica virtualization technology, but reportedly could be ported to use Intel Vanderpool. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006.

Overview

According to the author, by using Pacifica, Blue Pill would be able to trap a running instance of the operating system into a virtual machine and would then act as a hypervisor with complete control of the computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable". Since virtualization is supposed to be undetectable to the host, the only way Blue Pill could be detected is if the virtualization itself is detectable, and thus flawed. ([http://www.eweek.com/article2/0,1895,1983037,00.asp 'Blue Pill' Prototype Creates 100% Undetectable Malware], Ryan Naraine, eWeek.com)

This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability. ([http://securitywatch.eweek.com/rootkits/faceoff_amd_vs_joanna_rutkowsk.html Faceoff: AMD vs. Joanna Rutkowska], eWeek.com) Some other security researchers and journalists also dismissed the concept as inaccurate. ([http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html Debunking Blue Pill Myth], virtualization.info; [http://weblog.infoworld.com/yager/archives/2006/06/blue_pill_is_an.html Blue Pill is an attention-whoring non-threat, period], Tom Yager, InfoWorld) For one thing, the x86 instruction set contains privileged instructions that cannot be virtualized. For another, "any" form of virtualization can be detected by a timing attack.
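The timing argument in the paragraph above, as an added example in C (not code from this page, from Rutkowska or from the Blue Pill project): under AMD SVM and Intel VT-x the CPUID instruction always causes a VM exit, so a hypervisor silently hosting the OS has to intercept it and pay a round trip that a natively executed CPUID does not. The probe times CPUID with RDTSC, times a cheap reference instruction the same way, and flags a large ratio between the two medians. The sample count, the 10x threshold and the constructed cycle values are assumptions chosen for illustration.

```c
/* Added example (not Blue Pill code, not from the Blue Pill project):
 * a timing probe for an unexpected hypervisor. Under AMD SVM and Intel VT-x
 * the CPUID instruction always causes a VM exit, so a hypervisor silently
 * hosting the OS must intercept it and pay a round trip of hundreds to
 * thousands of cycles, while a cheap reference instruction is never
 * intercepted. We compare the median cost of the two, measured with RDTSC.
 * SAMPLES and RATIO_THRESHOLD are assumptions chosen for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

#define SAMPLES 256           /* assumption: enough repetitions for a stable median */
#define RATIO_THRESHOLD 10.0  /* assumption: CPUID more than 10x the baseline is suspicious */

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n cycle counts; the caller's array is left untouched. 0 if n == 0. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (copy == NULL) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* 1 if the trapped instruction costs more than RATIO_THRESHOLD times the baseline.
 * A zero baseline means the measurement is unusable, so no conclusion is drawn. */
int ratio_is_suspicious(uint64_t trapped_median, uint64_t baseline_median) {
    if (baseline_median == 0) return 0;
    return (double)trapped_median / (double)baseline_median > RATIO_THRESHOLD;
}

/* Verdict over two sample sets: medians first, so outliers caused by
 * interrupts and context switches do not dominate. */
int hypervisor_suspected(const uint64_t *cpuid_samples, const uint64_t *baseline_samples, size_t n) {
    return ratio_is_suspicious(median_u64(cpuid_samples, n), median_u64(baseline_samples, n));
}

#if HAVE_X86_TIMING
static uint64_t time_cpuid(void) {
    unsigned a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);   /* leaf 0 (vendor string): always exits under SVM/VT-x */
    uint64_t end = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return end - start;
}

static uint64_t time_baseline(void) {
    volatile unsigned sink = 0;
    uint64_t start = __rdtsc();
    sink += 1;                /* a plain memory update: never intercepted */
    uint64_t end = __rdtsc();
    return end - start;
}
#endif

/* Fills both arrays with n interleaved measurements. Returns 1 on success,
 * 0 when built for a non-x86 target where the probe does not exist. */
int collect_timings(uint64_t *cpuid_samples, uint64_t *baseline_samples, size_t n) {
#if HAVE_X86_TIMING
    for (size_t i = 0; i < n; i++) {
        cpuid_samples[i] = time_cpuid();
        baseline_samples[i] = time_baseline();
    }
    return 1;
#else
    (void)cpuid_samples; (void)baseline_samples; (void)n;
    return 0;
#endif
}

/* Constructed sample sets, in cycles, for an offline walk-through of the verdict. */
const uint64_t kTrappedCpuid[5] = {1500, 1600, 1400, 1550, 1650}; /* constructed: VM-exit-like cost */
const uint64_t kNativeCpuid[5]  = {120, 130, 110, 125, 115};       /* constructed: native-like cost */
const uint64_t kBaseline[5]     = {40, 42, 38, 41, 39};            /* constructed: reference cost */

int main(void) {
    uint64_t cpuid_cycles[SAMPLES], baseline_cycles[SAMPLES];
    if (!collect_timings(cpuid_cycles, baseline_cycles, SAMPLES)) {
        puts("not an x86 build: live probe unavailable");
        return 0;
    }
    uint64_t mc = median_u64(cpuid_cycles, SAMPLES);
    uint64_t mb = median_u64(baseline_cycles, SAMPLES);
    printf("median CPUID: %llu cycles, median baseline: %llu cycles -> %s\n",
           (unsigned long long)mc, (unsigned long long)mb,
           hypervisor_suspected(cpuid_cycles, baseline_cycles, SAMPLES)
               ? "hypervisor suspected" : "no hypervisor indicated");
    return 0;
}
```

Two caveats a practitioner would attach to this probe. First, it only indicates that some hypervisor is present, not which one, so on a machine that legitimately runs under a VMM it says nothing about Blue Pill. Second, both SVM and VT-x let the hypervisor offset or intercept the time stamp counter, so a hypervisor that controls the clock the probe reads can mask the gap; an external clock (a reference from another machine, or many runs compared against a known-clean baseline of the same hardware) is the more robust comparison, which is part of why the page reports the detectability question as disputed rather than settled.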

In 2007, a group of researchers led by Thomas Ptacek of Matasano Security challenged Rutkowska to put Blue Pill against their rootkit detector software at that year's Black Hat conference ([http://blogs.zdnet.com/security/?p=334 Rutkowska faces ‘100% undetectable malware’ challenge], Ryan Naraine at zdnet.com), but the deal was deemed a no-go following Joanna's request for $384,000 in funding as a prerequisite for entering the competition. ([http://blogs.zdnet.com/security/?p=340 Blue Pill hacker challenge update: It’s a no-go], Ryan Naraine at zdnet.com) Rutkowska and Alexander Tereshkin countered detractors' claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate. ([http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html Showdown at the Blue Pill Corral]; [http://www.darkreading.com/document.asp?doc_id=130663 Blue Pill Gets a Refill])

The source code for Blue Pill has since been made public. ([http://bluepillproject.org The Blue Pill Project])

Trivia

The name "Blue Pill" is a reference to the blue pill from the "Matrix" film trilogy.

See also

* Red Pill - a technique, also developed by Joanna Rutkowska, to detect the presence of a virtual machine. [http://invisiblethings.org/papers/redpill.html]

External links

* [http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html Introducing the Blue Pill by Joanna Rutkowska]
* [http://www.internetnews.com/security/article.php/3624861 InternetNews - Blackhat takes Vista to Task]
* [http://www.businessweek.com/technology/content/aug2006/tc20060810_203122.htm?chan=top+news_top+news Heading Off the Hackers] - Business Week, August 10, 2006
* [http://www.grc.com/securitynow.htm Blue Pill], Episode 54 of the Security Now Podcast
* [http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf Black Hat 2006 Presentation]
* [http://bluepillproject.org/ Source code]
* [http://northsecuritylabs.blogspot.com/2008/06/catching-blue-pill.html Detecting and Blocking Blue Pill, Vitriol etc]


Wikimedia Foundation. 2010.
