- Blue Pill (malware)
Blue Pill is the codename for a controversial rootkit based on virtualization technology that targets Microsoft's Windows Vista operating system. Blue Pill uses AMD Pacifica virtualization technology, but reportedly could be ported to use Intel Vanderpool. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006.
Overview
According to the author, by using Pacifica, Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor with complete control of the computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable". Since virtualization is supposed to be undetectable to the host, the only way Blue Pill could be detected is if the virtualization itself is detectable, and thus flawed. [[http://www.eweek.com/article2/0,1895,1983037,00.asp 'Blue Pill' Prototype Creates 100% Undetectable Malware], Ryan Naraine, eWeek.com] This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability. [[http://securitywatch.eweek.com/rootkits/faceoff_amd_vs_joanna_rutkowsk.html Faceoff: AMD vs. Joanna Rutkowska], eWeek.com] Some other security researchers and journalists also dismissed the concept as inaccurate. [[http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html Debunking Blue Pill Myth], virtualization.info] [[http://weblog.infoworld.com/yager/archives/2006/06/blue_pill_is_an.html Blue Pill is an attention-whoring non-threat, period], Tom Yager, InfoWorld] For one thing, the x86 instruction set contains privileged instructions that cannot be virtualized. For another, "any" form of virtualization can be detected by a timing attack.
In 2007, a group of researchers led by Thomas Ptacek of Matasano Security challenged Rutkowska to put Blue Pill against their rootkit detector software at that year's Black Hat conference, [[http://blogs.zdnet.com/security/?p=334 Rutkowska faces ‘100% undetectable malware’ challenge], Ryan Naraine at zdnet.com] but the deal was deemed a no-go following Joanna's request for $384,000 in funding as a prerequisite for entering the competition. [[http://blogs.zdnet.com/security/?p=340 Blue Pill hacker challenge update: It’s a no-go], Ryan Naraine at zdnet.com] Rutkowska and Alexander Tereshkin countered detractors' claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate. [[http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html Showdown at the Blue Pill Corral]] [[http://www.darkreading.com/document.asp?doc_id=130663 Blue Pill Gets a Refill]] The source code for Blue Pill has since been made public. [[http://bluepillproject.org The Blue Pill Project]]
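The timing attack referred to above, as an added example that is not part of the original article, the Blue Pill project or Rutkowska's work: it times CPUID, which every AMD SVM / Intel VT-x hypervisor must intercept, against a register operation that never traps, and flags an abnormal cost ratio. SAMPLES and RATIO_THRESHOLD are constructed assumptions to be calibrated on known hardware.

```c
/* Timing check for a trapping hypervisor. Added example, not Blue Pill's or
 * Rutkowska's code. Assumes x86: CPUID always causes a VM exit under AMD SVM /
 * Intel VT-x, so its latency jumps under a hypervisor; a plain XOR does not. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define SAMPLES 256
#define RATIO_THRESHOLD 10 /* constructed heuristic; calibrate on known hardware */

/* Decision logic kept pure so it can be tested without timing hardware. */
int looks_virtualized(uint64_t baseline_cycles, uint64_t cpuid_cycles) {
    if (baseline_cycles == 0) baseline_cycles = 1;
    return cpuid_cycles / baseline_cycles >= RATIO_THRESHOLD;
}

#if defined(__x86_64__) || defined(__i386__)
static inline uint64_t rdtsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
static void cpuid_leaf0(void) { /* unconditionally intercepted by the VMM */
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)b; (void)c; (void)d;
}
static void baseline_op(void) { __asm__ __volatile__("xor %%eax, %%eax" ::: "eax"); }
static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median of SAMPLES runs: the median resists interrupt-induced outliers. */
static uint64_t median_cycles(void (*op)(void)) {
    uint64_t t[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) { uint64_t s = rdtsc(); op(); t[i] = rdtsc() - s; }
    qsort(t, SAMPLES, sizeof t[0], cmp_u64);
    return t[SAMPLES / 2];
}
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint64_t b = median_cycles(baseline_op), c = median_cycles(cpuid_leaf0);
    printf("baseline %" PRIu64 " cycles, cpuid %" PRIu64 " cycles: %s\n", b, c,
           looks_virtualized(b, c) ? "trap latency suggests a hypervisor"
                                   : "no timing anomaly (not proof of absence)");
#else
    puts("x86 only");
#endif
    return 0;
}
```

A hypervisor that also intercepts RDTSC or offsets the time-stamp counter can mask the gap, which is why a clean result here is inconclusive and why the detection-versus-evasion dispute described above remained open.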
Trivia
The name "Blue Pill" is a reference to the blue pill from the "Matrix" film trilogy.
See also
* Red Pill - a technique to detect the presence of a virtual machine, also developed by Joanna Rutkowska. [http://invisiblethings.org/papers/redpill.html]
References
External links
* [http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html Introducing the Blue Pill by Joanna Rutkowska]
* [http://www.internetnews.com/security/article.php/3624861 InternetNews - Blackhat takes Vista to Task]
* [http://www.businessweek.com/technology/content/aug2006/tc20060810_203122.htm?chan=top+news_top+news Heading Off the Hackers] - Business Week, August 10, 2006
* [http://www.grc.com/securitynow.htm Blue Pill], Episode 54 of the Security Now podcast
* [http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf Black Hat 2006 Presentation]
* [http://bluepillproject.org/ Source code]
* [http://northsecuritylabs.blogspot.com/2008/06/catching-blue-pill.html Detecting and Blocking Blue Pill, Vitriol etc]
Wikimedia Foundation. 2010.