Malware researcher developing stronger Blue Pill
Hijack software takes better advantage of Vista virtualization
IDG News Service - The researcher who developed Blue Pill, an attempt at developing undetectable malware for computers running Microsoft Corp.'s Windows Vista operating system, is working on a stealthier version that could be finished within the next few months.
Polish malware specialist Joanna Rutkowska, who works as a senior researcher at Singapore's Computer Security Initiative Consultancy Pte. Ltd. (COSEINC), unveiled a prototype of Blue Pill earlier this year. "Blue Pill is about hijacking an operating system, moving into a virtual machine and taking control of it," she said during an interview at the Hack in the Box Security Conference (HITB) in Kuala Lumpur, Malaysia.
Blue Pill works by taking advantage of hardware virtualization technology in processors from Advanced Micro Devices Inc. and Intel Corp. Virtualization allows computers to simultaneously run multiple operating systems and applications in separate partitions. "Using this virtualization technology should allow us to develop malware that is 100% undetectable," Rutkowska said.
The Blue Pill prototype demonstrated earlier this year came close to achieving this goal, but timing how long a computer takes to complete a given operation can theoretically be used to detect whether or not Blue Pill is running on a computer, Rutkowska said. She is now working on a new version of Blue Pill that is not detectable using this method.
Whether or not timing analysis is a purely theoretical means of detecting Blue Pill has been debated within the security community, with some arguing that this method of detection is easy to implement. Rutkowska is not so sure. "You have to have a trusted time source. But you cannot rely on your internal clock because that can be subverted by Blue Pill," she said, adding that other timing methods are also vulnerable to manipulation.
One way to defend against Blue Pill is to disable the virtualization capability in the processors, but that makes no sense. "People spent years developing those new processors with virtualization, and now you buy those new processors just to disable the virtualization, right? Where's the logic?" she asked.
A more practical defense is for Microsoft to disable the paging of kernel memory in Vista, which means loading the kernel code and drivers, approximately 80MB of data, into main memory. This would prevent Blue Bill from accessing the kernel and executing code. "Who cares about 80MB? That's why I'm so surprised that even though I showed this attack at the end of July at the SysCan conference, it still hasn't been fixed in RC1," Rutkowska said, referring to the latest preproduction version of Vista.
In response, a Microsoft security specialist said the company is continuing to work on improving the security of Vista RC1 before the production version is shipped to customers. "There's still a few months before the final [version] does get released," said Mike Reavey, the operations manager at Microsoft's Security Response Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The Threat Landscape Hardly a day goes by without the discovery of a new cyberthreat somewhere in the world! But how do you keep up with...
- Security for Virtualization In the rush to implement virtualization, security has become second. So while the business benefits are clear, the risks are less well documented...
- Is Your Big Data Solution Production-Ready? Read "Is Your Big Data Solution Production-Ready?" now, and discover best practices and actionable steps to implementing a production-ready big data solution.
- Pay-as-you-Grow Data Protection: IBM Tivoli's Full-featured Data Protection Suite for Small to Medium Businesses IBM Tivoli Storage Manager Suite for Unified Recovery gives small and medium businesses the opportunity to start out with only the individual solutions...
- Webinar: Building a Big Data solution that's production-ready Big data solutions are no longer just a nice-to-have.
- Meg Whitman presents Unlocking IT with Big Data During this Web Event you will hear Meg Whitman, President and CEO, HP discuss HAVEn - the #1 Big Data platform, as well... All Malware and Vulnerabilities White Papers | Webcasts