
August 2nd, 2007

Blue Pill Project extends VM rootkit cat-and-mouse tussle

Posted by Ryan Naraine @ 11:11 am


LAS VEGAS - The intellectual cat-and-mouse tussle over hiding and finding virtual machine rootkits has hit a new gear with a team of researchers dismissing the notion of “100 percent undetectable” malware and the release of source code for a new “Blue Pill” rootkit.

As previously reported, Thomas Ptacek, co-founder of Matasano Security, Nate Lawson of Root Labs, Symantec’s Peter Ferrie and indie researcher Dino Dai Zovi gave a standing-room-only presentation with a compelling argument that virtualized rootkits are easier to detect than normal rootkits.

“Nothing is undetectable,” Lawson said, repeating his earlier contention that there are numerous techniques that can be used to sniff out the presence of a virtualized rootkit.

[ SEE: Let users virtualize Vista because hypervisor rootkits are no threat ]

The research team plans to release a VM rootkit detection platform called Samara to help advance the research around this topic. “It’s a constant cycle,” Lawson said of the cat-and-mouse research. “They [the attackers] can find ways around our detector but we can also find new ways to find the rootkit. It repeats in a big cycle,” he added.

Later in the day, stealth malware guru Joanna Rutkowska pushed the envelope even more (.ppt file), arguing that VM rootkit detectors can be cheated and insisting that there is a legitimate threat to general purpose operating systems.

“We believe it’s not possible to implement effective kernel protection on general purpose operating systems based on a microkernel architecture,” Rutkowska said, stressing that SVM detection should not be considered the same as Blue Pill detection. “Most of the SVM detection approaches can be defeated,” she said.

Rutkowska also launched a Blue Pill Project with source code for a new, rewritten Blue Pill rootkit.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.


Talkback

Root Kits and viruses.
The accountability issue is not about why a person wastes their time building a bad reputation to get attention, as the peer support saying "that's great!" isn't there if the root kit harms their peer... (Read the rest)
Posted by: vancegilbert@... Posted on: 08/08/07
