Ask the Expert

Can rootkit detection mechanisms stop the Blue Pill?

What can be done to kill the "Blue Pill" code, which has now been rewritten to work on Intel-based machines as well as AMD processors?


For the uninitiated, security researcher Joanna Rutkowska created the Blue Pill, a piece of virtual machine-based malware. She spoke about the malware at a variety of security and hacking conferences in 2006, including Black Hat. The ideas underlying the Blue Pill are very powerful. Using the new virtual machine instructions supported by recent processors from Advanced Micro Devices Inc. that carry the so-called SVM/Pacifica technology, this tool installs itself as a virtual machine hypervisor underneath the existing operating system. As Rutkowska described it, the malware can install itself without the OS needing to reboot. Blue Pill can be very difficult to detect because normal operating system code can't gain access to the hypervisor itself. Similar ideas are implemented in the Vitriol rootkit, created by Dino Dai Zovi. The Vitriol rootkit targets Intel processors that use VT-x virtualization technology, a set of functions similar to the AMD SVM/Pacifica instructions used by the Blue Pill.

I'm happy to say that there's little reason to fear for the security of your operational environment because of Blue Pill. While the ideas are out there, the code for the Blue Pill and Vitriol is neither in widespread release nor in use. Each could always become a threat in the future, but right now, there isn't much you can do.

In the talks associated with their respective projects, both Rutkowska and Dai Zovi have highlighted hypothetical rootkit detection mechanisms that analyze instruction counts and timing and that try to run virtual machine instructions. The two have also examined ways to thwart such detection. Rutkowska even explores preventive concepts, which would require altering processors and boot sequences and adding password defenses before virtualization could be activated. While these are impressive ideas, they aren't practical for widespread deployment right now; they would require careful vendor development to pull off. So, the bottom line here is don't overreact, but monitor the news developments in this realm carefully.
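To make the "instruction count" style of detection concrete, here is an added example (not Rutkowska's or Dai Zovi's code, and not from this article) of one such heuristic: CPUID always causes a VM exit under a hypervisor, so its latency measured with RDTSC is far higher than on bare metal. It assumes an x86/x86-64 machine built with GCC or Clang, and the 1000-cycle threshold is an assumed, tunable value.

```c
/* Added example: timing-based hypervisor presence heuristic.
 * Assumes x86 with GCC/Clang (cpuid.h, x86intrin.h). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <cpuid.h>
#include <x86intrin.h>

/* CPUID is unconditionally intercepted by a hypervisor, so it costs a
 * VM exit (thousands of cycles) instead of a few hundred on bare metal. */
static uint64_t time_one_cpuid(void) {
    unsigned a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t end = __rdtsc();
    return end - start;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of up to 256 samples; the median resists interrupt and scheduler noise. */
uint64_t median_cpuid_cycles(int samples) {
    uint64_t buf[256];
    if (samples < 1) samples = 1;
    if (samples > 256) samples = 256;
    for (int i = 0; i < samples; i++) buf[i] = time_one_cpuid();
    qsort(buf, (size_t)samples, sizeof buf[0], cmp_u64);
    return buf[samples / 2];
}

/* Honest hypervisors advertise themselves in CPUID.1:ECX bit 31;
 * a stealth hypervisor like Blue Pill would simply leave it clear. */
int hypervisor_bit_set(void) {
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (int)((c >> 31) & 1u);
}

/* Pure decision rule, kept separate so the threshold can be tuned and tested. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

int main(void) {
    uint64_t med = median_cpuid_cycles(200);
    printf("median CPUID latency: %llu cycles, hypervisor bit: %d\n",
           (unsigned long long)med, hypervisor_bit_set());
    printf("verdict: %s\n", looks_virtualized(med, 1000) ?
           "hypervisor likely present" : "probably bare metal");
    return 0;
}
```

Note that this flags any hypervisor, including a legitimate cloud or lab VM, not Blue Pill specifically, and that a hypervisor controlling the guest can offset the TSC to hide the exit cost, which is exactly the kind of evasion the researchers discussed.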

More information:

  • Learn what rootkits and rootkit hypervisors can do to an operating system.
  • Check out SearchSecurity.com's Black Hat 2006 special coverage.

This was first published in April 2011
