
Can rootkit detection mechanisms stop the Blue Pill?

At Black Hat 2006, researcher Joanna Rutkowska unveiled a piece of virtual machine-based malware called the Blue Pill. But is it a serious threat to your operating system? Ed Skoudis explains in this expert Q&A.

What can be done to kill the "Blue Pill" code that has now been rewritten to work on Intel-based machines as well as AMD processors?

For the uninitiated, security researcher Joanna Rutkowska created the Blue Pill, a piece of virtual machine-based malware. She spoke about the malware at a variety of security and hacking conferences in 2006, including Black Hat. The ideas underlying the Blue Pill are very powerful. Using the new virtual machine instructions supported by recent processors from Advanced Micro Devices Inc., those with so-called SVM/Pacifica technology, the tool installs itself as a virtual machine hypervisor underneath the existing operating system. As Rutkowska described it, the malware can install itself without the OS needing to reboot. Blue Pill can be very difficult to detect because normal operating system code can't gain access to the hypervisor itself. Similar ideas are implemented in the Vitriol rootkit, created by Dino Dai Zovi. The Vitriol rootkit targets Intel processors that use VT-x virtualization technology, a set of features similar to the AMD SVM/Pacifica instructions used by the Blue Pill.

I'm happy to say that there's little reason to fear for the security of your operational environment because of Blue Pill. While the ideas are out there, the code for the Blue Pill and Vitriol is neither in widespread release nor in widespread use. Each could always become a threat in the future, but right now, there isn't much you can do.

In the talks associated with their respective projects, both Rutkowska and Dai Zovi have highlighted hypothetical rootkit detection mechanisms that analyze instruction counts and try to run virtual machine instructions. The two have also examined ways to thwart such detection. Rutkowska even explores preventative concepts, which would require altering processors and boot sequences, and adding password defenses before virtualization could be activated. While these are amazing ideas, they aren't practical for widespread deployment right now; they would require careful vendor development to pull off. So, the bottom line here is don't overreact, but monitor the news developments in this realm carefully.
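As an added illustration of the timing-style detection idea mentioned above (this is example code written for this page, not code from the original Q&A or from Rutkowska's or Dai Zovi's projects): under both VT-x and SVM the CPUID instruction always traps to the hypervisor, so it costs far more time stamp counter ticks when a hypervisor sits underneath the OS than on bare metal. The sample measures that cost and compares the median against a baseline. The baseline value of 1000 ticks is an assumption and has to be calibrated on a machine known to be running on bare metal; and, as the answer notes, a hypervisor can adjust the TSC it exposes to its guest to defeat exactly this kind of check, so a clean result is not proof of absence.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The CPUID/TSC intrinsics only exist on x86; elsewhere the probe
 * reports 0 ticks so the file still builds and the decision logic
 * can still be exercised. */
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>  /* __rdtsc() */
#include <cpuid.h>      /* __cpuid() */
#define PROBE_SUPPORTED 1
#else
#define PROBE_SUPPORTED 0
#endif

/* Time a single CPUID(0) in TSC ticks. CPUID is serializing, which
 * keeps the two TSC reads from being reordered around it. */
static uint64_t time_one_cpuid(void)
{
#if PROBE_SUPPORTED
    unsigned int a = 0, b = 0, c = 0, d = 0;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t end = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return end - start;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t u = *(const uint64_t *)x, v = *(const uint64_t *)y;
    return (u > v) - (u < v);
}

/* Median of n samples; sorts a copy so the caller's buffer is untouched.
 * The median is used instead of the mean because a single interrupt
 * landing inside one sample would otherwise skew the result upward. */
uint64_t median_of(const uint64_t *samples, int n)
{
    if (n <= 0) return 0;
    uint64_t *copy = malloc(sizeof *copy * (size_t)n);
    if (!copy) return 0;
    for (int i = 0; i < n; i++) copy[i] = samples[i];
    qsort(copy, (size_t)n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* Median CPUID cost over n timed runs (after one untimed warm-up). */
uint64_t median_cpuid_ticks(int n)
{
    if (n <= 0) return 0;
    uint64_t *samples = malloc(sizeof *samples * (size_t)n);
    if (!samples) return 0;
    time_one_cpuid();  /* warm-up: first execution pays cache/TLB costs */
    for (int i = 0; i < n; i++) samples[i] = time_one_cpuid();
    uint64_t m = median_of(samples, n);
    free(samples);
    return m;
}

/* Decision rule: a median above the calibrated bare-metal baseline
 * suggests an intervening hypervisor. The threshold is supplied by the
 * caller because it differs from one CPU model to the next. */
int hypervisor_suspected(uint64_t median_ticks, uint64_t threshold)
{
    return median_ticks > threshold;
}

int main(void)
{
    /* Assumption: 1000 ticks is a placeholder baseline; calibrate it on
     * a machine known to be running on bare metal before trusting it. */
    const uint64_t assumed_threshold = 1000;
    uint64_t med = median_cpuid_ticks(200);
    printf("median CPUID cost: %llu ticks -> %s\n",
           (unsigned long long)med,
           hypervisor_suspected(med, assumed_threshold)
               ? "hypervisor suspected"
               : "no hypervisor indicated");
    return 0;
}
```

Run it once on a machine you know is bare metal and once inside any ordinary VM to see the gap the heuristic relies on; the bare-metal number becomes the threshold. Because the check reads a counter the hypervisor controls, treat a positive result as a lead for deeper investigation rather than as a verdict.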

More information:

  • Learn what rootkits and rootkit hypervisors can do to an operating system.
  • Check out SearchSecurity.com's Black Hat 2006 special coverage.
This was last published in April 2011
