For the uninitiated, security researcher Joanna Rutkowska created the Blue Pill, a piece of virtual machine-based malware. She spoke about the malware at a variety of security and hacking conferences in 2006, including Black Hat. The ideas underlying the Blue Pill are very powerful. Using the new virtual machine instructions supported by recent processors from Advanced Micro Devices Inc., those with so-called SVM/Pacifica technology, this tool installs itself as a virtual machine hypervisor underneath the running operating system. As Rutkowska described it, the malware can install itself on the fly, without the OS needing to reboot. Blue Pill can be very difficult to detect because normal operating system code can't gain access to the hypervisor itself; the OS keeps running as a guest without any built-in way to see the layer beneath it. Similar ideas are implemented in the Vitriol rootkit, created by Dino Dai Zovi. The Vitriol rootkit targets Intel processors that use VT-x virtualization technology, a set of instructions similar to the AMD SVM/Pacifica instructions used by the Blue Pill.
I'm happy to say that there's little reason to fear for the security of your operational environment because of Blue Pill. While the ideas are out there, the code for the Blue Pill and Vitriol is neither in widespread release nor in widespread use. Either could become a threat in the future, but right now there isn't much you can do about it anyway.
In the talks associated with their respective projects, both Rutkowska and Dai Zovi have highlighted hypothetical rootkit detection mechanisms. One approach times instructions that must trap to a hypervisor and compares the cycle counts against what bare hardware would take; another tries to execute the virtualization instructions directly to see whether something has already claimed the hardware's virtual machine support. The two have also examined ways to thwart such detection, for instance by having the rootkit falsify the timing information the guest sees. Rutkowska even explores preventative concepts, which would require altering processors and boot sequences, and adding password defenses before virtualization could be activated. While these are amazing ideas, they aren't practical for widespread deployment right now; they would require careful vendor development to pull off. So, the bottom line here is don't overreact, but monitor the news developments in this realm carefully.
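To make the timing idea concrete, here is an added example, written for this page and not code from Rutkowska's or Dai Zovi's projects or from the original answer. It measures the cost of CPUID, an instruction that unconditionally causes a VM exit under VT-x and SVM, and compares the minimum observed cycle count against a threshold. The threshold value, the sample count and the user-space, GCC-inline-assembly measurement are all assumptions for illustration; a real check would calibrate the threshold per machine, and a rootkit that virtualizes the time-stamp counter can defeat it, which is exactly the evasion the talks discuss. The CPUID "hypervisor present" bit is included only to show why it is not a rootkit detector: cooperative hypervisors set it, a stealth one simply would not.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Read the processor time-stamp counter (returns 0 on non-x86 builds). */
static inline uint64_t read_tsc(void)
{
#if HAVE_X86
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    return 0;
#endif
}

/* Execute CPUID for the given leaf and return ECX. Under VT-x/SVM, CPUID
 * always causes a VM exit, which is what makes it a useful timing probe. */
static uint32_t cpuid_ecx(uint32_t leaf)
{
#if HAVE_X86
    uint32_t a = leaf, b, c = 0, d;
    __asm__ __volatile__("cpuid"
                         : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    (void)b; (void)d;
    return c;
#else
    (void)leaf;
    return 0;
#endif
}

/* Cooperative hypervisors (KVM, Hyper-V, VMware, Xen HVM) advertise
 * themselves in CPUID.1:ECX bit 31. A stealth hypervisor such as Blue Pill
 * has no reason to set it, so this is a sanity check, not a rootkit
 * detector. Returns 1 or 0, or -1 when the build cannot run CPUID. */
int hypervisor_bit_set(void)
{
#if HAVE_X86
    return (int)((cpuid_ecx(1) >> 31) & 1u);
#else
    return -1;
#endif
}

/* Minimum TSC delta around CPUID over `samples` runs. The minimum is used
 * rather than the mean because interrupts and scheduling noise only ever
 * make a sample slower; they cannot make a VM exit look cheap. */
uint64_t min_cpuid_cycles(unsigned samples)
{
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        (void)cpuid_ecx(0);
        uint64_t t1 = read_tsc();
        uint64_t delta = t1 - t0;
        if (delta < best)
            best = delta;
    }
    return samples ? best : 0;
}

/* The decision rule. `threshold` is an assumed, machine-specific calibration
 * value: on bare metal CPUID costs at most a few hundred cycles, while a VM
 * exit plus re-entry costs far more. A rootkit that falsifies the TSC the
 * guest sees (the evasion Rutkowska discussed) defeats this rule. */
int looks_like_hypervisor(uint64_t cpuid_cycles, uint64_t threshold)
{
    return cpuid_cycles > threshold;
}

int main(void)
{
    const uint64_t assumed_threshold = 1000; /* assumption: calibrate per machine */
    uint64_t cycles = min_cpuid_cycles(1000);
    printf("CPUID hypervisor bit: %d\n", hypervisor_bit_set());
    printf("min CPUID cost: %llu cycles\n", (unsigned long long)cycles);
    printf("timing verdict: %s\n",
           looks_like_hypervisor(cycles, assumed_threshold)
               ? "trap cost suggests a hypervisor"
               : "no hypervisor-sized trap cost observed");
    return 0;
}
```

Run it on bare metal and again inside any ordinary virtual machine and the minimum CPUID cost changes by roughly an order of magnitude; that gap is the signal the talks describe. It is also why the countermeasure is so simple for the attacker: once the hypervisor controls what RDTSC returns to the guest, the gap disappears.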
- Learn what rootkits and rootkit hypervisors can do to an operating system.
- Check out SearchSecurity.com's Black Hat 2006 special coverage.
Related Q&A from Ed Skoudis