
Would Blue Pill create a matrix for PCs?

This week in Security Blog Log: A researcher creates fake reality for Windows Vista's anti-malware sensors. Not all bloggers are impressed.


Security Blog Log
Those who've seen "The Matrix" know the scene where Laurence Fishburne's character Morpheus offers Keanu Reeves' Neo a choice between two pills, one red and the other blue. Morpheus explains the blue pill will allow Neo to wake up in his bed and believe whatever he wants, while the red one will let him "stay in Wonderland and see how deep the rabbit-hole goes" -- in other words, to learn the truth about the Matrix.

In the real world, Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, claims to have developed a blue pill of sorts that will create an equally fake reality for anti-malware sensors, including those baked into Microsoft's upcoming Windows Vista operating system.

She describes it in detail in her Invisible Things blog, and plans to show how it works at a couple of upcoming security conferences, including the Black Hat Briefings in Las Vegas Aug. 3.

In the blog she writes: "Imagine a malware whose capabilities to remain undetectable do not rely on obscurity of the concept, malware which could not be detected even though its algorithm (concept) is publicly known. Let's go further and imagine that even its code could be made public, but still there would be no way for detecting that this creature is running on our machines..."

About Security Blog Log

Senior News Writer Bill Brenner peruses security blogs each day to see what's got the information security community buzzing. In this column he lists the weekly highlights. If you'd like to comment on the column or bring new security blogs to his attention, contact him at


Rutkowska said she's been working on just such a creature over the past few months, and has code-named it Blue Pill. She claims it to be 100% undetectable malware that's not based on an obscure concept.

The idea behind Blue Pill is simple, she said. The operating system "swallows" the Blue Pill and it awakes inside a Matrix controlled by the "ultra thin Blue Pill hypervisor." This all happens without restarting the system.

"There is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside [the] virtual machine," she said. "This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica."

To some observers, this may sound a lot like the SubVirt rootkit that researchers from Microsoft and the University of Michigan outlined in a recent paper (.pdf). But Rutkowska says there are some key differences:

  • SubVirt is a permanent (restart surviving) rootkit, but unlike Blue Pill, it can't be installed without a reboot. SubVirt must also introduce some modifications to the hard disk, which allows for off-line detection, she said.

  • SubVirt was implemented on x86 hardware, which doesn't allow it to achieve 100% virtualization. Blue Pill can go fully virtual because the AMD SVM technology it's based on allows for it.

  • SubVirt is based on the Virtual PC and/or VMware applications. Both of these applications create virtual devices to be used by the operating system, which are different from the real underlying hardware. This allows for easy detection.

Rutkowska says she's cooked up a working prototype for Vista x64, but she sees no reason why it shouldn't be possible to port it to other operating systems like Linux or BSD, which can be run on an x64 platform.

Her first demonstration will be at the July Symposium on Security for Asia Networks (SyScan) in Singapore, followed by Black Hat in August.

Her Black Hat presentation is cheerfully called "Subverting Vista Kernel for Fun and Profit," according to the Black Hat Web site.

Not everyone in the blogosphere is interested in taking this trip down the rabbit hole. Some dismiss the notion that this Matrix can even be constructed.

As Kurt Wismer puts it in his Anti-Virus Rants blog, "The Blue Pill is hard to swallow."

He offers some technical scenarios to explain how Blue Pill probably won't dissolve into the machine as fully as Rutkowska claims, then concludes, "If undetectable virtualization technology can be used to hide the presence of malware, then equally undetectable virtualization technology preemptively deployed on the system should be able to detect the undetectable VM-based stealth malware if [and] when it is encountered."

It'll be interesting to see what hackers in the blogosphere have to say once they return from Rutkowska's demonstrations in Singapore and Las Vegas.


    1 comment


    Sounds like "crock recursion." That's when you have a painting of a landscape. But the guy feels there's something missing, so he paints himself painting the landscape. Still something is missing, so he paints himself painting himself painting the landscape. But there's something missing, so...