Blue Pill threat dead? … That's wishful thinking

Joanna Rutkowska, the renowned rootkit researcher at Invisible Things Lab based in Poland, has ignited keen interest in virtualization-based malware with her creation called Blue Pill. Last year at the Black Hat conference she gave a presentation on Blue Pill, and at last week’s Black Hat 2007, she announced she is making the New Blue Pill, which, among other things, can run tens of Blue Pills inside each other, available for research purposes.

Taking up the challenge to try and detect stealthy rootkits, researchers from Symantec, Root Lab, and Matasano, who gave their own presentation at Black Hat entitled “Don’t Tell Joanna, the Virtualized Rootkit is Dead,” are aiming to prove they can detect Blue Pill and any other virtualized rootkit with software they’ve collaborated on called Samsara. But no one is declaring victory yet in detecting Blue Pill. In the following essay, Rutkowska shares some observations about things not easily seen. -- Ellen Messmer

By Joanna Rutkowska, Invisible Things Lab

Since the Black Hat conference last year, when I presented the first hardware virtualization-based malware, code-named “Blue Pill,” an amazing debate has been going on. Several security researchers decided to prove that the virtualization malware threat is non-existent. Some went even as far as to announce that the “virtualized rootkit is dead.” Interestingly, none of those researchers have presented any solution to be used for either virtualization malware prevention or detection.

First, it turned out that the “blue pill killers” confused virtualization detection with virtualization rootkits detection. Wait a second – but isn’t that the same thing, you might ask? After all, virtualization-based rootkits need to make use of virtualization, so by detecting (unexpected) virtualization we detect the virtualization-based malware as well, right? Well, not quite – it’s a bit like saying that every program that makes use of networking is a botnet agent, just because botnet agents need to use networking.

As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, both servers and desktops, no matter whether “bluepilled” or not. In that case, blue pill-like malware will not need to take any special efforts to pretend that virtualization is not enabled, as it’s actually expected that virtualization is being used for some legitimate purposes. This means the rootkit code can be greatly simplified.

Using a "blue pill detector" that in fact is just a generic virtualization detector is thus completely pointless here.

Obviously, in such scenarios, blue pill-like malware must support nested hypervisors. And this is what we have implemented in our New Blue Pill proof of concept and presented at the recent Black Hat conference.

We can run tens of blue pills inside each other and they all work and each of them thinks that it’s the real hypervisor! You can actually try it at home, as we decided to make the source code for the New Blue Pill publicly available. We still fail at running Virtual PC 2007 (the only Windows product we found so far that makes use of hardware virtualization) as a nested hypervisor, but we hope to have this fixed in the coming weeks. By the way, please note that the Virtual PC hypervisor doesn’t block Blue Pill from loading.

Interestingly, it also turned out that most of those virtualization detection methods presented over the last months by various researchers (and advertised as virtualization malware detectors) are simply not reliable. In many cases, they can be defeated by virtualization rootkits and usually need a lot of improvements to become reliable (but then again, they would be able to detect only virtualization). We have discussed the actual technical problems during our recent Black Hat presentation.

You might be wondering why this whole debate about virtualization-based rootkits creates so many emotions, why some researchers announce the problem as solved, without actually presenting any solutions, and why some of them go even as far as to use personal attacks in the whole debate.

Well, virtualization is a new, powerful technology that promises a lot not only in terms of technology, but also in terms of business. Unfortunately, people started connecting the words “Blue Pill” and “virtualization” with the word “threat,” without actually understanding what this is really all about. As a result we have a situation where some people might actually be afraid of virtualization, because they heard somewhere about the evil “Blue Pill Threat.”

This is wrong – people should not think of virtualization as a bad thing, just like nobody is going to say that networking is bad simply because we have, for example, botnets. Virtualization is a great technology and one of its main uses is to actually increase the security of our systems. We just need to think more about how to make it immune to various threats. Luckily we still have time, as hardware virtualization is still rarely used.

Announcing, however, that this threat is "dead" already doesn't do any good – this can only put to death our vigilance, which is exactly what security researchers should not do, unless they really have a good solution to the problem.


Copyright © 2007 IDG Communications, Inc.