Black Hat - Blue Pill

As usual, the guys running Black Hat organized another stellar event this year. The threats are real and very chilling. The bottom line is that the security “researchers” have moved into exploit territory where nearly all companies have grossly inadequate defensive measures in place. The dominant themes were exploiting web services, client web browsers, and other application security weaknesses. And yes, a healthy dose of hardware- and driver-based exploits were presented as well. After hearing these talks it becomes apparent that firewall, VPN, and IPS technology is just not going to help us defend against these emerging attacks. Newer defensive tools like application firewalls, web/XML firewalls, and HIPS may help in some cases, but the issue I see is that most corporations just don’t have any of these running in production right now.

I found the most interesting, and most deadly, topic to be virtualized malware, or stealth malware. The most famous rendition of virtualized malware is the Blue Pill project by Joanna Rutkowska, who has been researching it for about two years now. This stuff is not theoretical: if you want the code, you can go to her site and download it here. Also, here is her Black Hat presentation, IsGameOver(), anyone? Here is how Blue Pill works:

  • Somehow you get the Blue Pill (BP) code to execute on a target machine. You can use any attack method to do so, e.g. virus, spyware, XSS, etc.
  • BP requires hardware virtualization, so it will only work on machines with an Intel VT-x or AMD SVM capable CPU.
  • When BP runs it rapidly (in about 1ms) and transparently moves your whole operating system into a guest hardware virtual machine that it controls. This happens on the fly without the client knowing it and does not require a reboot.
  • Since BP now has ultimate control over the guest operating system, it can intercept, modify, or copy anything it cares to. All system calls now run through Blue Pill.
  • Given that Blue Pill requires no changes to the original operating system, hardware, or system BIOS in order to work, it is undetectable. Blue Pill bypasses all the new Vista-provided security mechanisms as well as any AV, AS, or HIPS software that might be running on the target machine. This is because the target machine is now running in a nice clean virtual machine (think of it as a PC within a PC), and as far as it can tell all is good in life.
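The second bullet gives defenders a concrete first step: since Blue Pill needs VT-x or SVM, an inventory of which machines advertise those CPU features tells you where the risk even applies. The following is an added example of mine, not code from the post or from Joanna's project; it parses the flags line of a Linux /proc/cpuinfo dump, and the dumps it runs over are constructed samples, not captures from real machines.

```python
"""Fleet exposure check for Blue Pill-style hypervisor rootkits.

Blue Pill needs a CPU with Intel VT-x ("vmx") or AMD SVM ("svm"), so the
first defensive question is which machines even carry that hardware. This
parses the flags line of a Linux /proc/cpuinfo dump and classifies the host.
The dumps below are constructed samples, not captures from real machines.
"""
from dataclasses import dataclass

@dataclass
class VirtExposure:
    vendor: str
    hw_virt: bool          # CPU advertises vmx (Intel VT-x) or svm (AMD SVM)
    hypervisor_flag: bool  # CPUID "hypervisor present" bit, set by hypervisors
                           # that announce themselves; a stealth one would not

def parse_cpuinfo(text: str) -> VirtExposure:
    """Read vendor and feature flags from the first CPU block of /proc/cpuinfo."""
    vendor, flags = "unknown", set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "vendor_id" and vendor == "unknown":
            vendor = value
        elif key == "flags" and not flags:
            flags = set(value.split())
    return VirtExposure(vendor, bool(flags & {"vmx", "svm"}), "hypervisor" in flags)

def assess(text: str) -> str:
    """Map a cpuinfo dump to an exposure class for inventory reporting."""
    e = parse_cpuinfo(text)
    if not e.hw_virt:
        return "not_exposed"          # no VT-x/SVM: Blue Pill cannot load here
    if e.hypervisor_flag:
        return "already_virtualized"  # a hypervisor announces itself; review it
    return "exposed"                  # bare metal with VT-x/SVM: prime candidate

# Constructed /proc/cpuinfo fragments (hypothetical hosts, not real captures).
SAMPLE_INTEL = "vendor_id\t: GenuineIntel\nflags\t\t: fpu pae nx lm vmx ssse3 cx16\n"
SAMPLE_AMD = "vendor_id\t: AuthenticAMD\nflags\t\t: fpu pae nx lm svm sse3 cx16\n"
SAMPLE_OLD = "vendor_id\t: GenuineIntel\nflags\t\t: fpu pae nx lm sse2 ss ht\n"
SAMPLE_GUEST = "vendor_id\t: GenuineIntel\nflags\t\t: fpu pae nx lm vmx hypervisor\n"

if __name__ == "__main__":
    for name, dump in [("intel", SAMPLE_INTEL), ("amd", SAMPLE_AMD),
                       ("old", SAMPLE_OLD), ("guest", SAMPLE_GUEST)]:
        print(f"{name:6s} {parse_cpuinfo(dump).vendor:13s} {assess(dump)}")
```

On a real box, feed it the contents of /proc/cpuinfo; hosts reported as "exposed" are the ones where the hardware precondition for Blue Pill is met.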

The name Blue Pill (think the Matrix movie) is no accident. In the movie, had Neo chosen the blue pill offered by Morpheus, he would have forgotten everything and remained in the ignorant bliss of the Matrix. When force-fed, the Blue Pill rootkit developed by Joanna Rutkowska has the same effect on PCs in real life. Once infected with Blue Pill, your host operating system is experiencing the same thing Neo was before he got pulled out of the Matrix. Basically, they are both living a lie. The Blue Pill, just like the Matrix, is controlling the minds of its hosts. The hosts are completely oblivious to the fact that what they are experiencing is not real but instead a completely fabricated environment that feels as authentic as the real one. The host loses the ability to tell what is real from what is not (“how do you define real?”) in an environment that yields the perception of self-control but secretly retains ultimate control. The operating system, like a person in the Matrix, is a slave to the Blue Pill. It will blindly trust anything the Blue Pill tells it. But unlike the Matrix, the Blue Pill is completely undetectable (at least to date).

I just hope someone discovers the “déjà vu effect” in the Blue Pill soon! That raises the obvious question: is my or your PC already infected with the Blue Pill? How would you know???


Copyright © 2007 IDG Communications, Inc.
