pistolino
13-08-2007, 10:47
Blue Pill virtualisation rootkit freely available
Rootkit specialist Joanna Rutkowska has provided open access to the source code of a new version of the virtualisation rootkit Blue Pill, which has been rewritten from scratch. She presented a prototype of the rootkit at the Black Hat conference in Las Vegas in 2006. The new version of Blue Pill has not just been revised, it also offers new functionality and, according to the description, relies on the virtualisation support offered by modern processors (HVM, hardware virtualised machines).
It is claimed that the new Blue Pill can migrate Windows into a virtual environment whilst it is running; without restarting, and invisibly to the user. This would make it undetectable from within the system using current detection methods. The rootkit supports AMD's SVM/Pacifica virtualisation to infiltrate a hypervisor into Windows whilst it is running, but is not yet able to utilise Intel's VT-x virtualisation. Blue Pill now also includes several functions specifically aimed at hindering recognition by rootkit detectors. It is apparently able to support nested hypervisors and to manipulate Time Stamp Clock Register (TSCR) readings to thwart detection of stolen CPU cycles: a technique known as RDTSC cheating.
In rebuilding Blue Pill from scratch, Rutkowska and co-author Alexander Tereshkin appear to be reacting to criticism from Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Peter Ferrie of Symantec, who decline to believe that Blue Pill is undetectable and recently challenged Rutkowska to a competition, which she, however, neatly sidestepped. But the new version does have limitations. For example, Microsoft's Virtual PC 2007 crashes when running under Blue Pill, so first blood goes to Ptacek, Lawson and Ferrie. In addition, the implementation of RDTSC cheating is still somewhat rudimentary.
The version currently available for download can apparently only be compiled under Windows using the Driver Development Kit (NTDDK).
Fonte: http://www.heise-security.co.uk/news/93761/from/atom10
Ecco qui il link che riporta al thread di Wilders Security su cui si sta parlando di tutto questo.
http://www.wilderssecurity.com/showthread.php?t=181812
Allo stato attuale non è ancora chiaro quali HIPS siano in grado di rilevare l'installazione del driver rootkit virtuale, e il fatto che anche Rootkit Unhooker pare non sia in grado di rilevarlo aggrava ancora di più la situazione. Infatti, dato che il codice sorgente è disponibile liberamente, chiunque sappia programmare potrebbe costruirci sopra qualche variante altrettanto micidiale e utlizzarla per scopi malevoli, consapevole che le definizioni antivirus non potranno mai fare nulla contro Blue Pill...che sia la fine dei sistemi di rilevazione basati su signatures? ;)
Regards
Rootkit specialist Joanna Rutkowska has provided open access to the source code of a new version of the virtualisation rootkit Blue Pill, which has been rewritten from scratch. She presented a prototype of the rootkit at the Black Hat conference in Las Vegas in 2006. The new version of Blue Pill has not just been revised, it also offers new functionality and, according to the description, relies on the virtualisation support offered by modern processors (HVM, hardware virtualised machines).
It is claimed that the new Blue Pill can migrate Windows into a virtual environment whilst it is running; without restarting, and invisibly to the user. This would make it undetectable from within the system using current detection methods. The rootkit supports AMD's SVM/Pacifica virtualisation to infiltrate a hypervisor into Windows whilst it is running, but is not yet able to utilise Intel's VT-x virtualisation. Blue Pill now also includes several functions specifically aimed at hindering recognition by rootkit detectors. It is apparently able to support nested hypervisors and to manipulate Time Stamp Clock Register (TSCR) readings to thwart detection of stolen CPU cycles: a technique known as RDTSC cheating.
In rebuilding Blue Pill from scratch, Rutkowska and co-author Alexander Tereshkin appear to be reacting to criticism from Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Peter Ferrie of Symantec, who decline to believe that Blue Pill is undetectable and recently challenged Rutkowska to a competition, which she, however, neatly sidestepped. But the new version does have limitations. For example, Microsoft's Virtual PC 2007 crashes when running under Blue Pill, so first blood goes to Ptacek, Lawson and Ferrie. In addition, the implementation of RDTSC cheating is still somewhat rudimentary.
The version currently available for download can apparently only be compiled under Windows using the Driver Development Kit (NTDDK).
Fonte: http://www.heise-security.co.uk/news/93761/from/atom10
Ecco qui il link che riporta al thread di Wilders Security su cui si sta parlando di tutto questo.
http://www.wilderssecurity.com/showthread.php?t=181812
Allo stato attuale non è ancora chiaro quali HIPS siano in grado di rilevare l'installazione del driver rootkit virtuale, e il fatto che anche Rootkit Unhooker pare non sia in grado di rilevarlo aggrava ancora di più la situazione. Infatti, dato che il codice sorgente è disponibile liberamente, chiunque sappia programmare potrebbe costruirci sopra qualche variante altrettanto micidiale e utlizzarla per scopi malevoli, consapevole che le definizioni antivirus non potranno mai fare nulla contro Blue Pill...che sia la fine dei sistemi di rilevazione basati su signatures? ;)
Regards