August 03, 2007
Black Hat: Hackers hunt invisible rootkits
Blue Pill claims hard to swallow
By Ellen Messmer
Security researchers at the Black Hat show in Las Vegas are debating whether rootkits that mimic virtual machines can ever be detected.
Joanna Rutkowska, researcher at Invisible Things, famously ignited interest in virtualised rootkit attacks after she showed off her creation, a rootkit called Blue Pill, at last year's Black Hat.
She returned to Black Hat this year to acknowledge that researcher Edgar Barbosa has come closest to devising a method for detecting Blue Pill.
"Congratulations to Edgar," she said, during the highly technical presentation she made with her colleague, researcher Alexander Tereshkin. Rutkowska said they hadn't yet found a way to evade Barbosa's so-called counter-based detection method, which he presented during July's SyScan conference.
Rutkowska also said she is posting Blue Pill's code publicly for download at the Blue Pill Project web site. "You can freely upload Blue Pill right now," she said. Blue Pill has been developed in a number of variants since last year, including one based on nested hypervisors, where stealth, virtual-machine malware is nested inside other stealth, virtual-machine malware.
On a separate topic, she faulted Microsoft's code-signing security, which requires a Microsoft-approved signed certificate for kernel-mode protection. Rutkowska had shown a way to break that security last year, which would let an attacker load malware on 64-bit Vista, but Microsoft fixed that problem a few months ago by changing an API.
However, she asserted on Wednesday that she and Tereshkin had uncovered another route around Vista kernel protection: namely, faulty third-party drivers which, although digitally signed, are simply vulnerable.
She also noted that it was all too simple to obtain a Microsoft-approved code-signing certificate through a largely automated process, at a cost of $250 for a certificate. Microsoft was not immediately available to comment on Rutkowska's findings.
At an earlier session at Black Hat titled "Don't Tell Joanna, the Virtualised Rootkit is Dead," researchers Thomas Ptacek from Matasano Security, Nate Lawson from Root Labs and Peter Ferrie from Symantec described how they are on the path to detecting virtual-machine malware through three technical approaches. They described these technical approaches as side-channel attack, vantage-point attack and performance event counters.
In the end, however, Ptacek said the research was focused on detecting the presence of virtualisation malware called Vitriol, created by researcher Dino Dai Zovi, for VMware. That's because Vitriol is one of only a few known examples of virtualisation malware, and Rutkowska had not published Blue Pill's code before the conference.
The three researchers indicated they intend to release their published findings, as well as a software framework they call Samsara for detecting virtualisation malware, within a few days.