A security researcher specializing in rootkits has built a prototype of a new technique that, she claims, allows “100% invisible” malware to be created, even on x64 systems such as Windows Vista x64.
Joanna Rutkowska, a malware “stealth” technology expert at the Singapore-based security firm COSEINC, announced that the new Blue Pill technique uses AMD’s SVM/Pacifica hardware virtualization to install a very small piece of software that takes control of the entire operating system. According to Rutkowska, that software cannot be detected from inside the operating system it controls.
Rutkowska plans to present her new idea at the SyScan conference to be held in Singapore at the end of July and at the Black Hat conference in the United States in early August.
The Idea is Not New
Rutkowska revealed that the technique relies on a dynamic “generic method” for injecting binary code into the Vista Beta 2 kernel (x64 edition) without crashing the system. This lets it get around the kernel-protection policy changes that Windows Vista introduced to keep rootkits out of the kernel (on Vista x64, kernel-mode code is required to be digitally signed).
The concept of a virtual-machine-based rootkit is not new. Researchers at Microsoft and the University of Michigan have already built a virtualization-based rootkit called SubVirt. It is hard to detect because security software running inside the guest operating system cannot see the rootkit’s state. SubVirt, however, has to survive a reboot and therefore modifies the boot sequence on disk, which leaves a footprint that can be found from outside the compromised system.
Rutkowska builds on this idea. She does concede one caveat: Blue Pill could become detectable if AMD’s Pacifica implementation itself has flaws.
Where Does the Power Come From?
“The power of Blue Pill comes from SVM technology,” Rutkowska explained. If a “generic” way of detecting a running hypervisor were built into the virtualization technology itself, Blue Pill would lose its invisibility. Short of that, she argues, it can only be detected if AMD’s Pacifica technology has vulnerabilities.
“On the other hand, if you cannot add generic detection techniques to SVM on a virtual platform, you will never be able to detect Blue Pill.”
“The idea behind Blue Pill is very simple: Your operating system swallows a Blue Pill, and it operates within a Matrix controlled by a very small Blue Pill Hypervisor. This occurs directly while the operating system is running, without affecting other devices.”
Rutkowska also emphasized that Blue Pill does not rely on any existing vulnerability in the operating system. The Blue Pill technology will remain the property of COSEINC Research and will not be released publicly. However, Rutkowska said that her company plans to offer training on the technique and will show the source code to attendees of those training sessions.
Hoang Dung