Would Blue Pill create a matrix for PCs? | |||
 | |||
|
Those who've seen "The Matrix" know the scene where Laurence Fishburne's character Morpheus offers Keanu Reeves' Neo a choice between two pills, one red and the other blue. Morpheus explains the blue pill will allow Neo to wake up in his bed and believe whatever he wants, while the red one will let him "stay in Wonderland and see how deep the rabbit-hole goes" -- in other words, to learn the truth about the Matrix.
In the real world, Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, claims to have developed a blue pill of sorts that will create an equally fake reality for anti-malware sensors, including those baked into Microsoft's upcoming Windows Vista operating system.
She describes it in detail in her Invisible Things blog, and plans to show how it works at a couple upcoming security conferences, including the Black Hat Briefings in Las Vegas Aug. 3.
In the blog she writes: "Imagine a malware whose capabilities to remain undetectable do not rely on obscurity of the concept, malware which could not be detected even though its algorithm (concept) is publicly known. Let's go further and imagine that even its code could be made public, but still there would be no way for detecting that this creature is running on our machines..."
Rutkowska said she's been working on just such a creature over the past few months, and has code-named it Blue Pill. She claims it to be 100% undetectable malware that's not based on an obscure concept.
The idea behind Blue Pill is simple, she said. The operating system "swallows" the Blue Pill and it awakes inside a Matrix controlled by the "ultra thin Blue Pill hypervisor." This all happens without restarting the system.
"There is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside [the] virtual machine," she said. "This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica."
To some observers, this may sound a lot like the SubVirt rootkit researchers from Microsoft and the University of Michigan outlined in a recent (.pdf) paper. But Rutkowska says there are some key differences:
Rutkowska says she's cooked up a working prototype for Vista x64, but she sees no reason why it shouldn't be possible to port it to other operating systems like Linux or BSD, which can be run on a x64 platform. Her first demonstration will be at the July Symposium on Security for Asia Networks (SyScan) in Singapore, followed by Black Hat in August. Her Black Hat presentation is cheerfully called "Subverting Vista Kernel for Fun and Profit," according to the Black Hat Web site. Not everyone in the blogosphere is interested in taking this trip down the rabbit hole. Some dismiss the notion that this Matrix can even be constructed. As Kurt Wismer puts it in his Anti-Virus Rants blog, "The Blue Pill is hard to swallow." He offers some technical scenarios to explain how Blue Pill probably won't dissolve into the machine as fully as Rutkowska claims, then concludes, "If undetectable virtualization technology can be used to hide the presence of malware, then equally undetectable virtualization technology preemptively deployed on the system should be able to detect the undetectable VM-based stealth malware if [and] when it is encountered." |
