Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Rutkowska Faces 'Blue Pill' Rootkit Challenge

Posted by Zonk on Fri Jun 29, 2007 12:41 PM
from the exciting-conference dept.
Security IT
Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."
+ -
story

Related Stories

[+] VM-Based Rootkits Proved Easily Detectable 128 comments
paleshadows writes "A year and a half has passed since SubVirt, the first VMM (virtual machine monitor) based rootkit, was introduced (PDF), covered in the tech press, and discussed here. Later Joanna Rutkowska made news by claiming she had a VMM-based attack on Vista that was undetectable — a claim that was roundly challenged. Now in this year's HotOS workshop, researchers from Stanford, CMU, VMware, and XenSource have published a paper titled Compatibility Is Not Transparency: VMM Detection Myths and Realities (PDF) showing that VMM-based rootkits are actually easily detectable."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Rutkowska Faces 'Blue Pill' Rootkit Challenge 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • More Laptops (Score:5, Interesting)

    by stinerman (812158) <nathan,stine&gmail,com> on Friday June 29 2007, @12:44PM (#19690453) Homepage
    So they have a 50/50 shot of getting it right. How about something more along the lines of 10 laptops? And then they have to say what tipped them off.

    • Re:More Laptops (Score:5, Informative)

      by jonnythan (79727) on Friday June 29 2007, @12:54PM (#19690605) Homepage
      Rutkowska already thought of that (as well as a couple of other things):

      http://theinvisiblethings.blogspot.com/ [blogspot.com]

      "First, we believe that 2 machines are definitely not enough, because the chance of correct guess, using a completely random (read: unreliable) detection method is 50%. Thus we think that the reasonable number is 5 machines."

      She then goes on to detail how at least one but no more than four of the machines are infected and that the detection method must be automatic and return only "infected" or "not infected" as output.

      There are some other details she proposes, some of which are head-scratchers such as "The detector can not consume significant amount of CPU time (say > 90%) for more then, say 1 sec."

      Whole thing sounds pretty interesting though :)

      • Re:More Laptops (Score:5, Informative)

        by jonnythan (79727) on Friday June 29 2007, @12:56PM (#19690631) Homepage
        From the comments section, Nate Lawson has posted his response to Joanna:

        http://rdist.root.org/2007/06/28/undetectable-hype rvisor-rootkit-challenge/ [root.org]

      • Re:More Laptops (Score:5, Insightful)

        by Billosaur (927319) * <wgrother@nOspam.optonline.net> on Friday June 29 2007, @01:06PM (#19690757) Journal
        I think this calls for a double-blind experiment with a larger sample size, say 20 laptops. 10 laptops are held out and left untouched; the other ten will either be infected with Blue Pill or not based on a random coin flip. Then it would not just be a question of detecting it, but detecting it to a sufficient degree to put it beyond chance. A 50-50 shot is just too high to be regarded as accurate.

        • Re:More Laptops (Score:4, Interesting)

          by rtb61 (674572) on Saturday June 30 2007, @12:24AM (#19697151) Homepage
          That test model is still not correct. What has to happen is that every laptop has to have the contents of it's hard disk drive changed after the test has commenced. It should reflect the real world, there are not identical laptops in real world usage. I mean anybody can do the check they are talking about, simply pull out the hard drives and do a bit by bit comparison, big deal. A real world test reflects that the laptops are running different software and different configurations and have different data stored. Ideally it should be done on PCs where you also have different hardware and drivers.

      • Re:More Laptops (Score:4, Interesting)

        by Smidge204 (605297) on Friday June 29 2007, @01:39PM (#19691189)
        The counter-requirements sound suspiciously lopsided to reduce the chance of detection.

        In summary:

        -Multiple machines. Fine.

        -"bluepill.exe and bluepill.sys" wil be installed on ALL machines. Okay, I guess they don't want them to just check the drive's free space to see if extra files were added?

        -ALL machines will have the driver loaded, but not necessarily be "infected". Is that a reasonable condition for a rootkit "in the wild"? If the rootkit is doing it's job you shouldn't be able to detect the driver being loaded in the first place.

        -Detector.exe must be completely autonomous and return only a single flag value to indicate infection. This sounds like a completely unreasonable requirement, since even rudamentary human review of the results is a realistic real-world scenario.

        -The detector can not cause system crash or halt the machine. I fail to see why this would be a requirement, unless you argue that whatever system that might be tested is mission critical and can't afford ANY unplanned downtime... unexpected crashes are bad, but shouldn't be an instant-lose condition.

        -The detector can not consume significant amount of CPU time. Why not? If the user is scanning for a rootkit, they probably understand it's a fairly serious issue and should be willing to devote resources to it. Inconvenient? Sure, but again not a condition of failure.

        -Compensation for working on the project. I can understand this, but really... even if Blue Pill fails to stay hidden, they "win" 6 months of full employment with no repercussions for failure to deliver a working project other than bad reputation.

        Basically, it sounds to me that they aren't really claiming Blue Pill is "undetectable" - only that it is undetectable by one-click idiot-proof software that is run under conditions unlikely to be seen in the wild. I see no reason why the detection team would be prevented from using a boot CD to examine the contents of the hard drive, for example, perhaps even loading their OWN virtual machine to virtualize the malware-infected system and monitor for suspicious activity. I see it as completely fair game.
        =Smidge=

          • Re:More Laptops (Score:5, Informative)

            by dgatwood (11270) on Friday June 29 2007, @02:21PM (#19691807) Journal

            There's another reason for not consuming huge amounts of CPU. The reason is fairly obvious once you think about it hard enough.

            The simple test for a rootkit that puts the computer into a virtual machine (I'm assuming that's happening here) is to test for the performance impact of a VM. If you monopolize the CPU (disable interrupts to prevent anything else from being scheduled, etc.) and run some complex processing for several seconds, you would be able to easily detect the difference in time needed to complete the operation (assuming that all of the computers are otherwise configured identically).

            Such a test, while workable in theory, is not workable in real-world practical use, and thus should not be allowed. Putting a time limit on detection prevents such theory-only tests from succeeding. The same for other impractical tests like scanning the entire surface of the disk for signatures, doing comparisons of expected versus actual disk I/O performance to look for virtualized hard drives, etc.

      • Re:More Laptops (Score:5, Funny)

        by joebok (457904) on Friday June 29 2007, @01:42PM (#19691229) Homepage Journal
        Rutkowska should also think about the reward: "If we're wrong, she keeps the laptop." Who the hell wants a laptop infected with undetectable malware?

    • Ob Princess Bride (Score:5, Funny)

      by The_Wilschon (782534) on Friday June 29 2007, @01:05PM (#19690747) Homepage
      "You guessed wrong."
      "You only think we guessed wrong. That's what's so funny! We switched laptops when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against three high-profile security researchers when a laptop is on the line! Ahahahahaha! Ahahahaha! Ahaha-"
      "And to think, all that time it was your laptop that had malware."
      "They both had malware. I spent the last few years building up an immunity to blue pills."

  • Cunning Plan (Score:5, Funny)

    by sam_paris (919837) on Friday June 29 2007, @12:44PM (#19690483)
    She should say she installed it when in actual fact she didn't...
     
    Then snigger while these guys spend hours scratching their huge domed craniums wondering how she did it.

  • How to win the challenge (Score:4, Insightful)

    by pickyouupatnine (901260) on Friday June 29 2007, @12:45PM (#19690485) Homepage
    Don't install root-kit on either one! ;) No seriously now, if all she was allowed to do was touch one of them.. and both laptops had the same exact everything else, then it should be simple to find ANYTHING that was added to either one. But maybe I'm being naive.

    • Re:How to win the challenge (Score:5, Interesting)

      by Overzeetop (214511) on Friday June 29 2007, @01:06PM (#19690759) Journal
      That was my thought, too.

      I think they should have her set it up, then give the two laptops to a pair of teenage girls for 3 weeks with $300 to spend on any software they choose and an unencumbered internet connection. Then have them search the two. Think of it as two decks of cards, but shuffling them before you try to find the differences.

  • "If she has any particular requests, we'll almost certainly grant them," he added.
    To be successful, I can think of a couple requests. One would just be to have more than one other non-infected computer. I could do nothing to the computers and randomly pick one, thus being right. I suppose that's obvious though. Maybe have several trial runs.

    Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySql on one running as a service and PostGres on the other. That way they can't do something as ridiculously simple like a memory or CPU profiler to find out which one is using up (all beit small) more CPU resources & memory. That seems to be the strategy of the challenging team:

    Matasano's Ptacek, who has spent a lot of time studying Rutkowska's work, said the challenge team will compare the behavior of the system to known norms to find the presence of Blue Pill.
    But how many times do you approach a computer that's infected & have all the behaviors of that machine mapped out? I think the real world answer to that is never. So perhaps the name of the "100% undetectable rootkit" will have to be "100% undetectable in the wild rootkit" since most of us have software on our machines (hell, even World of Warcraft did this) and not even us (the people who installed it) can adequately predict what its going to do. I guess one could always make a rootkit that (given the priviledges) targets a host process deep within a host tree and inserts itself into it. You CPU scheduler would simply be running a thread of a trusted set of processes but unless you had a behavior/benchmark for each process of that tree, you'd be hard pressed to figure out it is host to a virus. That said, I think it's entirely possible to create a nearly 100% undetectable rootkit as long as there are unknown & unprofiled processes running on that machine at the time. Just one more reason to only use open source, I guess!

  • not a fair test (Score:5, Insightful)

    by waspleg (316038) on Friday June 29 2007, @12:50PM (#19690559) Homepage Journal
    this is clearly not a fair test, no one installs rootkits on virgin installs, also giving a small set of laptops means they have a much larger chance of just guessing which one even if they're wrong from their analysis, and if the rootkit is the only thing that is on it besides an OS how hard would that be to find? look at the file access dates? with no other software installed this should be trivially easy to find.

    now if they wanted to test on an E-machine .. which already comes pre-loaded with malware to wehre they'd have to actually look for blue pill code.. that might be a little more balanced and realistic since virtually all consumer pc's have some form of virus or malware as people have no clue what it is or what it does and they like their animated mouse icon even if it's stealing their CC#'s for african nationals.

  • Timing Analysis (Score:3, Informative)

    by kmsigel (306018) * on Friday June 29 2007, @01:00PM (#19690691)
    I saw her talk at BH last year and thought it was very interesting. When it came to detection, however, she waved her hands a bit and claimed that a hypervisor could always alter anything in the PC that had to do with timing so that the OS would always think that the "normal" amount of time had passed for whatever operation it might be trying to time. The idea is that an instruction that the hypervisor intercepts will take longer than the native instruction, and you can detect that. The obvious way to do this is to use the RDTSC (read time stamp counter) instruction, which gives you CPU clock speed precision. The hypervisor can, however, change what the RDTSC instruction returns and therefore makes this timing method useless.

    There are many other sources of timing information in a computer. Serial ports, parallel ports, USB ports, ethernet ports, IO space reads and writes, disk operations, the RTC (real-time clock), etc. I haven't thought too hard about using any of these things in particular, but I would be very surprised if a hypervisor could alter the behavior of all of these things in such a way that they couldn't be used as an alternate source of timing information when determining if an instruction you suspect is being intercepted is taking "too long" or not.

  • The State Of The Challenge So Far (Score:5, Informative)

    by tqbf (59350) on Friday June 29 2007, @01:06PM (#19690763) Homepage

    Helu. I'm Thomas Ptacek, one of the four challenge team members --- Slashdot left out Dino Dai Zovi, who kicked this off by writing a virtualized rootkit at Matasano last year.

    Joanna has responded to our challenge [blogspot.com]. We invited her to stipulate any terms she deemed reasonable. She proferred:

    • Five (5) laptops instead of two (2), as a defense against lucky guessing.
    • We can't crash the machines in the process of testing.
    • We can't spike the CPU on the machine for more than one (1) second.
    • We have to open source our detector, and she'll open source her rootkit.
    • We have to arrange to have her paid between $384,000 and $416,000, and wait six months.

    You can probably predict our response [matasano.com].

    Here's where it stands: all parties agree that by Black Hat '07, Blue Pill will not be in a state where it is hard to detect. Our detection techniques are likely to detect Blue Pill at Black Hat. Blue Pill requires six months of engineering time to get to a state where Joanna is confident that we can't detect it.

    Here's why you care: a few weeks ago, Microsoft decided that Vista Home would not allow virtualization, in part because of the threat of virtualized malware. To the best of our knowledge, there have been two (2) real hypervisor rootkits ever produced: Joanna's Blue Pill, and Matasano's Vitriol. Neither has ever been seen in the wild, because neither has been released to the public. Meanwhile, our team is preparing to demonstrate at Black Hat this year that hypervisor malware is actually even easier to detect than the kernel malware operating systems like Vista are already exposed to.

    Joanna's Blue Pill work, along with all the rest of her work (check out this project [matasano.com], where she turns AMD security hardware against forensics devices), is top-notch. In a weird, secretive space like security, this is how science gets done. Joanna chooses a side: it's possible to make undetectable malware. We square off on the opposite side. Then we debate it using code, presentations, papers, and I guess Slashdot stories. Hopefully, in the end, we all learn something.

    Hope this stays interesting for everyone. Thanks for paying attention!

  • Virii and RootKits (Score:5, Interesting)

    by purduephotog (218304) <hirschNO@SPAMinorbit.com> on Friday June 29 2007, @01:11PM (#19690815) Homepage Journal
    I have been repairing computers for friends/coworkers for some time and Rootkits scare me. I run the MS tools, the blacklight, the A2Free, the hive comparators.... and pray that I'm not missing something. It's either that or re-install their OS, and since they come with DELL OEM licenses before Dell shipped CDs, that's a crapshoot.

    The last machine I worked on actually had 'new' virii on them, which went off to AVira and Norton as a 'new' virus and was included in the next days updates. Insane.

    My brother in law wants a new computer because he no longer trusts his disk - it's been infected so many times that he figures it's easier to get a new system (I've reimaged it several times to fix the problems). I keep pointing out that it only takes one infection to get ruin the new computer, but he's adamant ...

    Why can't we just get along...

    (and don't tell me to put Ubuntu on peoples laptops...)
  • If I were her, I would put Blue Pill on both machines. This has two advantages for her: First, the examiners' obvious strategy of comparing runtime aspects (CPU %, execution time, IO, etc) between the two machines fails, because now both machines incur the VM overhead penalty, and second, if the examiners pick out one of the machines as infected, she can 'prove' them wrong by showing the infection on the other one (given the contest rules of one clean machine, one infected machine). It's worth noting that that's not a real proof, because if the examiners really can deduce the presence of Blue Pill, then they could just show that both are infected. But this strategy definitely defeats the 'compare execution' plan that the examiners have said they are going to use.

  • Debunking Blue Pill myth (Score:5, Informative)

    by mapkinase (958129) on Friday June 29 2007, @01:17PM (#19690897) Homepage Journal
    I found this useful:

    Debunking Blue Pill myth [virtualization.info]

  • A Duck (Score:5, Funny)

    by fogbrain99 (1122057) on Friday June 29 2007, @01:32PM (#19691115)
    Just weigh the machines. The heavier one would have to have the extra files and stuff.

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.