Rutkowska Faces 'Blue Pill' Rootkit Challenge

Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."

More Laptops

[stinerman]

So they have a 50/50 shot of getting it right. How about something more along the lines of 10 laptops? And then they have to say what tipped them off.

Re:More Laptops

[jonnythan]

Rutkowska already thought of that (as well as a couple of other things):

http://theinvisiblethings.blogspot.com/ [blogspot.com]

"First, we believe that 2 machines are definitely not enough, because the chance of correct guess, using a completely random (read: unreliable) detection method is 50%. Thus we think that the reasonable number is 5 machines."

She then goes on to detail how at least one but no more than four of the machines are infected and that the detection method must be automatic and return only "infected" or "not infected" as output.

There are some other details she proposes, some of which are head-scratchers such as "The detector can not consume significant amount of CPU time (say > 90%) for more then, say 1 sec."

Whole thing sounds pretty interesting though :)

Re:More Laptops

[jonnythan]

From the comments section, Nate Lawson has posted his response to Joanna:

http://rdist.root.org/2007/06/28/undetectable-hype rvisor-rootkit-challenge/ [root.org]

Re:

[Sancho]

If Joannas time estimate is correct, its about 16 times harder to build a hypervisor rootkit than to detect it. Id say that supports our findings.

What a bullshit response.

First, they say that they are trying to debunk her claim: that it is possible to make a rootkit which is undetectable from within the system. Now they're trying to say that it's "good enough" for it to be 16 times harder to build the rootkit than to detect it.

Nope.

If Joanna is right, and Blue Pill is undetectable through automated processes, then it could take 3 years to develop--the results would still be devestating once it was released.

Also, I imagine that there are many more p

Re:More Laptops

[Billosaur]

I think this calls for a double-blind experiment with a larger sample size, say 20 laptops. 10 laptops are held out and left untouched; the other ten will either be infected with Blue Pill or not based on a random coin flip. Then it would not just be a question of detecting it, but detecting it to a sufficient degree to put it beyond chance. A 50-50 shot is just too high to be regarded as accurate.

Re:More Laptops

[rtb61]

That test model is still not correct. What has to happen is that every laptop has to have the contents of it's hard disk drive changed after the test has commenced. It should reflect the real world, there are not identical laptops in real world usage. I mean anybody can do the check they are talking about, simply pull out the hard drives and do a bit by bit comparison, big deal. A real world test reflects that the laptops are running different software and different configurations and have different data stored. Ideally it should be done on PCs where you also have different hardware and drivers.

Re:More Laptops

[Smidge204]

The counter-requirements sound suspiciously lopsided to reduce the chance of detection.

In summary:

-Multiple machines. Fine.

-"bluepill.exe and bluepill.sys" wil be installed on ALL machines. Okay, I guess they don't want them to just check the drive's free space to see if extra files were added?

-ALL machines will have the driver loaded, but not necessarily be "infected". Is that a reasonable condition for a rootkit "in the wild"? If the rootkit is doing it's job you shouldn't be able to detect the driver being loaded in the first place.

-Detector.exe must be completely autonomous and return only a single flag value to indicate infection. This sounds like a completely unreasonable requirement, since even rudamentary human review of the results is a realistic real-world scenario.

-The detector can not cause system crash or halt the machine. I fail to see why this would be a requirement, unless you argue that whatever system that might be tested is mission critical and can't afford ANY unplanned downtime... unexpected crashes are bad, but shouldn't be an instant-lose condition.

-The detector can not consume significant amount of CPU time. Why not? If the user is scanning for a rootkit, they probably understand it's a fairly serious issue and should be willing to devote resources to it. Inconvenient? Sure, but again not a condition of failure.

-Compensation for working on the project. I can understand this, but really... even if Blue Pill fails to stay hidden, they "win" 6 months of full employment with no repercussions for failure to deliver a working project other than bad reputation.

Basically, it sounds to me that they aren't really claiming Blue Pill is "undetectable" - only that it is undetectable by one-click idiot-proof software that is run under conditions unlikely to be seen in the wild. I see no reason why the detection team would be prevented from using a boot CD to examine the contents of the hard drive, for example, perhaps even loading their OWN virtual machine to virtualize the malware-infected system and monitor for suspicious activity. I see it as completely fair game.
=Smidge=

Re:

[Chandon Seldon]

I see no reason why the detection team would be prevented from using a boot CD to examine the contents of the hard drive, for example, perhaps even loading their OWN virtual machine to virtualize the malware-infected system and monitor for suspicious activity.

It sounds like the rootkit is designed to be undetectable for stock anti-virus software - i.e. the most likely conditions to be found in the wild. Even the CPU usage requirement makes sense there - once you consider 100 detection modules for different

Re:More Laptops

[dgatwood]

There's another reason for not consuming huge amounts of CPU. The reason is fairly obvious once you think about it hard enough.

The simple test for a rootkit that puts the computer into a virtual machine (I'm assuming that's happening here) is to test for the performance impact of a VM. If you monopolize the CPU (disable interrupts to prevent anything else from being scheduled, etc.) and run some complex processing for several seconds, you would be able to easily detect the difference in time needed to complete the operation (assuming that all of the computers are otherwise configured identically).

Such a test, while workable in theory, is not workable in real-world practical use, and thus should not be allowed. Putting a time limit on detection prevents such theory-only tests from succeeding. The same for other impractical tests like scanning the entire surface of the disk for signatures, doing comparisons of expected versus actual disk I/O performance to look for virtualized hard drives, etc.

Re:

[aethogamous]

The reason is fairly obvious once you think about it hard enough.

I think everything is fairly obvious once you think about it hard enough ...

Re:

[Zeinfeld]

The problem with using identical machines is that it is rather easy to use simple tests that are not practical in the general case. For example, the amount of disk space allocated. If you know that the machines are precisely identical you can simply look for the one with most disk space free.

I think you need to have another step in place so that the detection crew don't have any more information available than would be available in a real world situation where they are faced with a random box that might o

Re:

[Smidge204]

I'd say her requirements are reasonable counter-balances to the presence of an identical "control" in the experiment.

Except nowhere was it suggested that the machines would be compared to each other, or even another machine or system image, so there is no "control" in this case either.

Your average home user won't (and probably isn't qualified to) do manual inspection of results. Not even once in a while, certainly not on a routine basis as would be required to protect a real system.

Even so, such an "idiot l

Re:

[Sancho]

Except nowhere was it suggested that the machines would be compared to each other, or even another machine or system image, so there is no "control" in this case either.

Nowhere was it suggested that they wouldn't be compared to each other. In fact, for the purposes of the challenge, the challenger didn't even say that the software itself would detect bluepill--he said, "We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on." My first reaction to that sentence was that there would be human interpretation as to the results--for example, they could drive up the CPU and then watch how many context switches each computer can pe

Re:More Laptops

[joebok]

Rutkowska should also think about the reward: "If we're wrong, she keeps the laptop." Who the hell wants a laptop infected with undetectable malware?

Re:

[geekoid]

no kidding...you would put them down for a minute and then be like "Crap, which one has undetected malware?"

The only way it is truly undetectable is if it does nothing, and takes up cluster space that the machine has allocated, but not actually filled.

Re:

[ZoneGray]

I dunno.... imagine two PC's; one has a default Vista installation, and the other has undetectable malware that periodically contacts its creator. Is there really any difference between them?

Re:

[Hoi Polloi]

Reformat?

Re:More Laptops

[AndrewHowe]

I'm in ur reformat command, virtualizing ur operations

Re:

[maxwell demon]

Well, it's undetectable for software not knowing what to search for. It's of course detectable by the author of the root kit, and I'm sure a requirement will be to demonstrate that the computer really is infected, otherwise she could simply infect none, and then simply decide which ones are "infected" after the fact.

If there's no such requirement of proof, I'll happily offer a test of my completely undetectable root kit. And I'll not even demand the source of the detector program (I'll also not offer mine).

Re:

[Tatarize]

If the detector used 100% cpu speed on multiple identical labtops. At the end of detection, you could simply see which one processed the most. This would result in the ones with the added blue pill having given this freaky detection manner the fewest clock cycles.

Re:

[griffjon]

I think 2 laptops is fine, as long as the detection process gives evidence of the malware, beyond proclaiming (guessing) which one is infected.

Re:

[dgatwood]

More than that, even. The very act of virtualizing the OS will steal cycles even if the rootkit itself is idle.

Ob Princess Bride

[The_Wilschon]

"You guessed wrong."
"You only think we guessed wrong. That's what's so funny! We switched laptops when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against three high-profile security researchers when a laptop is on the line! Ahahahahaha! Ahahahaha! Ahaha-"
"And to think, all that time it was your laptop that had malware."
"They both had malware. I spent the last few years building up an immunity to blue pills."

Re:

[Negadecimal]

Thanks... I needed a good laugh today!

Re:Ob Princess Bride

[Dachannien]

I spent the last few years building up an immunity to blue pills.

You're going to regret that decision in another thirty years.

Re:

[tqbf]

If 5 laptops is what it takes to get this challenge off the ground, then we'll do 5 laptops.

However, I don't know what the number of laptops has to do with removing luck from the challenge. If she wants to reduce our likelihood of a lucky guess to below 3%, we can use repeated trials on the same hardware (with Joanna's team stipulating how cleanup after each trial is to occur) to the exact same effect.

Re:

[DamnStupidElf]

It's straightforward to detect *any* malware in this setup. If the hosts of the challenge can't find it, they deserve to lose more than just a laptop.

Step one: Pull the BIOS chips or stick a reader on them. Compare the images between the two laptops. Obviously flash them to the same revision beforehand.

Step two: Pull the hard disks and diff them in another system.

Step three: If the BIOS images are the same on the first two computers, put the drives in new computers of the same model and ask the rootki

Re:

[Aldur42]

I was under the impression that a rootkit was only supposed to be undetectable from _within_ the system. i.e. Overwriting ls with your version that hides your secret malicious files. Pulling out hard drives and placing them inside of other systems would not be a reasonable method of rootkit detection.

Re:

[WoLpH]

But it tells you what to look for when creating the rootkit detector.

c'mon...

[cosmocain]

...a 50 percent chance? do that with about 30 laptops to rule out that the infected laptop is picked by pure luck. ;)

Re:

[PrescriptionWarning]

Ahhh but what if she install on both, and they say only one has it....

or what if she installs on non, and they say one or both has it....

kinda makes me feel like watching Princess Bride again :)

Re:

[PrescriptionWarning]

no.... ... they'd be expecting that.

Re:

[anagama]

Stick w/ 2 laptops but require X number of consecutive right answers. For example, there's a 1/32 chance they get 5 consecutive right answers by chance. Or get 5 laptops and go three rounds -- 1/125 chance. Obviously this wouldn't eliminate luck, but it would make it much less a part of the equation. Be a lot cheaper than 50 laptops too.

Cunning Plan

[sam_paris]

She should say she installed it when in actual fact she didn't...
 
Then snigger while these guys spend hours scratching their huge domed craniums wondering how she did it.

Re:

[Lockejaw]

I assume they have some plan for making her show that her rootkit really is on one of them after the guess is made.

Re:

[halcyon1234]

Simple enough. Insist on videotaping the install or something similar.

Of course, if she still wanted to cheat, just install this:

rm -rf $ARGV[0]

Detect that!

Re:

[Joebert]

Geek or not, that comment probably just lost any smidgen of a chance you had of ever getting laid.

How to win the challenge

[pickyouupatnine]

Don't install root-kit on either one! ;) No seriously now, if all she was allowed to do was touch one of them.. and both laptops had the same exact everything else, then it should be simple to find ANYTHING that was added to either one. But maybe I'm being naive.

Installed on both would be best

[Shivetya]

Activate it on both and see if they can tell.

and to make it even more fun, put something extra on them too.

Re:How to win the challenge

[Overzeetop]

That was my thought, too.

I think they should have her set it up, then give the two laptops to a pair of teenage girls for 3 weeks with $300 to spend on any software they choose and an unencumbered internet connection. Then have them search the two. Think of it as two decks of cards, but shuffling them before you try to find the differences.

Re:

[Bandman]

Like they wouldn't have to reinstall the OS after THAT.

Re:How to win the challenge

[Hoi Polloi]

Make sure it is girls though. If you give it to a pair of teenage boys by the end it'll be full of porn and chat logs filled with "FAG!" comments.

Re:

[suv4x4]

I think they should have her set it up, then give the two laptops to a pair of teenage girls for 3 weeks with $300 to spend on any software they choose and an unencumbered internet connection.

If you do that, you can bet at the end both laptops would have the Rutkowska's rootkit.

Never mind it's not in the wild, never mind it's not infectious: trust a teenage girl with 3 weeks and unencumbered internet access, and she'll find a way to get infected with it.

Re:

[ikioi]

"...it should be simple to find ANYTHING that was added to either one."

While it might not always have been simple, it was at least in theory possible to find anything installed on a computer prior to hardware virtualization technologies [wikipedia.org] being introduced. The crux of this new challenge is that the newer chips from Intel [intel.com] and AMD [amd.com] have support for cpu-based virtualization. In other words, they implemeted some of the hard parts of VMWare in the processor itself.

With one of these newer processors, the h

Re:

[megaditto]

That's why she needs to 'touch' both in some way, yet activate the exploit on only one of them, then ask them which one it is.

It is trivial to figure out if something has changed, but it's much harder to determine if the change is malicious.

Actually, this is good for the white hats.....

[Col. Blackwolf]

She installs Blue Pill, and if they detect it, great. If not, she has to show them it's there to prove they missed it, and they get a clue how to find it.

Either way, they can come out ahead here...

Re:

[Timesprout]

Not really. In this scenario they are looking for it specifically and thats more than half the battle. I'm pretty sure if they just took their standard approach they may well find nothing amis with the Blue Pill machine. As they point out there are many possible tell tales for Blue Pill but does their standard tooling already include these checks? With the 2 machine test they are proposing it would be almost impossible not to find the tainted machine through sheer trial and error if nothing else.

Re:

[Punto]

not really.. all she has to do is remotelly open a window with some horse porn

Re:

[cp.tar]

Didn't she offer to open-source the code anyway? With the code, they can get a whole bunch of clues.

Obvious Request I Can Think Of

[eldavojohn]

"If she has any particular requests, we'll almost certainly grant them," he added.

To be successful, I can think of a couple requests. One would just be to have more than one other non-infected computer. I could do nothing to the computers and randomly pick one, thus being right. I suppose that's obvious though. Maybe have several trial runs.

Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySql on one running as a service and PostGres on the other. That way they can't do something as ridiculously simple like a memory or CPU profiler to find out which one is using up (all beit small) more CPU resources & memory. That seems to be the strategy of the challenging team:

Matasano's Ptacek, who has spent a lot of time studying Rutkowska's work, said the challenge team will compare the behavior of the system to known norms to find the presence of Blue Pill.

But how many times do you approach a computer that's infected & have all the behaviors of that machine mapped out? I think the real world answer to that is never. So perhaps the name of the "100% undetectable rootkit" will have to be "100% undetectable in the wild rootkit" since most of us have software on our machines (hell, even World of Warcraft did this) and not even us (the people who installed it) can adequately predict what its going to do. I guess one could always make a rootkit that (given the priviledges) targets a host process deep within a host tree and inserts itself into it. You CPU scheduler would simply be running a thread of a trusted set of processes but unless you had a behavior/benchmark for each process of that tree, you'd be hard pressed to figure out it is host to a virus. That said, I think it's entirely possible to create a nearly 100% undetectable rootkit as long as there are unknown & unprofiled processes running on that machine at the time. Just one more reason to only use open source, I guess!

Re:

[inKubus]

If it works, she should install the Blue Pill on both boxes, but a dormant version on one. Because they will probably try to use some trickery like a whole drive checksum or something to see which box was "more modified" using statistical analysis.

Re:

[jcuervo]

What If those read() calls lied?

How would they lie if you plugged it into my laptop with a USB drive enclosure?

Unless I'm already infected. OH MY GOD, IT'S LIKE SUPER-AIDS!

Re:

[steelfood]

Technically, I think she can install anything she wants on either machine, so she needs only to randomize the software she installs.

But yeah, there should definitely be more than two machines, perhaps one out of five or ten machines. And each machine should have different hardware configurations as well.

Or...she could load both of them up with so much malware that they'll throw their arms up in disgust and quit, which is the same behavior I've seen from some of the malware scanning products out there.

Re:

[SanityInAnarchy]

Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySql on one running as a service and PostGres on the other.

Better yet: Let each laptop (out of maybe 20 or so, instead of just two) be used by someone for maybe a few days or a week leading up to the test. Rutkowska is the only one allowed to (deliberately) install a rootkit, or any kind of malware, but everyone else is allowed to do pretty much whatever they want. Then, let

Re:

[SanityInAnarchy]

Why can't you load a rootkit into main memory from a disc and remove the disc?

I guess you could. I think that defeats the point of the exercise, though. Many Windows computers get rebooted daily; even my Kubuntu box does, to save power, and so I don't have to mess with hibernation. The point of a rootkit is to stay there, undetected, probably for a long time, in order to do something permanent.

It's a cat and mouse game just like all other security.

That's the point. I'm not trying to prove that any rootki

Re:

[Alchemar]

Turn off the firewall and surf several known malware sites with both computers. They said she is allowed to configure them the way she wants. If they run their scanners and find 100+ hits on both laptops, it will be very difficult to detect which one has the rootkit based on resource consumption.

uh what's the point?

[TheLink]

Most malware nowadays is so obvious (after all they're there to do something - mail spam, click spam, DoS etc) and still most people hardly notice them.

Also any such rootkit wouldn't work if the O/S starts off virtualized in the first place so that the rootkit would be "trapped". Then you can scan for the rootkit from "outside".

Of course this assumes no bugs in the virtualization stuff. But as we know there are tons of bugs in CPUs ;).

I hope she accepts the challenge

[OscarGunther]

It would either put paid to the security software vendors who may claim more than they can deliver or it will serve as a caution to overly-ambitious columnists. Can't-miss proposition in terms of its entertainment value.

Only 2 laptops?

[Braino420]

Why not use more laptops so they have a smaller chance of GUESSING the right one? Or do they have to prove why they think its one over the other? In that case why use more than one?

not a fair test

[waspleg]

this is clearly not a fair test, no one installs rootkits on virgin installs, also giving a small set of laptops means they have a much larger chance of just guessing which one even if they're wrong from their analysis, and if the rootkit is the only thing that is on it besides an OS how hard would that be to find? look at the file access dates? with no other software installed this should be trivially easy to find.

now if they wanted to test on an E-machine .. which already comes pre-loaded with malware to wehre they'd have to actually look for blue pill code.. that might be a little more balanced and realistic since virtually all consumer pc's have some form of virus or malware as people have no clue what it is or what it does and they like their animated mouse icon even if it's stealing their CC#'s for african nationals.

Re:

[tqbf]

If Joanna wants to stipulate that we pick Blue Pill out of a morass of pre-installed kernel and userland rootkits, we would of course agree to that term. Neither Joanna's team nor ours seems to think that's a meaningful addition to the test. Like the Vitriol rootkit Dino Dai Zovi wrote for Matasano last year, Joanna's rootkit lives in a special slice of memory inside of a special execution context carved out by the hardware. It is unlike any other X86 rootkit in how it intercepts control of the platform and

No file access dates.

[Burz]

The test is for in-memory exploits which do not get written to disk. The malware may not persist through a reboot, but many crucial systems have long uptimes.

comparison

[TheSHAD0W]

If you're talking about two identical laptops, I think the test is unfair. You'd probably be able to determine which laptop was infected simply by measuring boot times - and this sort of test wouldn't be practical in the real world. (I suppose the attacker could make it more like a real-world test by installing different sets of applications on each machine.) A proper test would include several laptops of different manufacture and somewhat different hardware specs.

easier than that

[r00t]

Check how much RAM appears to be installed and how much is used by the OS.

To win, she needs laptops that are NOT identical.

Not quite 50/50

[madsheep]

OK guys I don't think it's going to be as simple as "picking" which laptop they think it is on. I would assume they have to provide some backup/proof as to what they detected and how they know her stuff is on that laptop. This isn't Russian Roulette of computing. The point is also to backup their skills and more importantly their products. This is to get more press and make more $ and I think it's great.

It's time to put your money where your mouth is..

Re:

[anagama]

I would assume they have to provide some backup/proof as to what they detected and how they know her stuff is on that laptop. This isn't Russian Roulette of computing.

You are assuming elements of the challenge that aren't there. That is a sure setup to lose.

Imagine you're in a bar with your friends. You ask the waitress for three glasses of water and two shot glasses of water. You say to a friend, "I'll bet you a drink that I can down three 12oz glasses of water before you can down those two shot g

Re:

[hotdiggitydawg]

Actually, it's a win-win. With all that water, your "friends" know that it won't be long before you have to drain the lizard, so they can disappear while you're in the bathroom, head off to another bar and actually have a fun night out, without your sorry "I drink water in a bar" ass. But of course, you still get the free drink.

Re:

[madsheep]

Yea, right, this is exactly the same. Man why didn't I think of that. I never think before I post. I'm sure they will just look like complete asses and make a mockery of their respective companies if they cannot reasonably prove their decisions.

A different challenge for Rutkowska

[HaiLHaiL]

grits?

Timing Analysis

[kmsigel]

I saw her talk at BH last year and thought it was very interesting. When it came to detection, however, she waved her hands a bit and claimed that a hypervisor could always alter anything in the PC that had to do with timing so that the OS would always think that the "normal" amount of time had passed for whatever operation it might be trying to time. The idea is that an instruction that the hypervisor intercepts will take longer than the native instruction, and you can detect that. The obvious way to do this is to use the RDTSC (read time stamp counter) instruction, which gives you CPU clock speed precision. The hypervisor can, however, change what the RDTSC instruction returns and therefore makes this timing method useless.

There are many other sources of timing information in a computer. Serial ports, parallel ports, USB ports, ethernet ports, IO space reads and writes, disk operations, the RTC (real-time clock), etc. I haven't thought too hard about using any of these things in particular, but I would be very surprised if a hypervisor could alter the behavior of all of these things in such a way that they couldn't be used as an alternate source of timing information when determining if an instruction you suspect is being intercepted is taking "too long" or not.

Given 2 identicle computers

[jshriverWVU]

Possible solutions:

1. create dd dumps of both drives and run diffs on the images. Added benefit of also seeing if any lower level filesystem stuff was changed and not just files.

2. find / -type f -exec md5sum {} \; compare md5sums to find which files are different. Though this will cause a problem with storing the md5, maybe use a ram drive or exclude /media or /mnt.

Re:

[jshriverWVU]

That's why I would never run a cleaning system from inside an infected system. When I do commands like I suggested dd/md5sum/ etc.. I do it while running Knoppix as to have a running system completely independent of the system on the hard drive and treat the discs as raw data. Thought this or similar concepts where common-place in recovery efforts.

The State Of The Challenge So Far

[tqbf]

Helu. I'm Thomas Ptacek, one of the four challenge team members --- Slashdot left out Dino Dai Zovi, who kicked this off by writing a virtualized rootkit at Matasano last year.

Joanna has responded to our challenge [blogspot.com]. We invited her to stipulate any terms she deemed reasonable. She proferred:

• Five (5) laptops instead of two (2), as a defense against lucky guessing.
• We can't crash the machines in the process of testing.
• We can't spike the CPU on the machine for more than one (1) second.
• We have to open source our detector, and she'll open source her rootkit.
• We have to arrange to have her paid between $384,000 and $416,000, and wait six months.

You can probably predict our response [matasano.com].

Here's where it stands: all parties agree that by Black Hat '07, Blue Pill will not be in a state where it is hard to detect. Our detection techniques are likely to detect Blue Pill at Black Hat. Blue Pill requires six months of engineering time to get to a state where Joanna is confident that we can't detect it.

Here's why you care: a few weeks ago, Microsoft decided that Vista Home would not allow virtualization, in part because of the threat of virtualized malware. To the best of our knowledge, there have been two (2) real hypervisor rootkits ever produced: Joanna's Blue Pill, and Matasano's Vitriol. Neither has ever been seen in the wild, because neither has been released to the public. Meanwhile, our team is preparing to demonstrate at Black Hat this year that hypervisor malware is actually even easier to detect than the kernel malware operating systems like Vista are already exposed to.

Joanna's Blue Pill work, along with all the rest of her work (check out this project [matasano.com], where she turns AMD security hardware against forensics devices), is top-notch. In a weird, secretive space like security, this is how science gets done. Joanna chooses a side: it's possible to make undetectable malware. We square off on the opposite side. Then we debate it using code, presentations, papers, and I guess Slashdot stories. Hopefully, in the end, we all learn something.

Hope this stays interesting for everyone. Thanks for paying attention!

Re:

[AMuse]

I haven't watched too much of this debate so far, but assuming you're being honest with your post (hey, I haven't background checked you!) I want to extend some sincere Kudos to you and her for having this kind of competition in the security industry, diametrically opposed, and NOT resorting to childish name-calling or logical fallacies.

I see a ton of research teams contradicting each other on a daily basis online and often they take things very personally. It brings me a rare bit of optimism to see two tea

Re:

[tqbf]

You should become a secure programmer, which is the rate she's working from. There aren't enough secure programmers to go around.

Re:

[swillden]

"We would expect an industry standard fee for this work, which we estimate to be $200 USD per hour per person." I have never heard of a programmer being paied 200$ an hour... Perhaps I should have stayed in Computer Engineering rather than switch to Electrical?

<shrug> I'm often billed out at more than $200 per hour as a programmer skilled in security. My employer keeps most of that, of course. Were I working freelance I couldn't bill that much, but I could easily get $100, and I'm nowhere near as good as Rutkowska and her colleagues. My company has plenty of people that are in her league, and they bill out at over $400 per hour.

Security engineering and research is a fairly well-compensated field, because it takes a certain kind of person and it requi

Virii and RootKits

[purduephotog]

I have been repairing computers for friends/coworkers for some time and Rootkits scare me. I run the MS tools, the blacklight, the A2Free, the hive comparators.... and pray that I'm not missing something. It's either that or re-install their OS, and since they come with DELL OEM licenses before Dell shipped CDs, that's a crapshoot.

The last machine I worked on actually had 'new' virii on them, which went off to AVira and Norton as a 'new' virus and was included in the next days updates. Insane.

My brother in law wants a new computer because he no longer trusts his disk - it's been infected so many times that he figures it's easier to get a new system (I've reimaged it several times to fix the problems). I keep pointing out that it only takes one infection to get ruin the new computer, but he's adamant ...

Why can't we just get along...

(and don't tell me to put Ubuntu on peoples laptops...)

Re:

[anagama]

(and don't tell me to put Ubuntu on peoples laptops...)

Put Kubuntu on these people's laptops.

Pfft. As if I would

[Colin Smith]

and don't tell me to put Ubuntu on peoples laptops...

ITYF Fedora much easier to support.

HTH
 

Drinking cocoa

[Tony]

A guy walks into a doctor's office. His right eye is bloody and bruised. "Doc," he says, "I've got a problem. Every time I drink cocoa at home, my eye hurts."

The doctor, shocked at the condition of his new patient's eye, runs a gamut of tests, ruling out allergies or other clinical issues. Thinking the issue may be psychosomatic, he sits his patient at a table on which rests a tin of cocoa mix, a thermos of hot water, a cup, and a spoon. He invites the gentleman to mix up the cocoa and take a sip.

The man po

Re:

[geekoid]

Apparently you haven't been doing it long enough to know how to detect and defeat root kits.

or long enough to know it's Viruses.

Why don't you set their machine up correctly?
The only virus I have even had on my windows machines was one I compiled myself when I did security work.

Yes, I scan my system regularly.
Yes, I monitor my connection.
Yes, I have a router and firewall separate from my machines.
Also, my family isn't stupid, so when I explained the issues with email and links and banners, they starting usin

Re:

[purduephotog]

Errr, no, you misunderstand. I get them AFTER they've been infected. Not before. Well, not usually- like my Sister in Law and her constant re-infections. In her defense though, someone got in and a new 0 day virus was updated... aol=updates.exe Kinda interesting to find out you're responsible /included in the next round of antivirus updates.

I do instruct with proper firewalls, etc, but if they don't listen... and they now run nearly a dozen apps to keep the systems clean. Sounds like Over kill to me, b

A better strategy for Rutkowska

[igotmybfg]

If I were her, I would put Blue Pill on both machines. This has two advantages for her: First, the examiners' obvious strategy of comparing runtime aspects (CPU %, execution time, IO, etc) between the two machines fails, because now both machines incur the VM overhead penalty, and second, if the examiners pick out one of the machines as infected, she can 'prove' them wrong by showing the infection on the other one (given the contest rules of one clean machine, one infected machine). It's worth noting that that's not a real proof, because if the examiners really can deduce the presence of Blue Pill, then they could just show that both are infected. But this strategy definitely defeats the 'compare execution' plan that the examiners have said they are going to use.

Re:

[brunascle]

but then the whole thing would moot, since she wouldnt be following the rules. any results would be meaningless.

Re:

[igotmybfg]

I don't agree. If the examiners really can detect the rootkit, then they should be able to detect it twice. Also, in real world scenarios, the examiner (like a virus or malware scanning app) won't have access to two identical machines, one with, and one without.

Re:

[brunascle]

i guess it depends on the judge. what i was thinking was that if the test returns true for both machines, the judges will assume there's something wrong with the test and go back to the drawing boards.

Re:

[Have Blue]

The producers could defeat this by buying a brand new machine of the same configuration at retail and using that for the compare execution plan. It wouldn't be any more cheating than what you suggested.

OT: Slashdot IT slogan

[cant_get_a_good_nick]

The slogan for IT stories, as opposed to "news for nerds, stuff that matters" is

it is what it is

Hmm, weird to have a quote from "Boogie Nights" as the slogan for IT.

Debunking Blue Pill myth

[mapkinase]

I found this useful:

Debunking Blue Pill myth [virtualization.info]

Blue Pill and Windows?

[gEvil (beta)]

It should be really easy to detect which Windows machine has had the blue pill used on it--it's the one that's able to stay up for four hours.

A Duck

[fogbrain99]

Just weigh the machines. The heavier one would have to have the extra files and stuff.

which means that

[commodoresloat]

the other laptop is a witch!

If Blue pill was true

[geekoid]

then the same technology could be used for DRM.

Just use Computer Forensics!

[ettlz]

Like CSI, you know, dust the keyboards for prints.

Malware

[gmuslera]

She will lose. In both the antivirus will detect that Windows is installed, so both will have malware, blue pill or not.

Current climate...

[DimGeo]

I would be careful to work on such a challenge, if I were her :) . I suppose the best step for her would be to decline politely.

they should give her the software first

[anton_kg]

it's not clear if it's gonna be new software from Symantec or just the current version of antivirus.
If it's something new, they should give her a change to play with it first.

Re:Rutkowska is such a babe.

[u38cg]

Really? [wikipedia.org]

Re:

[turbine216]

god i wish i had mod points.

it's creepy shit like this that makes me love slashdot.

Re:

[itzac]

It is possible to circumvent any single method of detection. And it's even possible to circumvent circumvention detection. In the real world this would become an arms race: security experts would find a way to detect the root-kit, and the next one would be able to evade that method of detection. Eventually, however, the hypervisor would spend enough cycles evading detection that the user would get tired of his bogged down machine and would just reinstall the OS.

I don't disagree with her theory, but in pra