Black Hat 2011

More Stories in this Series

The Undetectable Malware That Real Hackers Don't Seem to Want

LAS VEGAS -- Remember the Blue Pill? That was the undetectable rootkit that was all the talk at Black Hat five years ago. It seemed scary. The Blue Pill was one of a new breed of malicious programs that would slip themselves underneath the operating system in a virtual machine hypervisor and silently tamper with the computer's kernel in order to do their bad stuff.

Researchers even developed equally technical countermeasures to detect these sneaky attacks.

Five years ago, virtualized rootkits seemed like a very frightening possibility, but today not so much. Why? Because they're really hard to write, and other, easy-to-use technologies work just fine, thank you very much.

Alex Stamos, a founder of NCC Group's iSec Partners spends a lot of time investigating computer intrusions and he said that he's never seen a Blue Pill type rootkit in the real world -- even in the most technically sophisticated attacks.

"There's a lot of talks here at black hat about the race to ring zero, right. Of people going out and saying I wrote a better rootkit that you can't detect," he said at Black Hat this week. "It turns out that nobody in the real world actually does any of that stuff. You never see Blue Pills. You never see people doing hypervisor rootkits. You rarely see real state-sponsored attackers even going into the kernel"

When you start messing around with the Windows kernel, you're playing with fire, or in Windows terms, you're playing with the Blue Screen of Death. Software that works fine on Windows 7, might crash on Vista or XP. And a frantic call for IT support is just the kind of attention that sophisticated hackers want to avoid. So instead they write rootkits that run in usermode -- software that could be detected by programs running on the computer -- and they use a variety of tried and true tricks to make them hard to detect. They'll name their rootkit after a service that you're likely to see and they'll mixup way the software of put together so that it skirts antivirus detection, for example.

Blue Pill's author Joanna Rutkowska pretty much agrees with Stamos. "The traditional methods of system compromise (either via usermode or traditional kernelmode rootkits) still work just fine. Really, what new (gamechanging) OS protections against compromises have been added in the last 5 years to Windows or Mac?" she says.

For now at least, the Blue Pill is only something you see in the movies.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is robert_mcmillan@idg.com

Subscribe to the Security Watch Newsletter

Comments