Last year I wrote a blog on Joanna Rutkowska's Blue Pill attack. This week, at the annual Black Hat conference, several malware detection companies are taking a run at Blue Pill saying they can detect it. However, maybe the detection won't work.
In "Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game" eWeek lays out why a Matasano attempt to detect the rootkit failed.
In Searchsecurity.com's "Black Hat 2007: Rootkit hunters caught in cat-and-mouse game" they discuss the attempts by other companies to detect the Blue Pill attack. However, as the article notes the following:
"One of the methods Lawson outlined for detecting a virtualized rootkit involves observing changes in the Translation Lookaside Buffer (TLB), a cache in the CPU. When something causes a virtual machine to exit, the hypervisor leaves traces of its presence in the TLB. So, Lawson said, one way to detect a hypervisor rootkit would be to cause it to somehow exit, and then read the TLB and look for changes.
But, Lawson and Ptacek conceded, there's nothing stopping the malware author from writing a feature to detect the "rootkit detector," which Lawson said leads back to the familiar attacker-defender cat-and-mouse game. "
Bottom line: There is no good way to detect Blue Pill attacks. As one of the article's notes:
That's changing, though, Allan said, with virtualization headed toward ubiquity. "I think we'll see virtualization required in the future; used all the time. It's [already] used in legitimate software, as a feature to do something or other. It's used more and more in hardware and in different components." "
If you can't turn off virtualization, then caveat emptor.