Last year I wrote a blog post on Joanna Rutkowska's Blue Pill attack. This week, at the annual Black Hat conference, several malware detection companies are taking a run at Blue Pill, saying they can detect it. However, the detection may not work.
In "Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game," eWeek lays out why a Matasano attempt to detect the rootkit failed.
Searchsecurity.com's "Black Hat 2007: Rootkit hunters caught in cat-and-mouse game" discusses the attempts by other companies to detect the Blue Pill attack. However, the article notes the following:
"One of the methods Lawson outlined for detecting a virtualized rootkit involves observing changes in the Translation Lookaside Buffer (TLB), a cache in the CPU. When something causes a virtual machine to exit, the hypervisor leaves traces of its presence in the TLB. So, Lawson said, one way to detect a hypervisor rootkit would be to cause it to somehow exit, and then read the TLB and look for changes.
But, Lawson and Ptacek conceded, there's nothing stopping the malware author from writing a feature to detect the "rootkit detector," which Lawson said leads back to the familiar attacker-defender cat-and-mouse game."
Bottom line: There is no good way to detect Blue Pill attacks. As one of the articles notes:
"So yes, Blue Pill is almost certainly on the horizon. And it's not something that will be easy to ignore even if you think you never use virtualization, either. Last year, Allan said, he left Rutkowska's Blue Pill demonstration feeling pretty comfortable. "Watchfire works in [cross-site scripting]," he said. "I used to say, 'Turn off JavaScript—don't enable it in the browser.' Last year my response was, 'This is easy, just block the ability to do virtualization.'"
That's changing, though, Allan said, with virtualization headed toward ubiquity. "I think we'll see virtualization required in the future; used all the time. It's [already] used in legitimate software, as a feature to do something or other. It's used more and more in hardware and in different components.""
If you can't turn off virtualization, then caveat emptor.
Guy
www.authenticationworld.com
guy.huntington@authenticationworld.com
