Stealth malware researcher Joanna Rutkowska recently demonstrated a way to load unsigned code into the Windows Vista kernel and introduced Blue Pill, a new concept that uses AMD’s SVM/Pacifica virtualization technology to create “100 percent undetectable malware.” Hardware virtualization, in her opinion, “has been introduced a little bit too early; before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.” Blue Pill works by installing itself as a thin hypervisor on the running machine and moving the already-booted native operating system into a hardware virtual machine beneath it, on the fly and without a reboot. The native system does not even realize it has been moved into a virtual machine. Rutkowska explains that operating systems need to be aware of such virtualization and should ship their own hypervisor, so that a rootkit cannot be the first to claim the hardware’s virtualization layer. In her opinion, “we need at least two to three years to implement a foolproof protection against hardware virtualization-based malware.” Her ideal solution would be “integrity checking of all system components,” but she realizes the difficulties involved. Blue Pill is an example of what her taxonomy calls Type III malware: code that lives entirely outside the operating system it controls and therefore “does not introduce a single byte modification into kernel, or other processes’ memory.” Because an integrity scanner has nothing in memory to compare against a known-good state, the only chance for detection would be finding side effects, such as the extra time the hypervisor adds to instructions it must intercept. Rutkowska believes it is better to have “a good integrity-based scanner, even if it’s not capable of detecting Type III malware, rather than having a classic anti-virus product which only tries to find the known ‘bad things.’” Stealth malware can silently subvert an operating system without being noticed, so to Rutkowska, the most pressing concern is not the complete prevention of malware infections, but the ability to detect them.
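As an added illustration of the side-effect detection the summary mentions, the following C program is not code from the article or from Rutkowska’s Blue Pill; it is a small timing probe of the kind researchers used against hardware-virtualization rootkits. It repeatedly times the CPUID instruction with the time-stamp counter and compares the median cost against a threshold. On Intel VT-x CPUID always causes a VM exit, and on AMD SVM a hypervisor may choose to intercept it, so a CPUID that routinely costs many hundreds of cycles more than its native cost is a side effect worth flagging. The 500-cycle threshold, the sample count and the helper names are assumptions for this example and must be calibrated on the machine being examined.

```c
/*
 * Added example (not from the article or from Blue Pill): a CPUID timing
 * probe for hypervisor side effects. A native CPUID costs on the order of
 * a hundred cycles; one that traps to a hypervisor costs many hundreds or
 * thousands. The threshold below is an assumed heuristic for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __cpuid macro */
#include <x86intrin.h>  /* __rdtsc, __rdtscp */
#endif

#define SAMPLES 64
/* Assumed heuristic cut-off in cycles, not a value from the article. */
#define ASSUMED_TRAP_THRESHOLD 500u

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples, computed on a copy so the caller's array is kept. */
uint64_t median_cycles(const uint64_t *samples, size_t n)
{
    if (n == 0)
        return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy)
        return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* 1 if the typical CPUID cost exceeds the threshold (looks intercepted),
 * 0 if it looks native, -1 if there are no samples to judge. */
int cpuid_looks_intercepted(const uint64_t *samples, size_t n, uint64_t threshold)
{
    if (n == 0)
        return -1;
    return median_cycles(samples, n) > threshold;
}

/* Time n executions of CPUID leaf 0 against the TSC. Returns the number of
 * samples written: n on x86 builds, 0 elsewhere (the probe does not apply). */
size_t sample_cpuid_cycles(uint64_t *out, size_t n)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int aux;
    for (size_t i = 0; i < n; i++) {
        unsigned int eax, ebx, ecx, edx;
        uint64_t start = __rdtsc();
        __cpuid(0, eax, ebx, ecx, edx);
        /* rdtscp waits for preceding instructions to retire before reading. */
        uint64_t end = __rdtscp(&aux);
        out[i] = end - start;
    }
    return n;
#else
    (void)out;
    (void)n;
    return 0;
#endif
}

int main(void)
{
    uint64_t samples[SAMPLES];
    size_t n = sample_cpuid_cycles(samples, SAMPLES);
    int verdict = cpuid_looks_intercepted(samples, n, ASSUMED_TRAP_THRESHOLD);
    if (verdict < 0) {
        puts("not an x86 build; probe skipped");
        return 0;
    }
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)median_cycles(samples, n),
           verdict ? "CPUID appears intercepted (hypervisor present?)"
                   : "looks native");
    return 0;
}
```

Treat a positive result as a lead, not proof: any legitimate hypervisor (a normal VM, a security hypervisor the vendor ships) produces the same spike, and a rootkit that controls the virtualization layer can shrink the measured gap by adjusting the guest’s TSC offset in the VMCB, which is exactly why Rutkowska argued that local checks alone are not enough and that operating systems need to own the hypervisor layer themselves.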
Source: ACM TechNews.