Blue Pill can go totally undetected
- By: Qwaider
- On: Thursday, June 29, 2006 11:29:38 AM
- In: Science & Technology
- Viewed: (13003) times
Rated 4.6/5 stars (301 votes cast)
No, I'm not talking about Viagra; I'm talking about a serious threat to computer security. And this time it's not Microsoft's fault: Linux and Mac may suffer from the same problem, because it sits underneath the operating system rather than inside it.
Fellow blogger Joanna Rutkowska (Invisible Things), a researcher at Singapore-based COSEINC, has built a working prototype of malware that can go completely undetected on your computer. The prototype, called Blue Pill, uses the SVM (Pacifica) hardware virtualization in recent AMD processors to slide a thin hypervisor underneath the running operating system. Not only that, it would be almost impossible to remove, since Blue Pill inserts itself in real time, with no restart required, and then keeps running in complete stealth, out of reach of all removal and detection tools.
The idea is similar to a virtual machine (VM), but it differs in that Blue Pill is only a very thin layer between the OS and the processor. In the classical VM-based rootkit model (Microsoft's SubVirt, linked below) the malicious VM monitor is loaded before the OS, which keeps detection and removal tools running inside the OS from ever reaching it; the catch is that it has to live in the boot sequence on disk, so it can be found and removed offline. Blue Pill takes over a system that is already running and does not need to touch the boot sequence at all.
The interesting part is that there is also a Red Pill, a way for code to detect whether it is running under a virtual machine or on the real hardware. In its original form Red Pill looks at where the interrupt descriptor table has been placed, which catches software VMs such as VMware; a hardware-assisted hypervisor like Blue Pill leaves that table where it was, which is one reason its author claims it evades existing detectors.
Update: The main problem is that your operating system thinks it is running directly on the computer, when it is actually running in a virtual world, like in the Matrix movies. That is scary, because if the OS and the removal tools are unaware that they are running under something else, they will be fooled, while the malware underneath might be keylogging, collecting passwords, running as services, or blocking you from getting needed security patches. And what's worse? All of it can be controlled remotely.
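To make the detection side concrete, here is an added example (my own code, not Blue Pill, Red Pill or anything from Invisible Things or COSEINC) with three probes a program can run: the original Red Pill idea (where does the IDT sit?), the CPUID "hypervisor present" bit that cooperative hypervisors set, and a timing check on CPUID, which must trap to any hardware-assisted hypervisor. The decision logic is kept in plain functions that work on constructed register values; only the raw SIDT/CPUID/RDTSC reads need an x86 machine. The 0xd0000000 threshold is the one from the original Red Pill write-up; the 1000-cycle threshold and all function names are my assumptions. The point a practitioner should take from it: only the timing probe has any chance against a Blue Pill-style hypervisor, and even that can be cheated by a hypervisor that adjusts the guest's time stamp counter on every exit.

```c
/* vm_probe.c: added example, not Blue Pill / Invisible Things code.
 * Three "is there a hypervisor under me?" probes, with the decision logic
 * separated from the raw instructions so it can be tested on constructed
 * values. Build on x86/x86-64 Linux with: gcc -O2 -o vm_probe vm_probe.c */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1. Red Pill. Software VMMs of the era (VMware, VirtualPC) relocated the
 * guest's interrupt descriptor table, so a high IDTR base gave them away.
 * 0xd0000000 is the threshold from the original Red Pill write-up for
 * 32-bit Windows guests; it means nothing on 64-bit kernels, and a
 * hardware-assisted hypervisor such as Blue Pill never moves the table. */
#define REDPILL_IDT_THRESHOLD 0xd0000000u

int redpill_suspicious32(uint32_t idt_base)
{
    return idt_base >= REDPILL_IDT_THRESHOLD;
}

/* 2. CPUID.1:ECX[31], the "hypervisor present" bit. Real CPUs leave it
 * clear; KVM, Xen, Hyper-V and VMware set it and put a vendor string in
 * leaf 0x40000000 (EBX, ECX, EDX). A stealth hypervisor intercepts CPUID
 * and clears the bit, so only a set bit is conclusive. */
int hv_bit_set(uint32_t ecx)
{
    return (ecx >> 31) & 1u;
}

void hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    memcpy(out, &ebx, 4);      /* little-endian register image == ASCII order */
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* 3. Timing. Under AMD SVM or Intel VT-x every CPUID traps to the
 * hypervisor and costs on the order of a thousand cycles instead of a
 * couple of hundred. The threshold is an assumption (tune per CPU), and a
 * hypervisor can cheat by rewinding the guest's TSC on each exit. */
#define CPUID_VMEXIT_CYCLES 1000u

/* Sorts v in place (insertion sort, n is small) and returns the middle. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        uint64_t key = v[i];
        size_t j = i;
        while (j > 0 && v[j - 1] > key) { v[j] = v[j - 1]; j--; }
        v[j] = key;
    }
    return v[n / 2];
}

int cpuid_timing_suspicious(uint64_t median_cycles)
{
    return median_cycles >= CPUID_VMEXIT_CYCLES;
}

#if defined(__x86_64__) || defined(__i386__)
static void cpuid_raw(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{
    __asm__ volatile("cpuid" : "=a"(*a), "=b"(*b), "=c"(*c), "=d"(*d) : "a"(leaf), "c"(0));
}
static uint64_t rdtsc_raw(void)
{
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
/* SIDT is unprivileged on x86; kernels with UMIP may fault or spoof it. */
struct __attribute__((packed)) idtr { uint16_t limit; uintptr_t base; };
static uintptr_t read_idt_base(void)
{
    struct idtr r;
    __asm__ volatile("sidt %0" : "=m"(r));
    return r.base;
}
#else /* non-x86 build: probes return nothing, the classifiers still work */
static void cpuid_raw(uint32_t leaf, uint32_t *a, uint32_t *b, uint32_t *c, uint32_t *d)
{ (void)leaf; *a = *b = *c = *d = 0; }
static uint64_t rdtsc_raw(void) { return 0; }
static uintptr_t read_idt_base(void) { return 0; }
#endif

int main(void)
{
    uint32_t a, b, c, d;
    uint64_t samples[32];
    char vendor[13];

    uintptr_t base = read_idt_base();
    printf("IDTR base %#lx: Red Pill says %s\n", (unsigned long)base,
           redpill_suspicious32((uint32_t)base) ? "software VMM" : "nothing");

    cpuid_raw(1, &a, &b, &c, &d);
    if (hv_bit_set(c)) {
        cpuid_raw(0x40000000u, &a, &b, &c, &d);
        hv_vendor(b, c, d, vendor);
        printf("CPUID hypervisor bit set, vendor \"%s\"\n", vendor);
    } else {
        printf("CPUID hypervisor bit clear (a stealth VMM would hide it too)\n");
    }

    for (int i = 0; i < 32; i++) {
        uint64_t t0 = rdtsc_raw();
        cpuid_raw(0, &a, &b, &c, &d);
        samples[i] = rdtsc_raw() - t0;
    }
    uint64_t med = median_u64(samples, 32);
    printf("median CPUID cost %llu cycles: %s\n", (unsigned long long)med,
           cpuid_timing_suspicious(med) ? "looks like a VM exit" : "looks native");
    return 0;
}
```

Run it on a laptop and then inside any VM to see the difference: on KVM the vendor string reads "KVMKVMKVM" and the CPUID cost jumps by roughly an order of magnitude, while the Red Pill check stays silent on a 64-bit kernel whichever way you run it.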
I discussed it a little bit on Joanna's blog. This is a very interesting topic for security freaks. Check out these resources:
Microsoft SubVirt
Invisible things
COSEINC Research
And my comment:
I personally think that this is just another attack vector, previously unthought of, so it's quite groundbreaking. But it comes as a result of poor designs at multiple levels, from software to hardware. In the old days of computers, people learned to load before the OS by targeting boot loaders, partition tables, etc. Later all of those were detected. Some did weird things with the BIOS and almost anywhere else they could store and execute code.
I think the concept of a Red Pill, which would actually be a low-level app that would interact directly with SVM, could eventually be part of any malware removal kit. It would be even easier for someone to write a "pill-proof" pill that would detect attempts to execute a Blue Pill and stop it.
One thing is certain, things will continue to escalate.
Memories....
Things are going to escalate before viable remedies are developed. My suggestion to Joanna: an "anti-pill" pill might be the only way to stop these. I just updated the article about what virtual machine means.