There’s no security conference that’s more fun to cover than Black Hat, and, judging by the roster of speakers, this year’s Las Vegas edition looks to be no exception. The session that’s drawing the most pre-conference attention is one titled “Don’t Tell Joanna, the Virtual Rootkit is Dead,” which features Nate Lawson, Thomas Ptacek of Matasano Security and Peter Ferrie of Symantec. All three of these researchers have done extensive work on rootkits and rootkit detection and they have set up their talk as a kind of challenge to Joanna Rutkowska, the author of the much-discussed Blue Pill virtual rootkit. Lawson et al. believe that Rutkowska’s claim that Blue Pill is completely undetectable is indefensible, so they’ve proposed setting up two completely fresh Vista machines and allowing Rutkowska to load Blue Pill on one of them. The team will then run its own detection tool on both machines and see whether it finds the rootkit.
Rutkowska says she is up for the Blue Pill challenge, but she wants to impose some additional conditions.
First, we believe that 2 machines are definitely not enough, because the chance of correct guess, using a completely random (read: unreliable) detection method is 50%. Thus we think that the reasonable number is 5 machines. Each of them could be in a state 0 or 1 (i.e. infected or not). On each of this machines we install two files: bluepill.exe and bluepill.sys
The .sys file is digitally signed, so it loads without any problem (we could use one of our methods for loading unsigned code on vista that we’re planning to demonstrate at BH, but this is not part of the challenge, so we will use the official way).
The bluepill.exe takes one argument which is 0 or 1. If it’s 1 it loads the driver and infects the machines. If it’s 0 it also loads the driver, but the driver does not infect the machine.
So, on each of the 5 machines we run bluepill.exe with randomly chosen argument, being 0 or 1. We make sure that at least one machine is not infected and that at least one machine is infected.
After that the detection team runs their detector.exe executable on each machine. This program can not take any arguments and must return only one value: 0 or 1. It must act autonomously — no human assistance when interpreting the results.
Lawson, a whiz at reverse-engineering hardware and software, was the lead designer of the Blu-Ray disc protection scheme and knows a thing or two about kernel design as well. In an interview a few weeks ago he told me he doesn’t believe any rootkit is 100% undetectable and that virtual rootkits like Blue Pill are easier to detect than kernel-mode rootkits because of the requirement that they emulate the entire OS, not just a portion of it. “There are too many things that can go wrong with that model for it to stay completely hidden, ” he said. Or, as he told ZDNet’s Ryan Naraine, “I think the best rootkit is the simplest.”
Whatever the result, the talk should be fascinating. If rootkits aren’t your thing, Rutkowska also will be giving another talk at Black Hat on several methods for compromising the kernel of 64-bit Vista machines.