Black Hat Conference: much of Microsoft and a blue pill
The Black Hat Conference, which begins on the morning of August 2, has a special focus this year: an entire track will be devoted to the security of Microsoft's next operating system, Windows Vista, and of Internet Explorer 7. Microsoft will be handling all of the presentations in the track; it is also one of the sponsors of the conference. As in previous years, Microsoft wishes to use the Black Hat Conference to convince the elite security specialists attending that Vista is the most secure operating system it has ever produced and that security is also the focus of the further development of Internet Explorer 7.
Rootkit researcher Joanna Rutkowska's talk will therefore be all the more interesting: she will be showing how Vista's kernel protection can be outsmarted. Among other things, the 64-bit version of Vista loads only digitally signed kernel-mode drivers. Rutkowska plans to demonstrate how arbitrary code can be injected into the kernel without rebooting, despite this protection. In addition, Rutkowska will also be presenting the first working prototype of "Blue Pill". According to Rutkowska, Blue Pill allows the creation of "100% undetectable" malware: during an infection, it simply moves the running operating system into a virtual environment; the computer need not be rebooted, and the user should not notice anything.
The infection remains undetected because antivirus programs running inside the guest cannot look outside of the virtual machine. Microsoft has also developed a similar rootkit it calls SubVirt, which installs itself beneath the existing operating system and runs that OS inside a virtual machine after the next reboot. Microsoft believes that Virtual Machine Based Rootkits (VMBRs) pose a serious threat for the future. To offer protection against them, antivirus programs would then have to be integrated into the hardware or the BIOS.