Blue Pill virtualisation rootkit freely available
Rootkit specialist Joanna Rutkowska has provided open access to the source code of a new version of the virtualisation rootkit Blue Pill, which has been rewritten from scratch. She presented a prototype of the rootkit at the Black Hat conference in Las Vegas in 2006. The new version of Blue Pill has not just been revised, it also offers new functionality and, according to the description, relies on the virtualisation support offered by modern processors (HVM, hardware virtualised machines).
It is claimed that the new Blue Pill can migrate Windows into a virtual environment whilst it is running; without restarting, and invisibly to the user. This would make it undetectable from within the system using current detection methods. The rootkit supports AMD's SVM/Pacifica virtualisation to infiltrate a hypervisor into Windows whilst it is running, but is not yet able to utilise Intel's VT-x virtualisation. Blue Pill now also includes several functions specifically aimed at hindering recognition by rootkit detectors. It is apparently able to support nested hypervisors and to manipulate Time Stamp Clock Register (TSCR) readings to thwart detection of stolen CPU cycles: a technique known as RDTSC cheating.
In rebuilding Blue Pill from scratch, Rutkowska and co-author Alexander Tereshkin appear to be reacting to criticism from Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Peter Ferrie of Symantec, who decline to believe that Blue Pill is undetectable and recently challenged Rutkowska to a competition, which she, however, neatly sidestepped. But the new version does have limitations. For example, Microsoft's Virtual PC 2007 crashes when running under Blue Pill, so first blood goes to Ptacek, Lawson and Ferrie. In addition, the implementation of RDTSC cheating is still somewhat rudimentary.
The version currently available for download can apparently only be compiled under Windows using the Driver Development Kit (NTDDK).
- Blue Pill Project, the Blue Pill homepage
- Rootkit face-off of giants, but it could be off, report by heise Security