In association with heise online

03 July 2007, 12:06

Rootkit face-off of giants, but it could be off


Stealth malware researcher Joanna Rutkowska has been challenged to a live test of her prototype Blue Pill rootkit, which she asserts will ultimately be completely undetectable. Blue Pill, announced at last year's Black Hat conference, uses virtualisation to mask the presence and activities of the rootkit. Rutkowska claims that it is possible to simulate, sufficiently well, all the tell-tale operational parameters of a PC that would be influenced by running introduced code alongside legitimate processes, so that an installed software-based rootkit detector can be completely fooled.
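To make concrete what a "software-based rootkit detector" measures and what a hypervisor rootkit would therefore have to mask, here is an added example (not code from the article, from Rutkowska or from the challengers). It samples one well-known operational parameter: the round-trip time of the CPUID instruction, which a hardware hypervisor must intercept, compared against a reference instruction measured the same way on the same machine. The sample count, the reference instruction and the use of a ratio rather than an absolute threshold are choices made for this illustration; it assumes a GCC/Clang toolchain on x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <x86intrin.h>   /* __rdtsc (GCC/Clang, x86 only) */
#include <cpuid.h>       /* __cpuid macro (GCC/Clang) */

/* Comparison callback for qsort over 64-bit cycle counts. */
static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n cycle counts. Sorts a private copy so the caller's buffer is
 * untouched; the median is used because interrupts and cache misses produce
 * outliers that would dominate a mean. */
uint64_t median_cycles(const uint64_t *v, size_t n)
{
    uint64_t *copy = malloc(n * sizeof *copy);
    if (copy == NULL || n == 0)
        return 0;
    memcpy(copy, v, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* One CPUID leaf-0 execution timed in TSC ticks. CPUID always causes a VM
 * exit under VT-x / AMD-V, so a hypervisor adds its exit-handling cost here. */
static uint64_t time_cpuid(void)
{
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}

/* Reference measurement: a non-intercepted instruction timed the same way, so
 * the comparison is relative to this machine rather than to another PC
 * (the challenge rules quoted in the article forbid cross-machine comparison). */
static uint64_t time_reference(void)
{
    volatile unsigned x = 0;
    uint64_t t0 = __rdtsc();
    x += 1;
    uint64_t t1 = __rdtsc();
    return t1 - t0;
}

typedef struct {
    uint64_t cpuid_median;   /* median TSC ticks per CPUID          */
    uint64_t ref_median;     /* median TSC ticks per reference op   */
    double   ratio;          /* cpuid_median / max(ref_median, 1)   */
} timing_result;

/* Collect `samples` measurements of each kind and summarise them. */
timing_result measure(size_t samples)
{
    timing_result r = {0, 0, 0.0};
    uint64_t *cpuid_t = malloc(samples * sizeof *cpuid_t);
    uint64_t *ref_t   = malloc(samples * sizeof *ref_t);
    if (cpuid_t == NULL || ref_t == NULL) {
        free(cpuid_t);
        free(ref_t);
        return r;
    }
    for (size_t i = 0; i < samples; i++) {
        cpuid_t[i] = time_cpuid();
        ref_t[i]   = time_reference();
    }
    r.cpuid_median = median_cycles(cpuid_t, samples);
    r.ref_median   = median_cycles(ref_t, samples);
    r.ratio = (double)r.cpuid_median / (double)(r.ref_median ? r.ref_median : 1);
    free(cpuid_t);
    free(ref_t);
    return r;
}

int main(void)
{
    timing_result r = measure(2001);
    printf("CPUID median: %llu ticks, reference median: %llu ticks, ratio %.1f\n",
           (unsigned long long)r.cpuid_median,
           (unsigned long long)r.ref_median, r.ratio);
    return 0;
}
```

The printed ratio is only meaningful against a baseline recorded on the same machine before any suspected compromise; there is no universal cut-off. The measurement also shows why the article's claim is a serious one: a hypervisor that controls the guest's view of the time-stamp counter can adjust the offset it returns, and masking exactly this kind of parameter is what Blue Pill is claimed to do, so a detector relying on a single such check is the one that can be "completely fooled".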

This year's challenge, led by Matasano Security founder Thomas Ptacek, was originally defined in his own words to "make it as simple as possible and in Rutkowska's favour". The challengers have publicly declared that they have little belief in Rutkowska's claims. Nevertheless this could have been a very interesting exercise, despite its somewhat artificial constraints: no human intervention or judgement (including no comparisons between machines) and no external hardware devices allowed.

It is clear though that Rutkowska has been nettled by the challengers' position, and egos have started to fly. She has responded with a more stringent specification for the tests, which have been accepted by Ptacek. But in addition she has demanded payment at commercial rates estimated at around US$380,000, in her own words to "turn it into such a commercial grade creature that would win the contest described above", that is, to meet the more stringent criteria she herself has set.

Sadly, unless a compromise can be reached the probable outcome is that the contest is off. However, Rutkowska's announcement that if she succeeds in creating a 100 per cent undetectable rootkit she will release it as open source does give one pause for thought: the inventors of the atom bomb believed they were performing pure research too.
