As computer users, we want to know when there’s a threat out there that makes our systems vulnerable to attack. Like Neo in The Matrix, most of us have no desire to take the little blue pill that will make us think all is well when it’s really not. On the other hand, we don’t like alarmists who scream from the rooftops that the sky is falling and make the latest computer security threat sound like doomsday incarnated. Sometimes it’s hard to know where the middle ground is.
We’ve gotten email from several readers over the last couple of weeks, concerned about a new type of malware that was created by a Singapore security researcher named Joanna Rutkowska and appropriately named Blue Pill. IT publications and blogs have sounded the alarm bells, touting the “undetectable” nature of the code and, in some cases, implying that the scope of the threat is greater than it is. Here’s a more balanced report.
At last week’s BlackHat computer security conference in Las Vegas, Ms. Rutkowska herself gave a presentation on how this technology works on 64-bit Vista. BlackHat was logical venue for this type of presentation. The annual conference has been going on since 1997 and brings together IT computer specialists, law enforcement and legal experts, and hackers. I’ve been a BlackHat speaker in the past and my husband Tom developed the course materials for the ISA Ninjitsu training session at this year’s conference and was on hand to field questions.
The presentation demonstrating Blue Pill took place on the second day of the conference. Despite being scheduled at the end of the day, it drew standing room only (or more accurately, “no more standing room”) crowds – not a surprise after all the publicity. Here’s what we’ve learned about the threat:
Blue Pill is a type of rootkit – that is, malware that conceals itself from security software. Although some articles and blogs have given the impression that it’s based on a vulnerability in the Vista operating system, it’s actually based on AMD’s SVM Pacifica virtualization technology (and Rutkowska herself has been very clear that the exploit is not based on any flaw in Vista). The Pacifica technology provides “chip level” virtual partitioning to allow for running multiple operating systems simultaneously on the same computer (virtual machines or VMs). Pacifica is an extension to the 64 bit x86 architecture and is included on the Athlon 64 and Turion 64 processors. Although Rutkowska’s Blue Pill prototype was developed to run on Vista, it can be adapted for Linux or any other 64 bit operating system that runs on this hardware.
The reason this rootkit is so difficult to detect is because the operating system is running inside the hypervisor, or VM, whereas the rootkit is running underneath the VM. Since the rootkit files are outside of the virtual OS, there’s no way for the operating systm to detect that they’re there. Microsoft Research had previously developed a proof of concept VM rootkit called SubVirt. You can read more about the VM rootkit concept here.
Here’s the good news: Blue Pill was developed by a security researcher, not a hacker. Rutkowska and others are working on methods for detecting VM-based rootkits. Meanwhile, it’s not out there in the wild. Also, since it’s based on the Pacifica technology, unless you’re running an AMD 64 bit processor, your system is not vulnerable to Blue Pill. (However, Intel also has a hardware virtualization technology called VT, previously code named Vanderpool. It’s possible that such an exploit could be developed for it, too). Finally, Microsoft has vowed to find a way to prevent Blue Pill from being used on Vista before the final version of the OS ships.
Bottom line: it’s great that researchers like Joanna Rutkowska are warning us (and the hardware and software vendors who can do something about it) that threats like this exist. What’s not so great is the way some folks in their blogs and on the message boards are spreading the FUD (fear, uncertainty and doubt) that this is a sign that Vista is not secure. Ms. Rutkowska has diligently tried to counter this misinformation; here is one of her own posts on seclists.org.
What do you think? Should the tech media splash news of new exploit types all over the headlines, or does this just give hackers ideas? Should we wait to report on them until a solution has been found? Do you prefer to know about possible threats, even if they aren’t “in the wild” yet?
Or would you prefer to take a Matrix-type blue pill and live in your own little world, protected from such nasty knowledge? Do tech writers tend to oversensationalize these stories, or do we downplay them too much?
Deb Shinder