Rutkowska Faces 'Blue Pill' Rootkit Challenge
Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."
So they have a 50/50 shot of getting it right. How about something more along the lines of 10 laptops? And then they have to say what tipped them off.
...a 50 percent chance? Do that with about 30 laptops to rule out that the infected laptop is picked by pure luck. ;)
Hm ... 1 in 2 odds. Not bad.
Now if they could repeat this 20 times...
She should say she installed it when in actual fact she didn't...
Then snigger while these guys spend hours scratching their huge domed craniums wondering how she did it.
Don't install root-kit on either one! ;)
No seriously now, if all she was allowed to do was touch one of them.. and both laptops had the same exact everything else, then it should be simple to find ANYTHING that was added to either one. But maybe I'm being naive.
_Vishal www.squad9.com
She installs Blue Pill, and if they detect it, great. If not, she has to show them it's there to prove they missed it, and they get a clue how to find it.
Either way, they can come out ahead here...
Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySQL on one running as a service and Postgres on the other. That way they can't do something as ridiculously simple as a memory or CPU profiler to find out which one is using up (albeit slightly) more CPU resources & memory. That seems to be the strategy of the challenging team: Matasano's Ptacek, who has spent a lot of time studying Rutkowska's work, said the challenge team will compare the behavior of the system to known norms to find the presence of Blue Pill. But how many times do you approach a computer that's infected & have all the behaviors of that machine mapped out? I think the real-world answer to that is never. So perhaps the name of the "100% undetectable rootkit" will have to be "100% undetectable in the wild rootkit", since most of us have software on our machines (hell, even World of Warcraft did this) and not even we (the people who installed it) can adequately predict what it's going to do. I guess one could always make a rootkit that (given the privileges) targets a host process deep within a host tree and inserts itself into it. Your CPU scheduler would simply be running a thread of a trusted set of processes, but unless you had a behavior/benchmark for each process of that tree, you'd be hard pressed to figure out it is host to a virus. That said, I think it's entirely possible to create a nearly 100% undetectable rootkit as long as there are unknown & unprofiled processes running on that machine at the time. Just one more reason to only use open source, I guess!
My work here is dung.
Most malware nowadays is so obvious (after all they're there to do something - mail spam, click spam, DoS etc) and still most people hardly notice them.
;).
Also any such rootkit wouldn't work if the O/S starts off virtualized in the first place so that the rootkit would be "trapped". Then you can scan for the rootkit from "outside".
Of course this assumes no bugs in the virtualization stuff. But as we know, there are tons of bugs in CPUs.
It would either put paid to the security software vendors who may claim more than they can deliver or it will serve as a caution to overly-ambitious columnists. Can't-miss proposition in terms of its entertainment value.
If she loses, she gets to keep both Toshiba laptops.
grep -i "blue pill"
Duh...
Why not use more laptops so they have a smaller chance of GUESSING the right one? Or do they have to prove why they think it's one over the other? In that case why use more than one?
They call me the wookie man, I guess that's what I am
This is clearly not a fair test: no one installs rootkits on virgin installs. Also, giving a small set of laptops means they have a much larger chance of just guessing which one, even if they're wrong from their analysis. And if the rootkit is the only thing that is on it besides an OS, how hard would that be to find? Look at the file access dates? With no other software installed this should be trivially easy to find.
Now if they wanted to test on an E-machine... which already comes pre-loaded with malware, to where they'd have to actually look for Blue Pill code... that might be a little more balanced and realistic, since virtually all consumer PCs have some form of virus or malware, as people have no clue what it is or what it does, and they like their animated mouse icon even if it's stealing their CC#'s for African nationals.
If you're talking about two identical laptops, I think the test is unfair. You'd probably be able to determine which laptop was infected simply by measuring boot times - and this sort of test wouldn't be practical in the real world. (I suppose the attacker could make it more like a real-world test by installing different sets of applications on each machine.) A proper test would include several laptops of different manufacture and somewhat different hardware specs.
OK guys, I don't think it's going to be as simple as "picking" which laptop they think it is on. I would assume they have to provide some backup/proof as to what they detected and how they know her stuff is on that laptop. This isn't Russian Roulette of computing. The point is also to back up their skills and, more importantly, their products. This is to get more press and make more $, and I think it's great.
It's time to put your money where your mouth is..
This is just nothing at all, proof-wise, unless their software can show how it detected the Blue Pill box.
Now make it three (or more) laptops of her choice and winner takes all... that's a real test of who has the real stuff.
grits?
reech bee-yond ur clip-0n
I saw her talk at BH last year and thought it was very interesting. When it came to detection, however, she waved her hands a bit and claimed that a hypervisor could always alter anything in the PC that had to do with timing so that the OS would always think that the "normal" amount of time had passed for whatever operation it might be trying to time. The idea is that an instruction that the hypervisor intercepts will take longer than the native instruction, and you can detect that. The obvious way to do this is to use the RDTSC (read time stamp counter) instruction, which gives you CPU clock speed precision. The hypervisor can, however, change what the RDTSC instruction returns and therefore makes this timing method useless.
There are many other sources of timing information in a computer. Serial ports, parallel ports, USB ports, ethernet ports, IO space reads and writes, disk operations, the RTC (real-time clock), etc. I haven't thought too hard about using any of these things in particular, but I would be very surprised if a hypervisor could alter the behavior of all of these things in such a way that they couldn't be used as an alternate source of timing information when determining if an instruction you suspect is being intercepted is taking "too long" or not.
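The timing check described in the two paragraphs above, written out as an added example (this is not code from the Slashdot thread, from Rutkowska, or from the challenge team's tools). It measures the best-case cost of CPUID, an instruction a VT-x hypervisor must intercept, in two ways: with RDTSC, which the post notes a hypervisor can falsify, and with CLOCK_MONOTONIC as an independent second clock source, so the two readings can be cross-checked. The function names, the structure, and the thresholds passed to `cpuid_looks_trapped` are assumptions for illustration, not calibrated values from any published detector.

```c
/* Added example: cross-check CPUID cost on two clock sources.
 * Not from the thread or any researcher's tool; names and thresholds are
 * assumptions for illustration. Builds on x86/x86-64 with GCC or clang;
 * on other architectures measure_cpuid() reports "unsupported". */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() macro */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Results of one run. Each value is the MINIMUM over all samples: the
 * best case filters out interrupts, scheduler noise and cache misses,
 * leaving only the cost the instruction itself (plus any trap) incurs. */
typedef struct {
    int      supported;     /* 0 when not built for x86: nothing measured */
    uint64_t empty_cycles;  /* min TSC delta between two back-to-back RDTSCs */
    uint64_t cpuid_cycles;  /* min TSC delta around one CPUID */
    uint64_t cpuid_ns;      /* min CLOCK_MONOTONIC delta around one CPUID */
} cpuid_timing;

/* Alternate time source, independent of the TSC the post says can be faked. */
static uint64_t monotonic_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* CPUID leaf 0 (vendor string). Under Intel VT-x CPUID always causes a
 * VM exit; under AMD SVM the intercept is optional but normally enabled. */
static void run_cpuid(void) {
#if HAVE_X86
    unsigned int a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
#endif
}

cpuid_timing measure_cpuid(int samples) {
    cpuid_timing r = { HAVE_X86, UINT64_MAX, UINT64_MAX, UINT64_MAX };
    if (!HAVE_X86 || samples <= 0) {
        r.supported = 0;
        r.empty_cycles = r.cpuid_cycles = r.cpuid_ns = 0;
        return r;
    }
#if HAVE_X86
    for (int i = 0; i < samples; i++) {
        /* Baseline: cost of the measurement itself, no CPUID in between. */
        uint64_t t0 = __rdtsc();
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < r.empty_cycles) r.empty_cycles = t1 - t0;

        /* Same measurement with CPUID inside (TSC). */
        t0 = __rdtsc();
        run_cpuid();
        t1 = __rdtsc();
        if (t1 - t0 < r.cpuid_cycles) r.cpuid_cycles = t1 - t0;

        /* Same measurement with CPUID inside (independent clock). */
        uint64_t n0 = monotonic_ns();
        run_cpuid();
        uint64_t n1 = monotonic_ns();
        if (n1 - n0 < r.cpuid_ns) r.cpuid_ns = n1 - n0;
    }
#endif
    return r;
}

/* Flag a trap only when BOTH sources agree: CPUID costs more than `ratio`
 * times the empty measurement on the TSC, and more than `ns_floor` on the
 * monotonic clock. A hypervisor faking just the TSC fails the second test. */
int cpuid_looks_trapped(const cpuid_timing *t, uint64_t ratio, uint64_t ns_floor) {
    if (!t->supported) return 0;
    return t->cpuid_cycles > ratio * t->empty_cycles && t->cpuid_ns > ns_floor;
}

int main(void) {
    cpuid_timing t = measure_cpuid(10000);
    if (!t.supported) { puts("not an x86 build; nothing measured"); return 0; }
    printf("empty rdtsc pair: %llu cycles\n", (unsigned long long)t.empty_cycles);
    printf("cpuid:            %llu cycles, %llu ns on CLOCK_MONOTONIC\n",
           (unsigned long long)t.cpuid_cycles, (unsigned long long)t.cpuid_ns);
    /* Thresholds (20x, 500 ns) are illustrative assumptions, not calibration. */
    printf("verdict: %s\n", cpuid_looks_trapped(&t, 20, 500)
           ? "CPUID cost is consistent with a trap" : "no trap evident");
    return 0;
}
```

Build with `cc -O2 -o cpuidtime cpuidtime.c` and run it on bare metal and again inside a known VM to see the difference the thresholds have to separate. The design point matches the post: a single clock can be lied to, so the verdict is only raised when the TSC and the monotonic clock (which on Linux may itself be derived from the TSC or from another clocksource) both report a slow CPUID; any further source the post lists, such as disk or network round-trips, would be added the same way as a third reading.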
1. create dd dumps of both drives and run diffs on the images. Added benefit of also seeing if any lower level filesystem stuff was changed and not just files.
2. find / -type f -exec md5sum {} \; compare md5sums to find which files are different. Though this will cause a problem with storing the md5, maybe use a ram drive or exclude /media or /mnt.
"You guessed wrong."
"You only think we guessed wrong. That's what's so funny! We switched laptops when your back was turned! Ha ha! You fool! You fell victim to one of the classic blunders! The most famous is never get involved in a land war in Asia, but only slightly less well-known is this: never go in against three high-profile security researchers when a laptop is on the line! Ahahahahaha! Ahahahaha! Ahaha-"
"And to think, all that time it was your laptop that had malware."
"They both had malware. I spent the last few years building up an immunity to blue pills."
SIGSEGV caught, terminating
wait... not that kind of sig.
Activate it on both and see if they can tell.
and to make it even more fun, put something extra on them too.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
Hello. I'm Thomas Ptacek, one of the four challenge team members --- Slashdot left out Dino Dai Zovi, who kicked this off by writing a virtualized rootkit at Matasano last year.
Joanna has responded to our challenge. We invited her to stipulate any terms she deemed reasonable. She proffered:
You can probably predict our response.
Here's where it stands: all parties agree that by Black Hat '07, Blue Pill will not be in a state where it is hard to detect. Our detection techniques are likely to detect Blue Pill at Black Hat. Blue Pill requires six months of engineering time to get to a state where Joanna is confident that we can't detect it.
Here's why you care: a few weeks ago, Microsoft decided that Vista Home would not allow virtualization, in part because of the threat of virtualized malware. To the best of our knowledge, there have been two (2) real hypervisor rootkits ever produced: Joanna's Blue Pill, and Matasano's Vitriol. Neither has ever been seen in the wild, because neither has been released to the public. Meanwhile, our team is preparing to demonstrate at Black Hat this year that hypervisor malware is actually even easier to detect than the kernel malware operating systems like Vista are already exposed to.
Joanna's Blue Pill work, along with all the rest of her work (check out this project, where she turns AMD security hardware against forensics devices), is top-notch. In a weird, secretive space like security, this is how science gets done. Joanna chooses a side: it's possible to make undetectable malware. We square off on the opposite side. Then we debate it using code, presentations, papers, and I guess Slashdot stories. Hopefully, in the end, we all learn something.
Hope this stays interesting for everyone. Thanks for paying attention!
I have been repairing computers for friends/coworkers for some time and Rootkits scare me. I run the MS tools, the blacklight, the A2Free, the hive comparators.... and pray that I'm not missing something. It's either that or re-install their OS, and since they come with DELL OEM licenses before Dell shipped CDs, that's a crapshoot.
...
The last machine I worked on actually had 'new' virii on it, which went off to Avira and Norton as a 'new' virus and was included in the next day's updates. Insane.
My brother in law wants a new computer because he no longer trusts his disk - it's been infected so many times that he figures it's easier to get a new system (I've reimaged it several times to fix the problems). I keep pointing out that it only takes one infection to ruin the new computer, but he's adamant.
Why can't we just get along...
(and don't tell me to put Ubuntu on people's laptops...)
Compare this to making a "secure" operating system - every bug doesn't have to be secured - just the ones that are being exploited. Same with anti-virus programs - they don't catch all viruses, only what they know to look for.
So the rootkit doesn't have to be perfect to be invisible to *most* users... it just has to hide from the AV software (or other security). And as the security software gets better... so can the rootkit, ie, in the next "version" add the bugs that the security programs are looking for.
Who needs progress when you have profits?
If I were her, I would put Blue Pill on both machines. This has two advantages for her: First, the examiners' obvious strategy of comparing runtime aspects (CPU %, execution time, IO, etc) between the two machines fails, because now both machines incur the VM overhead penalty, and second, if the examiners pick out one of the machines as infected, she can 'prove' them wrong by showing the infection on the other one (given the contest rules of one clean machine, one infected machine). It's worth noting that that's not a real proof, because if the examiners really can deduce the presence of Blue Pill, then they could just show that both are infected. But this strategy definitely defeats the 'compare execution' plan that the examiners have said they are going to use.
I found this useful:
Debunking Blue Pill myth
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
...then you count Windows Vista as malware to begin with. Free laptop!
I don't know enough about the details of the challenge or if it is meaningful. I do know Nate Lawson is at least partially a fraud.
Nate Lawson claims credit for Decru DataFort (never hesitating to push his claim in every place I see his name mentioned, for example: http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1256055,00.html ). His claims range between having designed DataFort to having written the first implementation.
The truth is, Nate Lawson left Decru very shortly after joining (probably less than 4 months), long before DataFort was in any way well defined, let alone implemented. In addition, whatever little work he did initially contribute was thrown out as close to useless.
How do I know? I started at Decru shortly before Nate Lawson left and I still work there. The building janitor has contributed more to DataFort's existence than Nate Lawson has.
It should be really easy to detect which Windows machine has had the blue pill used on it--it's the one that's able to stay up for four hours.
This guy's the limit!
HTH
Amen... she's so sexy..
i would love to hear her talk about rootkits while..
Kill your TV
Just weigh the machines. The heavier one would have to have the extra files and stuff.
Assuming that Joanna is correct in her assertion and that she demonstrates it at some point, it will then be out 'in the wild' and you will have a working detection (if your assertions are also correct). How much do you think your company will make by selling 'protection' until the others can catch up? If you will make less than Joanna is asking, then your product isn't actually worth very much; however, I think that you believe differently. Being paid for one's time, and expecting a share of your profits because she is prepared to explain how she does it, seems reasonable to me.
the other laptop is a witch!
She is the infamous Rutkowska, after whom the term rutkit, later bastardized to rootkit was named!
The no virtualization restriction has nothing to do with malware (or DRM) and everything to do with making sure that Ubuntu, Apple, and everyone else with an OS can never distribute an install disc that automagically backs up the user's existing OEM Vista Home environment into a VM. Simple, seamless, incremental transitions away from Windows scare Microsoft much more than any malware (especially now that they've discovered they can keep their 90%+ market share when over half their users are infected with malware).
Come on, everyone knows it's just penis envy, because Joanna is WAY "l33ter" than all three of those dweebs put together.
then the same technology could be used for DRM.
The Kruger Dunning explains most post on
A guy walks into a doctor's office. His right eye is bloody and bruised. "Doc," he says, "I've got a problem. Every time I drink cocoa at home, my eye hurts."
The doctor, shocked at the condition of his new patient's eye, runs a gamut of tests, ruling out allergies or other clinical issues. Thinking the issue may be psychosomatic, he sits his patient at a table on which rests a tin of cocoa mix, a thermos of hot water, a cup, and a spoon. He invites the gentleman to mix up the cocoa and take a sip.
The man pours hot water into the cup, and dumps in a couple of heaping spoonfuls of mix, using the spoon to mix vigorously. He then drinks from the cup, and immediately screams. Hastily placing the cup on the table, he clasps his hands to his eye.
"Interesting," the doctor proclaims. "Have you ever considered removing the spoon before drinking?"
(and don't tell me to put Ubuntu on people's laptops...)
This seems to be a problem of your own making. If you refuse to remove the spoon, you will continue to hurt your eye.
Microsoft is to software what Budweiser is to beer.
Really?
[FUCK BETA]
Geek or not, that comment probably just lost any smidgen of a chance you had of ever getting laid.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
Vincini: But it's so simple. All I have to do is divine from what I know of you: Are you the sort of man who would install the rootkit into his own computer or his enemy's? Now, a clever man would install the rootkit into his own computer because he would know that only a great fool would install what he was given in a popup. I am not a great fool so I can clearly not choose the laptop in front of you. But you must have known I was not a great fool - you would have counted on it - so I can clearly not choose the wine in front of me!
Westley: You've made your decision then?
Vincini: Oh not remotely! Because Blue Pill comes from Australia, as everyone knows, and Australia is entirely peopled with copyright infringers. And copyright infringers are used to having people not trust them as you are not trusted by me so I can clearly not choose the wine in front of you.
Westley: Truly, you have a dizzying intellect.
Vincini: Wait 'till I get going! Where was I?
Westley: Australia.
Vincini: Yes, Australia! And you must have suspected I would've known the rootkit's origin, so I can clearly not choose the laptop in front of me.
Westley: You're just stalling now.
Vincini: You'd like to think that, wouldn't you?!? You've beaten my giant password, which means your firewall's exceptionally strong, so you could've installed the laptop in your own computer trusting on your processing power to save you, so I can clearly not choose the laptop in front of you. But, you've also bested my Spaniard, which means you must've studied - and in studying you must've learned that man is mortal, so you would've installed the rootkit as far from yourself as possible, so I can clearly not choose the laptop in front of me.
Westley: You're trying to trick me into giving away something. It won't work.
Vincini: It has worked! You've given everything away! I know where the rootkit is!
Westley: Then make your choice!
Vincini: I will. And I choose... What in the world can that be?!?
Westley: What? Where? I don't see anything.
Vincini: Oh well I... I could've sworn I saw something... No matter.
Westley: What's so funny?
Vincini: I'll tell ya in a minute. First, let's boot up. Me from my computer and you from yours.
Westley: You guessed wrong.
Vincini: You only think I guessed wrong. That's what's so funny! I switched laptops when your back was turned! Haha! You fool! You fell victim to one of the classic blunders. The most famous is never get involved in a land war in Asia, but only slightly less well known is this: never go in against a Sicilian when identity theft is on the line! HAHAHAHAHAhaha! aHahahahaha! aHahaha!
*bluescreen of death*
It is impossible to enjoy idling thoroughly unless one has plenty of work to do.
- Jerome Klapka Jerome
You keep using that word. I do not think it means what you think it means.
Like CSI, you know, dust the keyboards for prints.
She will lose. On both, the antivirus will detect that Windows is installed, so both will have malware, Blue Pill or not.
She IS wrong to make such a statement, no matter what stupid game they play to prove who is right. You simply cannot make a program that can be 100% undetectable. How would you even know it was running or doing its job? Hey, I just installed an undetectable program on your computer, prove me wrong. It's a flawed idea right from the start to stand behind such an obviously wrong statement.
As I posted on her blog, to achieve a 100% undetectable rate you'd more or less be defying all the known principles of the universe, declaring a new absolute: that I've created code so great that it cannot be outsmarted. riiiiight
Name one other thing in the universe that is 100% reliable. Even light has limits to its absolute status, and it's supposed to be THE constant. Then you consider it's just a program made by some flawed human mind over the course of a tiny amount of time, and tell me how logically you could believe that it's going to produce this result of absolute undetectable status. It's just not possible.
It might be virtually undetectable, but it's not going to be 100% and the fact the author makes such statements discredits her to some degree like any scientist making wild claims that more or less fly in the face of modern reasoning.
god i wish i had mod points.
it's creepy shit like this that makes me love slashdot.
The test is for in-memory exploits which do not get written to disk. The malware may not persist through a reboot, but many crucial systems have long uptimes.
1) pull hard disk mount ro ...
2) diff against image
3) Profit!
I would be careful to work on such a challenge, if I were her :) . I suppose the best step for her would be to decline politely.
Wait, what?
Per TFL: "A mystery? It's more than obvious that Mrs. Rutkowska is a transsexual." Obvious?
Not to several of the posters above this one, at a minimum...
It's not clear if it's gonna be new software from Symantec or just the current version of antivirus.
If it's something new, they should give her a chance to play with it first.
Someone modded this Troll, but it's clearly supposed to be Funny.
Congratulations on wasting some tool's mod point. There's some guy out there who can't tolerate the word "cunt," even when it is part of a hilarious and clever pun. He's just that much of a tool.
From http://theinvisiblethings.blogspot.com/
The detector can not consume a significant amount of CPU time (say > 90%) for more than, say, 1 sec. If it does, then it's considered disturbing for the user and thus impractical.
This is almost as ridiculous as the $380000++. Hell, many places use (crappily configured) virus scanners that use 90% CPU for half an hour. Besides, an 'undetectable' rootkit is disturbing enough that most people wouldn't care about being disrupted for quite a bit longer than a sec.
She should choose two of those 'Million Dollar Laptops' reported on a while back :).
Fill the HD with data. When it runs out of free space, check for unaccounted disk space. If there is any, you detected a rootkit :)
Mixed feelings:
They (vendors) were confident in their original post, but when money is on the table they said nope.
For the record; I do think $200 dollars an hour is a little excessive for two people. Per person, per year would be $208,000 (100x40x52 = 208,000). I know experienced / top-rated neurologists in the US: they don't make that kind of money.
Hopefully they can come to a better financial understanding. Vendors should put up the cash; but Joanna Rutkowska should be a little more reasonable on the price.
If the vendors are so sure, then they should have nothing to worry about; right?
FYI: The cost of living in Poland:
http://www.expatfocus.com/expatriate-poland-currency-costs
Check how much RAM appears to be installed and how much is used by the OS.
To win, she needs laptops that are NOT identical.
Five laptops, one with her stuff, and the other four with benign virtualization. :-)
I mean, really, how are you to be sure it isn't just something like VMWare?
Testing for specific products has problems. The list of products is unbounded and unknowable. (VMWare, Virtual PC, Parallels, Qemu+KVM... and even future products) Her malware can pretend to be Qemu+KVM, and how would you know it isn't?
DefCon is way easier to attend. It's cheap and we need only 1 vacation day to attend. Blackhat costs an arm and a leg and, last I checked, was in the middle of the week.
Any leeto would realize that the only place for a truly undetected rootkit is at microcode level. To accomplish that you hope that the designers of the chip were human and left ample room to play with. A code cave is such no matter what level of abstraction you implement the ability to change.
Just install Windows on it, malware that 95% of the population doesn't detect.
Well now we know that CPU usage is an indicator of the rootkit, a detector shouldn't be too hard. Thanks author of the undetectable rootkit for telling us how to detect it!
Agree 100% with siblings, screw the uptight mods.
Very witty, nice job!
Giving them a 50% chance of guessing right seems lame, and the reward for beating 50% odds is only a single laptop, which is equally lame.
Give her 10 laptops and let her BP one of them. If they guess wrong, she keeps all 10.
THAT'S fair.
I am also having to assume the software must be installed and run by a 3rd party, so we don't have any engineers "snooping" around the system for anomalies to direct their software to investigate. Not that a true 100% BP would mind that, but let's keep everyone honest.
I work for the Department of Redundancy Department.
I love this! People with last names that spell their destiny in one way or another. Archimedes. Newton. Einstein.
By the way, the Wachowski brothers have "wachac" as a meaningful root ("wachac" loosely means "to doubt" in Polish).
Sorry, but Rutkowska wins this and subsequent rut-kit challenges.
"it's creepy shit like this that makes me love slashdot." - by turbine216 (458014) on Friday June 29, @03:26PM (#19692861)
Nothing against you personally, turbine, because I don't even know you, but I have to offer a contrasting opinion here:
It's creepy shit like that here, OR elsewhere ( http://en.wikipedia.org/wiki/Talk:Joanna_Rutkowska ), that makes me hate it @ times... especially this shit, a quote from that wiki page:
"It's more than obvious that Mrs. Rutkowska is a transsexual"
Wtf! Some jealous, do-nothing dork online, who can't even BEGIN to accomplish what this chick has, has to go & write stuff like that... my god, what has the world come to.
Grow up, is all I can say to whoever the unhappy pud was that wrote that shit on Wikipedia (that she's a transsexual, wtf!) about this lady...
The world needs more like her, imo @ least & certainly in THIS art & science: Computing!
In computers, I consider her the "Yuriko Deathstrike" of the internet:
http://xmen.ugo.com/images/galleries/xmen_deathstrike_girlfriends/6_180.jpg
(Smart, pretty, & DANGEROUS AS HELL (if she chose that route, thank goodness she has not))
APK
P.S.=> She makes me proud to be Polish (& so do their kids outta academia that year in & year out, turn out to be the BEST programmers out of academia there is, bar-none!)... apk
I'd pay 384,000$ to see Joanna nekkid
I'm sorry /. nerds, but that blue pill is a fairy-wanna-be-hacker tale.
It is a fact that no such "blue pill" could hide itself from a timing attack.
Rutkowska is a joke and her random babblings are full of logical fallacies.
I've got several Core 2 Duos running with a hypervisor (currently running Xen HVM with a Linux dom0 and a Windows dom0). Now, please, Rutkowska, show me how this box could have a hypervisor rootkit and still allow me to run Windows in an HVM domain ???
It is impossible, which is a fact. Oh, no, wait, it is possible... IF you then emulate Windows (instead of running it natively in a hardware-virtualized domain). But guess what, it would be so dog slow that the "timing attack" would be myself noticing that something super-fishy is going on (note that here it's the lamest of all "timing attacks" I'm doing... If I was really concerned I'd realize the timing attack from another system, through the network).
We're back to square one: it is impossible to write a hypervisor rootkit that resists a timing attack.
She's a joke... And that's a fact.