Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rutkowska Faces 'Blue Pill' Rootkit Challenge

Posted by Zonk on from the exciting-conference dept.

Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."

1 of 223 comments (clear)

  1. The State Of The Challenge So Far by tqbf · · Score: 5, Informative

    Helu. I'm Thomas Ptacek, one of the four challenge team members --- Slashdot left out Dino Dai Zovi, who kicked this off by writing a virtualized rootkit at Matasano last year.

    Joanna has responded to our challenge. We invited her to stipulate any terms she deemed reasonable. She proferred:

    • Five (5) laptops instead of two (2), as a defense against lucky guessing.
    • We can't crash the machines in the process of testing.
    • We can't spike the CPU on the machine for more than one (1) second.
    • We have to open source our detector, and she'll open source her rootkit.
    • We have to arrange to have her paid between $384,000 and $416,000, and wait six months.

    You can probably predict our response.

    Here's where it stands: all parties agree that by Black Hat '07, Blue Pill will not be in a state where it is hard to detect. Our detection techniques are likely to detect Blue Pill at Black Hat. Blue Pill requires six months of engineering time to get to a state where Joanna is confident that we can't detect it.

    Here's why you care: a few weeks ago, Microsoft decided that Vista Home would not allow virtualization, in part because of the threat of virtualized malware. To the best of our knowledge, there have been two (2) real hypervisor rootkits ever produced: Joanna's Blue Pill, and Matasano's Vitriol. Neither has ever been seen in the wild, because neither has been released to the public. Meanwhile, our team is preparing to demonstrate at Black Hat this year that hypervisor malware is actually even easier to detect than the kernel malware operating systems like Vista are already exposed to.

    Joanna's Blue Pill work, along with all the rest of her work (check out this project, where she turns AMD security hardware against forensics devices), is top-notch. In a weird, secretive space like security, this is how science gets done. Joanna chooses a side: it's possible to make undetectable malware. We square off on the opposite side. Then we debate it using code, presentations, papers, and I guess Slashdot stories. Hopefully, in the end, we all learn something.

    Hope this stays interesting for everyone. Thanks for paying attention!