Slashdot Mirror


Rutkowska Faces 'Blue Pill' Rootkit Challenge

Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."

5 of 223 comments

  1. How to win the challenge by pickyouupatnine · Score: 3, Insightful

    Don't install the rootkit on either one! ;) No, seriously now: if all she was allowed to do was touch one of them, and both laptops had the exact same everything else, then it should be simple to find ANYTHING that was added to either one. But maybe I'm being naive.

    --
    _Vishal www.squad9.com
  2. Not a fair test by waspleg · Score: 4, Insightful

    This is clearly not a fair test. No one installs rootkits on virgin installs. Also, giving a small set of laptops means they have a much larger chance of just guessing which one, even if they're wrong from their analysis. And if the rootkit is the only thing on it besides an OS, how hard would that be to find? Look at the file access dates? With no other software installed this should be trivially easy to find.

    Now if they wanted to test on an E-machine, which already comes pre-loaded with malware, where they'd have to actually look for Blue Pill code, that might be a little more balanced and realistic, since virtually all consumer PCs have some form of virus or malware, as people have no clue what it is or what it does, and they like their animated mouse icon even if it's stealing their CC#s for African nationals.
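The "find anything that was added" approach that the first two comments describe, as an added example that is not part of the Slashdot thread: build a manifest of (size, SHA-256) for every file under a baseline tree and a candidate tree, diff the two, and list the most recently modified files as the "look at the file dates" heuristic. The two sample trees are constructed in a temporary directory inside the script, so it runs offline; the directory names and file contents are invented for the illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each regular file under root (POSIX-style relative path) to (size, sha256)."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return manifest


def diff_manifests(baseline, candidate):
    """Return the paths that were added to, removed from, or altered in the candidate tree."""
    base_paths, cand_paths = set(baseline), set(candidate)
    return {
        "added": sorted(cand_paths - base_paths),
        "removed": sorted(base_paths - cand_paths),
        "modified": sorted(p for p in base_paths & cand_paths if baseline[p] != candidate[p]),
    }


def newest_files(root, count=3):
    """Relative paths of the most recently modified files, newest first (waspleg's 'file dates' check)."""
    root = Path(root)
    files = [p for p in root.rglob("*") if p.is_file()]
    files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return [p.relative_to(root).as_posix() for p in files[:count]]


def make_sample_trees():
    """Constructed sample: two identical trees, then one extra and one altered file in the second."""
    base = Path(tempfile.mkdtemp(prefix="laptop_a_"))
    cand = Path(tempfile.mkdtemp(prefix="laptop_b_"))
    for root in (base, cand):
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "config").write_text("a=1\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF constructed placeholder")
    # Changes only on the second "laptop": an altered config and a dropped extra file.
    (cand / "etc" / "config").write_text("a=1\nb=2\n")
    (cand / "opt").mkdir()
    (cand / "opt" / "dropped.bin").write_bytes(b"constructed extra payload")
    return base, cand


def compare_sample_trees():
    """Run the whole comparison on the constructed trees and return the diff."""
    base, cand = make_sample_trees()
    return diff_manifests(build_manifest(base), build_manifest(cand))


if __name__ == "__main__":
    base, cand = make_sample_trees()
    print(diff_manifests(build_manifest(base), build_manifest(cand)))
    print("newest on candidate:", newest_files(cand))
```

Hashing rather than comparing timestamps is what makes the diff trustworthy: a modification time can be set to anything, but a changed file cannot keep its old SHA-256. Note that this only covers what touches the disk; a hypervisor that lives purely in memory, which is the whole point of Blue Pill, would not show up in such a manifest at all.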

  3. Re:More Laptops by Billosaur · Score: 4, Insightful

    I think this calls for a double-blind experiment with a larger sample size, say 20 laptops. 10 laptops are held out and left untouched; the other ten will either be infected with Blue Pill or not based on a random coin flip. Then it would not just be a question of detecting it, but detecting it to a sufficient degree to put it beyond chance. A 50-50 shot is just too high to be regarded as accurate.

    --
    GetOuttaMySpace - The Anti-Social Network
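What "beyond chance" means in numbers for the design Billosaur proposes, as an added example rather than anything from the thread: each laptop that may or may not be infected by coin flip is one yes/no decision with a 50% base rate, so the detector's score follows a Binomial(n, 0.5) distribution under the null hypothesis that it is only guessing. The functions below compute the probability of getting at least k of n right by luck and the smallest k that pushes that probability under a chosen significance level; the coin-flip assignment uses a seeded generator so the run is reproducible. The significance level of 0.05 is an assumption chosen for the illustration.

```python
import random
from math import comb


def p_value_at_least(k, n, p=0.5):
    """P(X >= k) for X ~ Binomial(n, p): the chance of k or more correct calls by pure luck."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def min_correct_for_alpha(n, alpha=0.05, p=0.5):
    """Smallest k such that scoring k or more of n is at most alpha likely under chance."""
    for k in range(n + 1):
        if p_value_at_least(k, n, p) <= alpha:
            return k
    return None  # no score on n trials can reach the requested significance


def assign_infected(n, seed):
    """Coin-flip which of n candidate laptops get 'infected' (True) in the double-blind design."""
    rng = random.Random(seed)
    return [rng.random() < 0.5 for _ in range(n)]


def score_detector(assignment, calls):
    """Count correct calls and return (correct, p-value of doing at least that well by luck)."""
    if len(assignment) != len(calls):
        raise ValueError("one call per laptop is required")
    correct = sum(a == c for a, c in zip(assignment, calls))
    return correct, p_value_at_least(correct, len(assignment))


if __name__ == "__main__":
    # The Black Hat setup: one decision, so even a correct answer is a 50% coin toss.
    print("single pair, correct call:", p_value_at_least(1, 1))
    for n in (10, 20):
        print(f"{n} coin-flipped laptops: need {min_correct_for_alpha(n)} correct for p <= 0.05")
    truth = assign_infected(10, seed=2007)
    print("constructed assignment:", truth)
    print("perfect detector:", score_detector(truth, truth))
```

With ten coin-flipped laptops the detector must get at least nine right before the result is significant at 0.05 (eight right already happens by luck about 5.5% of the time); with twenty it needs fifteen. The single-pair challenge in the article can never separate detection from a coin toss, which is the comment's point.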
  4. Re:More Laptops by aethogamous · Score: 3, Insightful

    The reason is fairly obvious once you think about it hard enough.

    I think everything is fairly obvious once you think about it hard enough ...

  5. Re:The fact is by itzac · Score: 3, Insightful

    It is possible to circumvent any single method of detection. And it's even possible to circumvent circumvention detection. In the real world this would become an arms race: security experts would find a way to detect the rootkit, and the next one would be able to evade that method of detection. Eventually, however, the hypervisor would spend enough cycles evading detection that the user would get tired of his bogged-down machine and would just reinstall the OS.

    I don't disagree with her theory, but in practice it is difficult enough to achieve that it will probably never happen.