Rutkowska Faces 'Blue Pill' Rootkit Challenge

Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."

More Laptops

[stinerman]

So they have a 50/50 shot of getting it right. How about something more along the lines of 10 laptops? And then they have to say what tipped them off.

Re:More Laptops

[Smidge204]

The counter-requirements sound suspiciously lopsided to reduce the chance of detection.

In summary:

-Multiple machines. Fine.

-"bluepill.exe and bluepill.sys" wil be installed on ALL machines. Okay, I guess they don't want them to just check the drive's free space to see if extra files were added?

-ALL machines will have the driver loaded, but not necessarily be "infected". Is that a reasonable condition for a rootkit "in the wild"? If the rootkit is doing it's job you shouldn't be able to detect the driver being loaded in the first place.

-Detector.exe must be completely autonomous and return only a single flag value to indicate infection. This sounds like a completely unreasonable requirement, since even rudamentary human review of the results is a realistic real-world scenario.

-The detector can not cause system crash or halt the machine. I fail to see why this would be a requirement, unless you argue that whatever system that might be tested is mission critical and can't afford ANY unplanned downtime... unexpected crashes are bad, but shouldn't be an instant-lose condition.

-The detector can not consume significant amount of CPU time. Why not? If the user is scanning for a rootkit, they probably understand it's a fairly serious issue and should be willing to devote resources to it. Inconvenient? Sure, but again not a condition of failure.

-Compensation for working on the project. I can understand this, but really... even if Blue Pill fails to stay hidden, they "win" 6 months of full employment with no repercussions for failure to deliver a working project other than bad reputation.

Basically, it sounds to me that they aren't really claiming Blue Pill is "undetectable" - only that it is undetectable by one-click idiot-proof software that is run under conditions unlikely to be seen in the wild. I see no reason why the detection team would be prevented from using a boot CD to examine the contents of the hard drive, for example, perhaps even loading their OWN virtual machine to virtualize the malware-infected system and monitor for suspicious activity. I see it as completely fair game.
=Smidge=

Re:More Laptops

[rtb61]

That test model is still not correct. What has to happen is that every laptop has to have the contents of it's hard disk drive changed after the test has commenced. It should reflect the real world, there are not identical laptops in real world usage. I mean anybody can do the check they are talking about, simply pull out the hard drives and do a bit by bit comparison, big deal. A real world test reflects that the laptops are running different software and different configurations and have different data stored. Ideally it should be done on PCs where you also have different hardware and drivers.

c'mon...

[cosmocain]

...a 50 percent chance? do that with about 30 laptops to rule out that the infected laptop is picked by pure luck. ;)

Obvious Request I Can Think Of

[eldavojohn]

"If she has any particular requests, we'll almost certainly grant them," he added. To be successful, I can think of a couple requests. One would just be to have more than one other non-infected computer. I could do nothing to the computers and randomly pick one, thus being right. I suppose that's obvious though. Maybe have several trial runs.

Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySql on one running as a service and PostGres on the other. That way they can't do something as ridiculously simple like a memory or CPU profiler to find out which one is using up (all beit small) more CPU resources & memory. That seems to be the strategy of the challenging team:

Matasano's Ptacek, who has spent a lot of time studying Rutkowska's work, said the challenge team will compare the behavior of the system to known norms to find the presence of Blue Pill. But how many times do you approach a computer that's infected & have all the behaviors of that machine mapped out? I think the real world answer to that is never. So perhaps the name of the "100% undetectable rootkit" will have to be "100% undetectable in the wild rootkit" since most of us have software on our machines (hell, even World of Warcraft did this) and not even us (the people who installed it) can adequately predict what its going to do. I guess one could always make a rootkit that (given the priviledges) targets a host process deep within a host tree and inserts itself into it. You CPU scheduler would simply be running a thread of a trusted set of processes but unless you had a behavior/benchmark for each process of that tree, you'd be hard pressed to figure out it is host to a virus. That said, I think it's entirely possible to create a nearly 100% undetectable rootkit as long as there are unknown & unprofiled processes running on that machine at the time. Just one more reason to only use open source, I guess!

Re:Obvious Request I Can Think Of

[SanityInAnarchy]

Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySql on one running as a service and PostGres on the other.

Better yet: Let each laptop (out of maybe 20 or so, instead of just two) be used by someone for maybe a few days or a week leading up to the test. Rutkowska is the only one allowed to (deliberately) install a rootkit, or any kind of malware, but everyone else is allowed to do pretty much whatever they want. Then, let them sort out which ones have rootkits, and specifically, which one was Blue Pill.

But how many times do you approach a computer that's infected & have all the behaviors of that machine mapped out? I think the real world answer to that is never.

At least, not completely. I suspect they might still be able to figure it out, but the test could at least be made fair.

Then again, I suspect that this test was created more because many people, myself included, find that "100%" anything in security leaves a bad taste in our mouths. I admit that there's pretty much no chance anyone would be able to detect her rootkit. However, a completely unfair test (in which you can simply do a full-drive checksum from a boot CD) is all that's needed to prove it's not "100%".

Just one more reason to only use open source, I guess!

While I agree, sort of, this doesn't really make sense for the reasons you said. Unless you have a behavior/benchmark for each process on ANY system, you can't know that there isn't some infected process somewhere -- this has nothing to do with it being proprietary. I tend to suspect that open source would make it less likely for malware to get on the system in the first place, and less likely for it to get elevated to a level where a really good rootkit is possible (although I admit, most of us would probably be fooled by any rootkit), but that is only because I tend to suspect that open source is generally more secure overall.

And sendmail proves that it isn't, always.

The availability of source code, if anything, probably increases the vulnerability of the system to a really, really hard-to-detect rootkit. After all, the rootkit could recompile your kernel.

I do think you should use open source, and I do think malware is a reason, but I don't think rootkits are any less likely to happen than any other kind of malware on an open source system. Don't forget, "rootkit" is a term from the UNIX world.

Re:How to win the challenge

[Overzeetop]

That was my thought, too.

I think they should have her set it up, then give the two laptops to a pair of teenage girls for 3 weeks with $300 to spend on any software they choose and an unencumbered internet connection. Then have them search the two. Think of it as two decks of cards, but shuffling them before you try to find the differences.

Virii and RootKits

[purduephotog]

I have been repairing computers for friends/coworkers for some time and Rootkits scare me. I run the MS tools, the blacklight, the A2Free, the hive comparators.... and pray that I'm not missing something. It's either that or re-install their OS, and since they come with DELL OEM licenses before Dell shipped CDs, that's a crapshoot.

The last machine I worked on actually had 'new' virii on them, which went off to AVira and Norton as a 'new' virus and was included in the next days updates. Insane.

My brother in law wants a new computer because he no longer trusts his disk - it's been infected so many times that he figures it's easier to get a new system (I've reimaged it several times to fix the problems). I keep pointing out that it only takes one infection to get ruin the new computer, but he's adamant ...

Why can't we just get along...

(and don't tell me to put Ubuntu on peoples laptops...)

A better strategy for Rutkowska

[igotmybfg]

If I were her, I would put Blue Pill on both machines. This has two advantages for her: First, the examiners' obvious strategy of comparing runtime aspects (CPU %, execution time, IO, etc) between the two machines fails, because now both machines incur the VM overhead penalty, and second, if the examiners pick out one of the machines as infected, she can 'prove' them wrong by showing the infection on the other one (given the contest rules of one clean machine, one infected machine). It's worth noting that that's not a real proof, because if the examiners really can deduce the presence of Blue Pill, then they could just show that both are infected. But this strategy definitely defeats the 'compare execution' plan that the examiners have said they are going to use.

Re:not a fair test

[tqbf]

If Joanna wants to stipulate that we pick Blue Pill out of a morass of pre-installed kernel and userland rootkits, we would of course agree to that term. Neither Joanna's team nor ours seems to think that's a meaningful addition to the test. Like the Vitriol rootkit Dino Dai Zovi wrote for Matasano last year, Joanna's rootkit lives in a special slice of memory inside of a special execution context carved out by the hardware. It is unlike any other X86 rootkit in how it intercepts control of the platform and how it stays resident.

Installing a bunch of crappy malware alongside something as slick as Blue Pill is very much the same as trying to hide a Ferarri in a junkyard lot filled with rusted out Chevy Novas. But, by all means, if Joanna wants to add meaningless obstacles --- let nobody say we allowed those obstacles to impede science!

Re:Debunking Blue Pill myth

[WK2]

I would mod you up, but I have no points.

The Blue Pill is indeed a myth. It is detectable. All you have to do, is check if you are running under a virtual machine. Contrary to the claims of Joanna Rutkowska, this is easy, not impossible. If you didn't think you were running under a VM, but you are, something is wrong.

It is also removable. Simply reboot the machine. I didn't say re-install, but reboot. If blue pill were to install files to the hard drive, the files would be detectable in an offline scan. Because Joanna claims that even an offline scan would not detect blue pill, it doesn't write to the hard drive. Because it doesn't write to the hard drive, it is not persistent.

On the other hand, Joanna's claims are often moderately dishonest, at best. There is no such thing as completely undectable. If you sneezed 10 years ago, there is evidence of it somewhere.

She hasn't released the code. She might have legitimate reasons, but this is normally considered inexcusable for security research. All we have to go on is "what she says."

Re:The State Of The Challenge So Far

[tqbf]

You should become a secure programmer, which is the rate she's working from. There aren't enough secure programmers to go around.

they should give her the software first

[anton_kg]

it's not clear if it's gonna be new software from Symantec or just the current version of antivirus.
If it's something new, they should give her a change to play with it first.