Rutkowska Faces 'Blue Pill' Rootkit Challenge

Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."

Obvious Request I Can Think Of

[eldavojohn]

"If she has any particular requests, we'll almost certainly grant them," he added. To be successful, I can think of a couple requests. One would just be to have more than one other non-infected computer. I could do nothing to the computers and randomly pick one, thus being right. I suppose that's obvious though. Maybe have several trial runs.

Another obvious thing I would request is that different services software be installed (and running) on the laptops. Like maybe put MySql on one running as a service and PostGres on the other. That way they can't do something as ridiculously simple like a memory or CPU profiler to find out which one is using up (all beit small) more CPU resources & memory. That seems to be the strategy of the challenging team:

Matasano's Ptacek, who has spent a lot of time studying Rutkowska's work, said the challenge team will compare the behavior of the system to known norms to find the presence of Blue Pill. But how many times do you approach a computer that's infected & have all the behaviors of that machine mapped out? I think the real world answer to that is never. So perhaps the name of the "100% undetectable rootkit" will have to be "100% undetectable in the wild rootkit" since most of us have software on our machines (hell, even World of Warcraft did this) and not even us (the people who installed it) can adequately predict what its going to do. I guess one could always make a rootkit that (given the priviledges) targets a host process deep within a host tree and inserts itself into it. You CPU scheduler would simply be running a thread of a trusted set of processes but unless you had a behavior/benchmark for each process of that tree, you'd be hard pressed to figure out it is host to a virus. That said, I think it's entirely possible to create a nearly 100% undetectable rootkit as long as there are unknown & unprofiled processes running on that machine at the time. Just one more reason to only use open source, I guess!