OP
Hard-core CEG'er
Joined: Aug 2004
Posts: 2,542
Has anyone heard of this yet?
http://theinvisiblethings.blogspot.com/
Quote:
Introducing Blue Pill
All the current rootkits and backdoors, which I am aware of, are based on a concept. For example: FU was based on an idea of unlinking EPROCESS blocks from the kernel list of active processes, Shadow Walker was based on a concept of hooking the page fault handler and marking some pages as invalid, deepdoor on changing some fields in NDIS data structure, etc... Once you know the concept you can (at least theoretically) detect the given rootkit.
Now, imagine malware (e.g. a network backdoor, keylogger, etc...) whose capability to remain undetectable does not rely on obscurity of the concept. Malware which could not be detected even though its algorithm (concept) is publicly known. Let's go further and imagine that even its code could be made public, but still there would be no way of detecting that this creature is running on our machines...
Over the past few months I have been working on a technology code-named Blue Pill, which is just about that - creating 100% undetectable malware, which is not based on an obscure concept.
The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices, like graphics card, are fully accessible to the operating system, which is now executing inside virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.
How does Blue Pill-based malware relate to the SubVirt rootkit, presented a few months ago by Microsoft Research and the University of Michigan? Well, there are a couple of important differences:
1. SubVirt is a permanent (i.e. restart-surviving) rootkit. And it has to be, because SubVirt's installation process requires that it takes control before the original operating system boots. Consequently, in contrast to Blue Pill, SubVirt cannot be installed 'on-the-fly'. It also means that SubVirt must introduce some modifications to the hard disk, which allow for 'offline' detection.
2. SubVirt was implemented on x86 hardware, which doesn't allow 100% virtualization to be achieved, because there are a number of sensitive instructions which are not privileged, like the famous SIDT/SGDT/SLDT. This allows for trivial detection of the virtual mode - see e.g. my little Red Pill program. This, however, doesn't apply to Blue Pill, as it relies on AMD SVM technology.
3. SubVirt is based on one of the commercial VMMs: Virtual PC and/or VMware. Both of these applications create virtual devices to be used by the operating system, which are different from the real underlying hardware (e.g. network cards, graphics cards, etc.), which allows for easy detection of the virtual machine.
I would like to make it clear that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reason why it should not be possible to port it to other operating systems, like Linux or BSD, which can be run on the x64 platform.
I will be talking about Blue Pill and demonstrating a working prototype for Vista x64 at the end of July at SyScan Conference in Singapore.
Also, I will present a generic method (i.e. not relying on any implementation bug) of how to insert arbitrary code into the Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. Of course, the presented attack does not require a system reboot.
The worst thing is that it's undetectable; the FBI comes busting down your front door for something you don't even know about.
Last edited by GS474; 08/05/06 03:53 AM.
Hard-core CEG'er
Joined: Mar 2001
Posts: 7,431
I swear someday in the future I'm going to give up and just buy a G3 PowerBook and install System 6 on it.
Veteran CEG'er
Joined: Dec 2001
Posts: 777
Originally posted by GS474: Has anyone heard of this yet?
http://theinvisiblethings.blogspot.com/
The worst thing is that it's undetectable; the FBI comes busting down your front door for something you don't even know about.
Ingress and egress filtering: You might not be able to detect it running on your system, but you sure as hell can detect it trying to talk out your firewall.
Also, I find it hard to believe that there would be zero trace of it running. Even at the virtual machine level, there are still SOME calls made through the kernel to the hardware. DTrace/kprobes/etc. would tip you off to SOMETHING if you know where to look. (Note: my opinion is based on knowledge of Solaris and Linux. There's no telling how many places there are to hide inside Vista...)
--JamesT
>--------------<
--Chemguru
99 CSVT
Frost /Mid. Blue
00 Suzuki SV650
Red, Naked
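JamesT's egress-filtering point, as an added example that is not part of the thread: a Python script that runs a direct-egress check over a handful of constructed iptables-style LOG lines. The idea is exactly the one in his reply: you may not be able to see the thing on the host, but a perimeter firewall that logs every outbound packet will still show a workstation talking to the outside without going through the proxy, and a host that keeps calling the same outside address stands out. The VLAN ranges, the proxy and resolver addresses, the log lines, and the beacon threshold are all assumptions made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed iptables-style LOG lines standing in for a perimeter firewall that
# logs every packet leaving the workstation VLAN (eth1) toward the Internet (eth0).
# They are not from the thread or from any real host.
SAMPLE_LOG = """\
Aug  5 03:10:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 PROTO=TCP SPT=49152 DPT=3128
Aug  5 03:10:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.53 PROTO=UDP SPT=5353 DPT=53
Aug  5 03:10:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=443
Aug  5 03:10:35 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=443
Aug  5 03:11:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=443
Aug  5 03:11:09 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.42 DST=203.0.113.9 PROTO=UDP SPT=51000 DPT=53
Aug  5 03:11:20 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.2.15 PROTO=TCP SPT=49200 DPT=445
this line is not a firewall record and must be skipped
"""

# Hypothetical policy: workstations may only leave the network through the web
# proxy and the internal resolver; anything else is a direct egress attempt.
WORKSTATIONS = ipaddress.ip_network("10.0.1.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_EGRESS = {
    (ipaddress.ip_address("10.0.0.5"), "TCP", 3128),   # web proxy
    (ipaddress.ip_address("10.0.0.53"), "UDP", 53),    # internal DNS resolver
}
BEACON_THRESHOLD = 3  # repeats to one outside host before we call it beaconing

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract the fields we care about from one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    try:
        return {
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"]),
            "proto": m["proto"],
            "dpt": int(m["dpt"]),
        }
    except ValueError:  # malformed address: treat the line as not a record
        return None


def find_direct_egress(log_text):
    """Return (src, dst, proto, dpt) flows from the workstation VLAN that bypass
    the allowed egress points. Internal-to-internal traffic is a separate policy
    question and is deliberately not reported here."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in WORKSTATIONS:
            continue
        if (rec["dst"], rec["proto"], rec["dpt"]) in ALLOWED_EGRESS:
            continue
        if rec["dst"] in INTERNAL:
            continue
        hits.append((str(rec["src"]), str(rec["dst"]), rec["proto"], rec["dpt"]))
    return hits


def find_beacons(hits, threshold=BEACON_THRESHOLD):
    """Collapse direct-egress hits to (src, dst) pairs seen at least `threshold`
    times: a host that keeps calling the same outside address is worth a look
    even when nothing on the host itself looks wrong."""
    counts = Counter((src, dst) for src, dst, _proto, _dpt in hits)
    return sorted(pair for pair, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    direct = find_direct_egress(SAMPLE_LOG)
    for flow in direct:
        print("direct egress:", flow)
    for src, dst in find_beacons(direct):
        print(f"possible beacon: {src} -> {dst}")
```

On the sample above the proxy and resolver lines pass, the SMB connection to another internal host is left to a different rule set, and four flows are reported: three from 10.0.1.31 to the same outside address on 443 (which the beacon pass then rolls up into one alert) and one workstation doing its own DNS lookups against an outside resolver, which is the classic sign of something ignoring the configured proxy.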
OP
Hard-core CEG'er
Joined: Aug 2004
Posts: 2,542
I know in theory it's not supposed to slow down the system,
but it would have to a little.
Hard-core CEG'er
Joined: Jun 2000
Posts: 5,854
Nothing is undetectable... just gotta look hard enough.
1999 Silver Frost SVT
#609 of 2760
Quaife, lightened SVT Flywheel, SPEC stage II clutch, removed resonator, k&n drop in - various other goodies too.
I have no life
Joined: May 2002
Posts: 21,653
Does it reduce my heartburn symptoms?
98.5 SVT
91 Escort GT (almost sold)
96 ATX Zetec (i brake to watch you swerve)
FS: SVT rear sway bar
WTB: Very cheap beater
CEG Dragon Run - October 13-15
OP
Hard-core CEG'er
Joined: Aug 2004
Posts: 2,542
Yes, but it may cause
projectile vomiting, cough, flu-like symptoms, uncontrollable bowel movements, dizziness, etc.