Tom Ptacek of Matasano Security is calling out our fav, Joanna Rutkowska. Ptacek is presenting a paper at Black Hat on how to detect the "Blue Pill" hypervisor rootkit.
Joanna, we respectfully request terms under which you'd agree to an "undetectable rootkit detection challenge". We'll concede almost anything reasonable; we want the same access to the (possibly-)infected machine as any antivirus software would get.
The backstory:
Dino Dai Zovi, under Matasano colors, presented a hypervisor rootkit ("Vitriol") for Intel's VT-x extensions at Black Hat last year, at the same time as Joanna presented Blue Pill for AMD's SVM.
We concede: Joanna's rootkit is cooler than ours. I particularly liked using the debug registers to grab network traffic out of the drivers. We stopped weaponizing Vitriol.
From Joanna’s site we find this:
First, we believe that 2 machines are definitely not enough, because the chance of a correct guess, using a completely random (read: unreliable) detection method, is 50%. Thus we think that the reasonable number is 5 machines. Each of them could be in a state 0 or 1 (i.e. infected or not). On each of these machines we install two files: bluepill.exe and bluepill.sys.
The .sys file is digitally signed, so it loads without any problem (we could use one of our methods for loading unsigned code on Vista that we're planning to demonstrate at BH, but this is not part of the challenge, so we will use the official way).
The bluepill.exe takes one argument which is 0 or 1. If it's 1 it loads the driver and infects the machine. If it's 0 it also loads the driver, but the driver does not infect the machine.
This year's Black Hat is shaping up to be rather interesting indeed, especially coupled with the paper on TPM that was mysteriously pulled. I'm still wondering what that was all about. Of course I have my natural suspicions.
Tags: Tom Ptacek, Joanna Rutkowska, Blue Pill, Rootkit, Black Hat 2007