
A security researcher with expertise in rootkits has created a working prototype of a new technique for creating malware that remains "100 percent undetectable," even on Windows Vista x64 systems. This VM rootkit uses AMD's Pacifica/SVM virtualization extensions to slip a thin "hypervisor" beneath the running system on the fly, without a reboot, and then uses a "generic method" to inject code into Windows Vista x64.
Joanna Rutkowska describes her "blue pill" prototype:
Over the past few months I have been working on a technology code-named Blue Pill, which is just about that - creating 100% undetectable malware, which is not based on an obscure concept.
The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra-thin Blue Pill hypervisor. This all happens on the fly (i.e. without restarting the system), there is no performance penalty, and all the devices, like the graphics card, are fully accessible to the operating system, which is now executing inside a virtual machine. This is all possible thanks to the latest virtualization technology from AMD called SVM/Pacifica.
She continues by comparing "blue pill" to the previously released "SubVirt" prototype VM rootkit, and explains why "blue pill" is a much more serious threat.
The "blue pill" technique effectively bypasses a crucial anti-rootkit policy change coming in Windows Vista that requires kernel-mode software to carry a digital signature in order to load on x64-based systems.
The working "Blue Pill" prototype for Vista x64 will be demonstrated at the SyScan conference on 21 July and at the Black Hat Briefings on 3 Aug.
Joanna Rutkowska says on her blog that she will not make the "blue pill" source code available for download.
::scary::