"There is no rootkit that is undetectable even if it installs itself as a hypervisor," says McAfee's Ahmed Sallam

Aug 14, 2007 12:58 GMT  ·  By

The undetectable Blue Pill rootkit, designed for the 64-bit editions of Windows Vista by Joanna Rutkowska, CEO of Invisible Things Lab, just got a whole lot more detectable as McAfee got in on the game. Rutkowska claims that the Blue Pill virtualization-based rootkit, which she initially demonstrated on a 64-bit edition of Vista running on top of an AMD processor, is virtually undetectable. Peter Ferrie from Symantec, along with Thomas Ptacek from Matasano Security and Nate Lawson of Root Labs, challenged Rutkowska, offering to take a crack at detecting the Blue Pill. Although a test was never completed, both parties remain firm in their positions.

More recently, Ahmed Sallam, McAfee Avert Labs Lead Security Research Architect, sided with Ferrie, Ptacek and Lawson. "Joanna, we can detect the Blue Pill so you may stop claiming that it is undetectable," Sallam said. "Speaking from my experience in the Anti-Rootkit space over twelve years, including my last project/product offered by McAfee, 'The McAfee Rootkit Detective', I totally believe that 'there is no rootkit that is undetectable'."

It is important to understand that hypervisors will become a generalized technology in the future. Both Intel and AMD, as well as operating system developers, are hard at work building virtualization into the processor and, respectively, into the software platforms as an integral part. The problem with processor-level virtualization facilities is that a comprehensive security policy for them is currently lacking. Sallam referred to this as a design flaw.

"Providing hardware-based virtualization support without protecting it with a sound security policy is a major flaw in the system design! Hardware-assisted hypervisors have the freedom to choose which software execution facility to virtualize and control. Blue Pill and other types of malicious hypervisors were anticipated by security experts who are well acquainted with the processor architecture," Sallam added. "There is no rootkit that is undetectable even if it installs itself as a hypervisor. The challenge is always in how to repair rootkits once they control some layer in the system architecture."