Not even the Blue Pill

Aug 7, 2007 14:45 GMT

Following a second Black Hat presentation of Blue Pill, the proof-of-concept virtualization-based rootkit written by Joanna Rutkowska, CEO of Invisible Things Lab, together with Principal Researcher Alexander Tereshkin, after a similar demonstration in 2006 on 64-bit Windows Vista, Symantec has come out all guns blazing. Peter Ferrie, Senior Principal Researcher at Symantec Advanced Threat Research, argued that there is no such thing as 100% undetectable malware, and that Rutkowska's Blue Pill is no exception.

Rutkowska has claimed from the start that Blue Pill, her example of virtualization-based malware, is undetectable. Thomas Ptacek, co-founder of Matasano Security, Nate Lawson, a security expert at Root Labs, and Peter Ferrie of Symantec challenged Rutkowska and the undetectable Blue Pill. Although Rutkowska did accept their challenge, the two parties failed to agree on common terms, the sticking point being whether detecting the presence of any hypervisor counts as detecting Blue Pill.

"In Black Hat 2007 Las Vegas, I co-presented with Nate Lawson and Thomas Ptacek the detection of hypervisors. Previously, we had asked Joanna Rutkowska to prove her '100% undetectable' claim, but she had declined. However, we did manage to prove that our methods work. Joanna agreed that the TLB timing method that I first described in detail in 2006 works against BluePill. As she understood it, though, she thought that I presented it as a 'foolproof method for "Blue Pill detection"'. While I did present it as a foolproof method, I didn't refer to Blue Pill at all: I said that it would reliably detect a hypervisor, which it does. That it detects Blue Pill is a corollary," stated Ferrie.

Rutkowska, however, pushed back hard against the group of researchers and their proposed method of detecting Blue Pill. "The main point was that detecting virtualization is not the same as detecting virtualization based malware. If somebody announces to the world that they can fight virtualization based malware using generic virtualization detectors, it's like if they said that they can detect e.g. a botnet agent, just by detecting that an executable is using networking," she commented.

Ferrie, however, downplayed the relevance of Blue Pill as undetectable virtualization-based malware, arguing that in practice it will pose no risk at all. "So, 100% undetectable malware? Not even close. Detecting the detector? Not going to work. And with hardware-based hypervisors on the horizon, no one will be swallowing the BluePill," Ferrie stated.