With support for full hypervisors

Apr 1, 2008 18:04 GMT  ·  By

The BluePill is the code-name used by Joanna Rutkowska, Founder/CEO of Invisible Things Labs and formerly a security researcher with COSEINC, for the virtualization-based rootkit she developed in 2006 to compromise Windows Vista. According to Rutkowska, the BluePill is set up to deliver an ultra-thin hypervisor that places itself between the hardware and the operating system. The infected platform continues to run inside a virtual machine controlled by the attacker, and because of this no security solution deployed inside the operating system is able to detect the underlying rootkit. Since 2006, a new version of the BluePill, authored by Alexander Tereshkin, Principal Researcher at Invisible Things Lab, has been evolving. The reloaded BluePill is now capable of running full hypervisors such as Virtual PC 2007 as its guests.

"We can now virtualize complex hypervisors, like e.g. Virtual PC 2007 or Virtual Box with SVM turned on (BTW, we can also run VMWare Workstation, but that doesn't count, as on AMD processors it doesn't make use of SVM instructions)," Rutkowska explained. "I couldn't resist not to use my favorite Matrix analogy to describe what we do here: imagine Neo, who bravely followed The White Rabbit and finally decided to swallow The Red Pill, eventually awakes on The Nebuchadnezzar ship just to find out later that this whole 'real world' is... just another Matrix..."

This means that virtual machines can now be run inside a bluepilled operating system. Rutkowska even provided a screenshot of Windows XP running as a guest operating system inside a Virtual PC 2007 virtual machine installed on top of a Windows Vista platform that has been bluepilled. "The brand new source code with full virtualization support on AMD is now available on bluepillproject.org (you will need WDK6000 or newer to build it). Note that the (experimental) code for nested virtualization on Intel VT-x has been removed in this public version, leaving only the basic functionality if we run NBP on an Intel processor. Also, please note that the code for AMD-v, even though it proved to be very stable, is still just a proof of concept," Rutkowska added.

[Photo gallery, 2 images: "Windows Vista PC Concept"; "Virtual PC 2007 running inside an already bluepilled Vista and running Windows XP as its own guest"]