But still available for download

Aug 8, 2007 11:08 GMT  ·  By

Virtualization-based malware is either a completely undetectable emerging threat, or a limp and useless pile of proof-of-concept code, dead before it has drawn its first breath of fresh air. It is all a matter of perspective in the security community, and the views are divided between Joanna Rutkowska of Invisible Things Lab on one side and Nate Lawson from Root Labs, Peter Ferrie from Symantec and Thomas Ptacek from Matasano on the other. While Rutkowska claims that her Blue Pill virtualized rootkit, designed for 64-bit Windows Vista, is undetectable, the other three researchers don't see eye to eye with her on the issue and offer the example of Samsara, a framework for HVM malware detection.

Sophos is the latest security outfit to jump into the Virtualization Detection vs. Blue Pill Detection game, courtesy of Vanja Svajcer, Principal Virus Researcher at SophosLabs. Svajcer stated that virtualization-based malware is still quite a distance from becoming a standard threat. "Despite the hype and the opportunity I reckon that the hardware virtualization rootkits will stay outside the malware writer's arsenal for the foreseeable future for at least a couple of reasons: complexity - malware writers can achieve their goals using much less sophisticated techniques - and portability - Blue Pill is designed to work on 64-bit AMD processors, which limits the coverage often required by malware," Svajcer commented.

However, the Blue Pill is indeed available for all to download. Well, actually just the proof-of-concept code, released by Joanna Rutkowska and Alexander Tereshkin. Still, the danger exists that the Blue Pill, in its current form, would help germinate a new wave of threats. "The published detection methods have not prevented Joanna Rutkowska and Alexander Tereshkin from publishing the source code of the New Blue Pill hardware virtualization rootkit. Unfortunately, this will allow less skilled members of the malware writing community to recompile the code and create new rootkits," Svajcer added.