Blue Pill is the codename for a controversial rootkit based on x86 virtualization technology that targets Microsoft's Windows Vista operating system. Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006.
Overview
According to the author, by using Pacifica, Blue Pill would be able to trap a running instance of the operating system into a virtual machine, and would then act as a hypervisor, with complete control of the computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable". Since virtualization is supposed to be undetectable to the guest, the only way Blue Pill could be detected is if the virtualization itself is detectable—and thus flawed.[1]
This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability.[2] Some other security researchers and journalists also dismissed the concept as inaccurate.[3] For one thing, the x86 instruction set contains privileged instructions that cannot be virtualized; for another, any form of virtualization can be detected by a timing attack.[citation needed]
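The timing argument above, as an added example that is not code from the article or from the Blue Pill project: on both AMD-V and Intel VT the CPUID instruction always exits to the hypervisor, so timing it with RDTSC gives a defender a simple hypervisor-presence check. The sample count and the 1000-cycle threshold are constructed values, and the code assumes GCC or Clang on x86/x86-64.

```c
/* Added example, not code from the article or the Blue Pill project. CPUID
 * always causes a VM exit under AMD-V and Intel VT, so its RDTSC-measured
 * latency is far larger inside a guest than on bare metal. Assumptions: GCC or
 * Clang on x86/x86-64; the 1000-cycle threshold is a constructed heuristic. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SAMPLES 256
#define CYCLE_THRESHOLD 1000ULL /* constructed; bare metal is usually far below */

#if defined(__x86_64__) || defined(__i386__)
/* One CPUID(0) bracketed by RDTSC. CPUID is serialising, so the second RDTSC
 * cannot retire ahead of it; volatile asm keeps the compiler from dropping it. */
static uint64_t cpuid_cycles_once(void) {
    uint32_t lo1, hi1, lo2, hi2, a = 0, b, c, d;
    __asm__ __volatile__("rdtsc" : "=a"(lo1), "=d"(hi1));
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d) : : "memory");
    __asm__ __volatile__("rdtsc" : "=a"(lo2), "=d"(hi2));
    (void)b; (void)c; (void)d;
    return (((uint64_t)hi2 << 32) | lo2) - (((uint64_t)hi1 << 32) | lo1);
}
#else
static uint64_t cpuid_cycles_once(void) { return 0; } /* non-x86: nothing to time */
#endif
static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median of n samples: robust against interrupt and cache-miss outliers. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof v[0], cmp_u64);
    return v[n / 2];
}
/* 1 if the median latency suggests a hypervisor is intercepting CPUID. */
int looks_virtualised(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}
/* Sample CPUID latency on this machine and return the median (0 on non-x86). */
uint64_t measure_cpuid_median(void) {
    uint64_t v[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) v[i] = cpuid_cycles_once();
    return median_u64(v, SAMPLES);
}
int main(void) {
    uint64_t m = measure_cpuid_median();
    printf("median CPUID latency: %llu cycles -> %s\n", (unsigned long long)m,
           looks_virtualised(m, CYCLE_THRESHOLD) ? "hypervisor suspected" : "bare metal");
    return 0;
}
```

Both AMD-V and Intel VT let the hypervisor offset the TSC value a guest reads, so a hypervisor built to hide itself can shrink the gap this measures. Comparing the CPUID cost against an external clock the hypervisor cannot adjust is the usual way to harden the check.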
In 2007, a group of researchers led by Thomas Ptacek of Matasano Security challenged Rutkowska to pit Blue Pill against their rootkit detector software at that year's Black Hat conference,[4] but the contest was deemed a no-go after Rutkowska requested $384,000 in funding as a prerequisite for entering.[5] Rutkowska and Alexander Tereshkin countered their detractors' claims in a subsequent Black Hat talk, arguing that the proposed detection methods were inaccurate.[6]
The source code for Blue Pill has since been made public.[7]
Etymology
The name Blue Pill is a reference to the blue pill from The Matrix.[citation needed]
See also
- Red Pill - a technique to detect the presence of a virtual machine also developed by Joanna Rutkowska.[1]
References
- [1] 'Blue Pill' Prototype Creates 100% Undetectable Malware, Ryan Naraine, eWeek.com
- [2] Faceoff: AMD vs. Joanna Rutkowska, eWeek.com
- [3] Debunking Blue Pill Myth, virtualization.info
- [4] Rutkowska faces ‘100% undetectable malware’ challenge, Ryan Naraine, zdnet.com
- [5] Blue Pill hacker challenge update: It’s a no-go, Ryan Naraine, zdnet.com
- [6] Showdown at the Blue Pill Corral
- [7] The Blue Pill Project
This entry is from Wikipedia, the leading user-contributed encyclopedia.