Black Hat researchers to release virtualized rootkit detector
August 1, 2007
LAS VEGAS -- Black Hat -- The researchers who publicly challenged Joanna Rutkowska to prove her virtualization-based rootkit is undetectable today said they are ready to release a tool that can detect her stealth virtual machine code. (See Hacker Smackdown.)
Thomas Ptacek, co-founder and researcher with Matasano Security; Nate Lawson, researcher at Root Labs; and Peter Ferrie, senior researcher at Symantec, demonstrated how their Samsara rootkit detection platform and testbed would shatter Rutkowska's claims that there's no way to detect her VM code, called Blue Pill.
In a session called "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers argued that virtualized rootkits will always be a cat-and-mouse chase. They argued that virtualized rootkits leave a trail, and that the malware would have to emulate the underlying system perfectly, with no bugs, to avoid detection.
"Nothing is 100 percent undetectable," Lawson says. "We found a way to detect all rootkits out there."
But Rutkowska, who attended the session here today and is scheduled to present her latest virtualized rootkit research this afternoon with colleague Alexander Tereshkin, said afterward that their presentation didn't sway her position about Blue Pill's stealthiness.
Ptacek, Lawson, and Ferrie recently issued a challenge to Rutkowska, founder of Invisible Things Lab, to prove her claims by letting them use their tool to find Blue Pill in one of two laptops, one that was infected and the other that was clean. Rutkowska countered their contest rules by saying that more work needed to be done to make her code "commercial grade," and the contest never got off the ground. "Our challenge probably wasn't fair... It was on such short notice," Ptacek said in the presentation. "But we think this [tool] would work against her."
The tool will be released in binary format, and won't be "weaponizable," so it wouldn't be much use to an attacker, they said. It runs only on an Intel Core Duo MacBook running version 10.4 of Mac OS X.
Lawson says the researchers hope others will take the code and build on it for future testing and research. Samsara comes with a virtualized rootkit testbed component as well.
"It's hard to prove you're undetectable if you don't have an adversary. We're trying to provide you with that [adversary]," Ptacek says.
Still, the researchers admit this type of rootkit isn't a real threat today. "We've seen three VT-type rootkits, and none are in the wild infecting systems," Lawson says.
— Kelly Jackson Higgins, Senior Editor, Dark Reading