Tool Roots Out Virtualized Rootkits

Black Hat researchers to release virtualized rootkit detector

LAS VEGAS -- Black Hat -- The researchers who publicly challenged Joanna Rutkowska to prove her virtualization-based rootkit is undetectable today said they are ready to release a tool that can detect her stealth virtual machine code. (See Hacker Smackdown.)

Thomas Ptacek, co-founder and researcher with Matasano Security; Nate Lawson, researcher at Root Labs; and Peter Ferrie, senior researcher at Symantec, demonstrated how their Samsara rootkit detection platform and testbed would shatter Rutkowska's claims that there's no way to detect her VM code, called Blue Pill.

In a session called "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers argued that virtualized rootkits will always be a cat-and-mouse chase. They argue that virtualized rootkits leave a trail, and that the malware would have to be bug-free to emulate a system faithfully.

"Nothing is 100 percent undetectable," Lawson says. "We found a way to detect all rootkits out there."

But Rutkowska, who attended the session here today and is scheduled to present her latest virtualized rootkit research this afternoon with colleague Alexander Tereshkin, said afterward that their presentation didn't sway her position about Blue Pill's stealthiness.

Ptacek, Lawson, and Ferrie recently issued a challenge to Rutkowska, founder of Invisible Things Lab, to prove her claims by letting them use their tool to find Blue Pill in one of two laptops, one that was infected and the other that was clean. Rutkowska countered their contest rules by saying that more work needed to be done to make her code "commercial grade," and the contest never got off the ground. "Our challenge probably wasn't fair... It was on such short notice," Ptacek said in the presentation. "But we think this [tool] would work against her."

The tool will be released in binary format, and won't be "weaponizable," so it wouldn't be much use to an attacker, they said. It runs only on the Intel Core Duo-based MacBook running OS version 10.4.

Lawson says the researchers hope others will take the code and build on it for future testing and research. Samsara comes with a virtualized rootkit testbed component as well.

"It's hard to prove you're undetectable if you don't have an adversary. We're trying to provide you with that [adversary]," Ptacek says.

Still, the researchers admit this type of rootkit isn't a real threat today. "We've seen three VT-type rootkits, and none are in the wild infecting systems," Lawson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
