Black Hat researchers to release virtualized rootkit detector

LAS VEGAS -- Black Hat -- The researchers who publicly challenged Joanna Rutkowska to prove her virtualization-based rootkit is undetectable today said they are ready to release a tool that can detect her stealth virtual machine code. (See Hacker Smackdown.)

Thomas Ptacek, co-founder and researcher with Matasano Security; Nate Lawson, researcher at Root Labs; and Peter Ferrie, senior researcher at Symantec, demonstrated how their Samsara rootkit detection platform and testbed would shatter Rutkowksa's claims that there's no way to detect her VM code, called Blue Pill.

In a session called "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers argued that virtualized rootkits will always be a cat-and-mouse chase. They argue that virtualized rootkits leave a trail, and the malware would have to be bug-free to really emulate a system.

"Nothing is 100 percent undetectable," Lawson says. "We found a way to detect all rootkits out there."

But Rutkowska, who attended the session here today and is scheduled to present her latest virtualized rootkit research this afternoon with colleague Alexander Tereshkin, said afterward that their presentation didn't sway her position about Blue Pill's stealthiness.

Ptacek, Lawson, and Ferrie recently issued a challenge to Rutkowska, founder of Invisible Things Lab, to prove her claims by letting them use their tool to find Blue Pill in one of two laptops, one that was infected and the other that was clean. Rutkowska countered their contest rules by saying that more work needed to be done to make her code "commercial grade," and the contest never got off the ground. "Our challenge probably wasn't fair... It was on such short notice," Ptacek said in the presentation. "But we think this [tool] would work against her."

The tool will be released in binary format, and won't be "weaponizable," so it wouldn't be much use to an attacker, they said. It runs only on the MacBook based on Intel Core Duo Version 10.4.

Lawson says the researchers hope others will take the code and build on it for future testing and research. Samsara comes with a virtualized rootkit testbed component as well.

"It's hard to prove you're undetectable if you don't have an adversary. We're trying to provide you with that [adversary]," Ptacek says.

Still, the researchers admit this type of rootkit isn't a real threat today. "We've seen three VT-type rootkits, and none are in the wild infecting systems," Lawson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights