Tool Roots Out Virtualized Rootkits
Black Hat researchers to release virtualized rootkit detector
August 1, 2007
LAS VEGAS -- Black Hat -- The researchers who publicly challenged Joanna Rutkowska to prove her virtualization-based rootkit is undetectable today said they are ready to release a tool that can detect her stealth virtual machine code. (See Hacker Smackdown.)
Thomas Ptacek, co-founder and researcher with Matasano Security; Nate Lawson, researcher at Root Labs; and Peter Ferrie, senior researcher at Symantec, demonstrated how their Samsara rootkit detection platform and testbed would shatter Rutkowska's claims that there's no way to detect her VM code, called Blue Pill.
In a session called "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers argued that virtualized rootkits will always be a cat-and-mouse chase. They argue that virtualized rootkits leave a trail, and the malware would have to be bug-free to really emulate a system.
"Nothing is 100 percent undetectable," Lawson says. "We found a way to detect all rootkits out there."
But Rutkowska, who attended the session here today and is scheduled to present her latest virtualized rootkit research this afternoon with colleague Alexander Tereshkin, said afterward that their presentation didn't sway her position about Blue Pill's stealthiness.
Ptacek, Lawson, and Ferrie recently issued a challenge to Rutkowska, founder of Invisible Things Lab, to prove her claims by letting them use their tool to find Blue Pill in one of two laptops, one that was infected and the other that was clean. Rutkowska countered their contest rules by saying that more work needed to be done to make her code "commercial grade," and the contest never got off the ground. "Our challenge probably wasn't fair... It was on such short notice," Ptacek said in the presentation. "But we think this [tool] would work against her."
The tool will be released in binary format, and won't be "weaponizable," so it wouldn't be much use to an attacker, they said. It runs only on Intel Core Duo-based MacBooks running version 10.4.
Lawson says the researchers hope others will take the code and build on it for future testing and research. Samsara comes with a virtualized rootkit testbed component as well.
"It's hard to prove you're undetectable if you don't have an adversary. We're trying to provide you with that [adversary]," Ptacek says.
Still, the researchers admit this type of rootkit isn't a real threat today. "We've seen three VT-type rootkits, and none are in the wild infecting systems," Lawson says.
— Kelly Jackson Higgins, Senior Editor, Dark Reading