http://www.eweek.com/article2/0,1895,2152137,00.asp
By Lisa Vaas, eweek.com
June 28, 2007

Joanna Rutkowska, the security researcher who one year ago built a working prototype, code-named Blue Pill, of a rootkit capable of creating malware that remains "100 percent undetectable," has tacitly conceded to a group of security researchers that the detector code they cooked up in the past month will in fact ferret out Blue Pill, at this point in its development, at any rate.

Tom Ptacek, security researcher and founder of New York-based Matasano Security, posted a note on June 27 saying that he, along with his fellow security researchers who had worked on hypervisor rootkit detection, was inviting Rutkowska to a challenge at Black Hat Briefings in Las Vegas on Aug. 1 or 2.

"Joanna, we respectfully request terms under which you'd agree to an 'undetectable rootkit detection challenge.' We'll concede almost anything reasonable; we want the same access to the (possibly-)infected machine that any anti-virus software would get," Ptacek wrote.

Rutkowska posted a message saying she was ready for the challenge. But she stipulated that the challenging researchers (Ptacek, Nate Lawson of Root Labs, Symantec researcher Peter Ferrie and Matasano's Dino Dai Zovi) fund two people, full-time for six months at $200 per hour, to develop the rootkit to a state of readiness.

"She says she'll have completed it enough to compete in conference by then," Lawson said to eWEEK in an interview. "For $416,000 she wants us to pay her to write a rootkit which we're confident we'll be able to detect. We spent one one-person month coding the detector, and it will take her 16 times longer than it took us to write the detector, and we still believe we'll win."

"Nobody said that writing rootkits is an easy process," Rutkowska retorted in an e-mail exchange with eWEEK. "It is not; it requires time to make a rootkit something more than a prototype."
Ptacek said that Rutkowska, who has lately founded Invisible Things Lab in Warsaw, Poland, has conceded that the rootkit can indeed be detected, simply by asking for more time, money and resources to make it undetectable.

"In her judgment, we are likely to be able to detect Blue Pill at Black Hat. We'd go a step further: We can detect arbitrary hypervisor rootkits, not just Blue Pill. But on the topic of Joanna's Blue Pill work, it appears that Matasano, Root Labs, Invisible Things Lab and Symantec agree. It's detectable," he said.

Rutkowska said in her posting that what she has right now is a prototype that would require $384,000 to turn into something "hard to detect."

"Overtly implying that what she has now ISN'T hard to detect," Ptacek said in an e-mail exchange. "It has cost us a month of spare time to get to the point where we can detect what Joanna has now. If it costs us a month to detect the $400,000 'commercial-grade' Blue Pill, that's a 16-to-1 advantage we apparently hold. The new name of this story is 'how to lose an arms race.'"

"Ptacek is free to derive his own conclusions, but that will always be that: his interpretation of what I said," Rutkowska said in her e-mail exchange. "I really do not see how this debate leads anywhere. We will present our research and thoughts on the feasibility of detecting virtualization-based malware during our talk at Black Hat."

Besides, Rutkowska pointed out, raising the money required to "weaponize" Blue Pill shouldn't be much of a challenge, given the vendors that have hooked onto the virtualization market. "If [Ptacek] indeed feels he's so right, he should not have much problems convincing some big companies to sponsor the contest; I can name at least several big companies that would be very interested in proving the virtualization-based malware is not a threat," she said.

Blue Pill was based on Rutkowska's work with Advanced Micro Devices' SVM/Pacifica virtualization technology.
Working independently but in parallel, Matasano's Dai Zovi also presented a hypervisor rootkit, "Vitriol," for Intel's VT-x extensions at Black Hat in 2006, at the same conference at which Rutkowska presented Blue Pill.

Lawson described the "undetectable" rootkit's fatal flaw this way: A rootkit has to deal with a metric called cross-section, which is the amount of a given system that a rootkit has to emulate or hide from a detector technology so that the rootkit can remain invisible. For example, a rootkit that is just a single byte modified in an obscure part of a system is much harder to detect than a complex program with millions of lines of code that hooks into the system all over the place.

The simplest rootkit will install a script, or patch a Web server, or a kernel, or BIOS or firmware: all different layers at which rootkits can be implemented. The simpler the rootkit, the smaller the part of the system it will affect, and the smaller the part of the system that it will then have to hide from, Lawson said.

The hypervisor level is the layer between the operating system and the hardware itself. Both Vitriol and Blue Pill installed at the hypervisor level. To stay invisible at the hypervisor level, a rootkit has to emulate all the underlying hardware while it goes about whatever mischief is its main purpose. When it executes, the rootkit has to adjust timer values measured by the operating system, subtracting out the cycles it used to do its own work. That's just one small area of the work a hypervisor rootkit has to do to hide itself, Lawson said.

What makes Blue Pill even more unwieldy is that Rutkowska chose x86 hardware, which has a "huge" cross-section, Lawson said. Imagine how many different versions of AMD hardware, chip sets, PC manufacturers and other variables a rootkit has to contend with, and it begins to become clear that a rootkit author has problems similar to those Microsoft has in dealing with hardware drivers.
Unfortunately for Blue Pill, it has to do more than function as a driver does; it has to function identically to the hardware it's trying to emulate. Again, "[With] a large variety of hardware to emulate, it becomes [unwieldy]," Lawson said.

"The advantage is always fundamentally in the detector's hands. The system is already rigged from the beginning, because [Rutkowska] chose the hypervisor level for implementing her rootkit. She chose poorly because she chose a level so complex," he said.

The researchers' work has to date shown that hypervisor rootkits, as well as rootkits that target the equally complex layer of BIOS, are detectable. The group doesn't plan to turn the detector code they cooked up into a product, given that the only two rootkits known to work at these levels are proofs of concept, they said.

Instead, Ferrie, Ptacek and Lawson plan to get up on stage at Black Hat for free, Ptacek said. "And, for free, we're going to explain what we do to detect hypervisor malware. And, for free, we're going to show the code we use to do it."

None of this is meant to disparage Rutkowska's groundbreaking work, Ptacek emphasized. "I hope that I'm not coming across as disrespectful of Joanna. She's smarter than me, but wrong," he said.

If Rutkowska in fact manages to perfect her Blue Pill prototype before Black Hat, Ptacek said, the challenge is on. "We'd love it if she'd take us up on our challenge. If it takes longer, we're happy to do it some other time," he said.
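The timing side of the cross-section argument Lawson makes above can be shown with a small detector probe. This is an added example written for this page, not the researchers' Black Hat detector code: it times CPUID, an instruction that VT-x and SVM trap to the hypervisor unconditionally, with the time-stamp counter, and flags a median cost far above an assumed native baseline (the 200-cycle baseline and the 10x factor are assumptions, to be calibrated on known-clean hardware).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
/* One probe: TSC cycles spent in CPUID, an instruction that VT-x and SVM
 * always trap to the hypervisor, so a detector pays for the VM exit. */
static uint64_t probe_cpuid_cycles(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)(a + b + c + d);
    return t1 - t0;
}
#else
static uint64_t probe_cpuid_cycles(void) { return 0; } /* no probe off x86 */
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median of n probes: one interrupt or cache miss inflates a single sample,
 * but not the median. */
uint64_t median_cpuid_cycles(int n) {
    uint64_t *s = malloc(sizeof *s * (size_t)n);
    for (int i = 0; i < n; i++) s[i] = probe_cpuid_cycles();
    qsort(s, (size_t)n, sizeof *s, cmp_u64);
    uint64_t m = s[n / 2];
    free(s);
    return m;
}
/* Verdict: a trapped CPUID adds a VM exit/entry round trip to the native
 * cost, so flag a median more than `factor` times a baseline measured on
 * known-clean hardware. A hypervisor rootkit hiding here must offset the
 * TSC by exactly its own overhead, which is the work Lawson describes. */
int cpuid_timing_suspicious(uint64_t median, uint64_t baseline, unsigned factor) {
    return median > baseline * factor;
}

int main(void) {
    uint64_t m = median_cpuid_cycles(256); /* 200-cycle baseline is assumed */
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)m,
           cpuid_timing_suspicious(m, 200, 10) ? "suspicious" : "native-looking");
    return 0;
}
```

Because a hypervisor can also offset or trap the TSC, a serious detector pairs this probe with a clock the hypervisor does not control, which widens the cross-section the rootkit must cover.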
This archive was generated by hypermail 2.1.3 : Thu Jun 28 2007 - 22:36:21 PDT