“Blue Pill” Rootkit freely available



Security researcher and rootkit specialist Joanna Rutkowska has published the source-code of a completely rewritten “Blue Pill” virtualization rootkit.

The rootkit takes advantage of so-called hardware virtual machines (HVMs) to move Windows into a virtual machine without the OS’s permission or any recognition of the fact. Currently only AMD’s VT-x/Pacifica technology is supported to pull Windows under the control of a hypervisor.

The “Blue Pill” project was started by Joanna Rutkowska, and the first proof of concept was demonstrated at the Black Hat conference in 2006. The idea of a virtual machine rootkit is one of the most challenging in the field of computer security so far.

The excellent Security Now podcast with Steve Gibson and Leo Laporte has dedicated an extremely informative episode to this technology.


4 Responses to ““Blue Pill” Rootkit freely available”

  1. Well, if Microsoft can’t deliver a decent virtualisation solution for the world + dog, this is definitely the way to go … ;(

  2. Yes, Microsoft is in big trouble here. I wonder though how far this concept reaches into the architecture of hardware virtualization itself. If VMware is potentially vulnerable to this hypervisor attack, hell will break loose.

  3. I don’t think it’s an attack but merely a rather clever way to hide a rootkit. Nevertheless it’s not a black hat people heaven per se: it’s a bit cumbersome to access the network without Windows noticing anything 😉 and there are some things which are tricky to emulate, like timing characteristics of certain low-level operations which need to be virtualized – I expect a classical detect/disguise arms race between rootkits and Symantec et al., if this thing really flies in practice and comes into widespread use.

  4. Thanks for your answer. I think you’re absolutely right about the arms race between rootkits and the security industry. Right now bluepill can spoof some of the timing characteristics of certain Windows instructions. One reason to rewrite bluepill was to improve exactly this ability, but nevertheless it is one of the weak points of this attack. On the other hand it still seems to be the most elegant idea to gain full root access to a machine without the OS’s knowledge. Still, might it be possible to extend this to other virtualization solutions and architectures?
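As an added illustration of the timing-based detection the last two comments discuss (example code written for this page, not from the post or from the Blue Pill project): CPUID is an instruction a hypervisor typically intercepts, so each execution costs extra cycles for the VM exit and re-entry, and a median over many RDTSC-timed runs compared against a bare-metal baseline is the classic probe. The baseline and ratio are constructed placeholders that must be calibrated on known-bare-metal hardware, and the sample arrays are constructed; as comment 4 notes, a stealthy hypervisor may spoof the counter or simply not intercept CPUID, so this is a weak signal rather than proof.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

/* Constructed samples (TSC ticks per CPUID) for a bare-metal-like and a virtualized-like run. */
const unsigned long long SAMPLE_BARE[5] = {90, 110, 100, 95, 105};
const unsigned long long SAMPLE_VM[5]   = {1500, 1700, 1600, 1400, 1650};

/* Time one CPUID leaf-0 execution in TSC ticks; returns 0 on non-x86 builds. */
static unsigned long long time_cpuid_once(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    unsigned long long t0 = __rdtsc();
    __cpuid(0, a, b, c, d);          /* trapped by most hypervisors -> VM exit */
    return __rdtsc() - t0;
#else
    return 0;
#endif
}

static int cmp_ull(const void *x, const void *y) {
    unsigned long long a = *(const unsigned long long *)x, b = *(const unsigned long long *)y;
    return (a > b) - (a < b);
}

/* Median of n samples on a sorted copy; the median resists outliers from interrupts. */
unsigned long long median_ticks(const unsigned long long *samples, size_t n) {
    if (n == 0) return 0;
    unsigned long long *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_ull);
    unsigned long long m = copy[n / 2];
    free(copy);
    return m;
}

/* 1 if the median CPUID cost exceeds `ratio` times the calibrated baseline, else 0 (no evidence). */
int looks_virtualized(const unsigned long long *samples, size_t n,
                      unsigned long long baseline, unsigned int ratio) {
    if (n == 0 || baseline == 0) return 0;
    return median_ticks(samples, n) > baseline * ratio;
}

int main(void) {
    enum { N = 1000 };
    unsigned long long s[N];
    for (size_t i = 0; i < N; i++) s[i] = time_cpuid_once();
    /* Placeholder baseline (100 ticks) and ratio (5x): calibrate before relying on the verdict. */
    printf("median CPUID cost: %llu ticks, verdict: %s\n", median_ticks(s, N),
           looks_virtualized(s, N, 100, 5) ? "hypervisor suspected" : "no evidence");
    return 0;
}
```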
