Blue Pill (software): Difference between revisions

From Wikipedia, the free encyclopedia
'''Blue Pill''' is the codename for a [[rootkit]] based on [[x86 virtualization]]. Blue Pill originally required [[AMD-V]] (Pacifica) virtualization support, but was later ported to support [[Intel VT-x]] (Vanderpool) as well. It was designed by [[Joanna Rutkowska]] and originally demonstrated at the [[Black Hat Briefings]] on August 3, 2006, with a reference implementation for the [[Microsoft Windows Vista]] kernel.


==Overview==
The Blue Pill concept is to trap a running instance of the operating system by starting a thin [[hypervisor]] and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time, could be intercepted (and a fake response sent) by the hypervisor. The original concept of Blue Pill was published by another researcher at IEEE Oakland in May 2006, under the name VMBR (virtual-machine based rootkit).<ref>{{Cite doi|10.1109/SP.2006.38}}</ref>

[[Joanna Rutkowska]] claims that, since any detection program could be fooled by the hypervisor, such a system could be "100% undetectable". Since AMD virtualization is seamless by design, a virtualized guest is not supposed to be able to query whether it is a guest or not. Therefore, the only way Blue Pill could be detected is if the virtualization implementation were not functioning as specified.<ref>[http://www.eweek.com/article2/0,1895,1983037,00.asp 'Blue Pill' Prototype Creates 100% Undetectable Malware], Ryan Naraine, eWeek.com</ref>

This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability.<ref>[http://securitywatch.eweek.com/rootkits/faceoff_amd_vs_joanna_rutkowsk.html Faceoff: AMD vs. Joanna Rutkowska], eWeek.com</ref> Some other security researchers and journalists also dismissed the concept as implausible.<ref>[http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html Debunking Blue Pill Myth], virtualization.info</ref> Virtualization could be detected by a [[timing attack]] relying on external sources of time.<ref>http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html</ref>
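As an added illustration of the timing-based detection mentioned above (example code written for this page, not Blue Pill, Red Pill or any code from Rutkowska or her critics), the following C functions time the CPUID instruction, which unconditionally traps to a hypervisor under VT-x and AMD-V, using the CPU's own time-stamp counter as the clock; the 1000-tick threshold is an assumption and real numbers vary by CPU. Because the TSC itself can be virtualized, this is the local-clock variant of the check; the stronger form compares against an external time source, which is exactly the point of contention in the dispute the article describes.

```c
#include <stdint.h>
#include <stdlib.h>

/* Heuristic threshold (assumption): CPUID on bare metal usually takes a few
 * hundred TSC ticks; a VM exit and re-entry adds roughly a thousand or more. */
#define VMEXIT_CYCLE_THRESHOLD 1000ULL

/* Time one CPUID with RDTSC. CPUID unconditionally causes a VM exit under
 * VT-x/AMD-V, so its latency rises when a hypervisor sits underneath.
 * Non-x86-64 builds return 0 so the rest of the file still compiles. */
uint64_t cpuid_cycles(void) {
#if defined(__x86_64__)
    uint32_t lo0, hi0, lo1, hi1, a = 0, b, c = 0, d;
    __asm__ __volatile__("rdtsc" : "=a"(lo0), "=d"(hi0));
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    __asm__ __volatile__("rdtsc" : "=a"(lo1), "=d"(hi1));
    (void)b; (void)d;
    return (((uint64_t)hi1 << 32) | lo1) - (((uint64_t)hi0 << 32) | lo0);
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; sorts the buffer in place. */
uint64_t median_u64(uint64_t *v, size_t n) {
    if (n == 0) return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return (n % 2) ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2;
}

/* Median of n timed CPUIDs: a single interrupt or context switch that
 * inflates one sample cannot skew the verdict the way a mean would. */
uint64_t sample_cpuid_median(size_t n) {
    uint64_t buf[256];
    if (n > 256) n = 256;
    for (size_t i = 0; i < n; i++) buf[i] = cpuid_cycles();
    return median_u64(buf, n);
}

/* Verdict: 1 when the median latency exceeds the threshold. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}
```

Calling `looks_virtualized(sample_cpuid_median(200), VMEXIT_CYCLE_THRESHOLD)` gives the one-bit answer; a hypervisor that also virtualizes the TSC can defeat this local measurement, which is why the external-clock variant matters.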

In 2007, a group of researchers led by [[Thomas Ptacek]] and [[Nate Lawson]] challenged Rutkowska to put Blue Pill against their rootkit detector software at that year's Black Hat conference,<ref>[http://blogs.zdnet.com/security/?p=334 Rutkowska faces ‘100% undetectable malware’ challenge], Ryan Naraine at zdnet.com</ref> but the deal was deemed a no-go following Rutkowska's request for $384,000 in funding as a prerequisite for entering the competition.<ref>[http://blogs.zdnet.com/security/?p=340 Blue Pill hacker challenge update: It’s a no-go], Ryan Naraine at zdnet.com</ref> Rutkowska and Alexander Tereshkin countered detractors' claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate.<ref>[http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html Showdown at the Blue Pill Corral]</ref>

The source code for Blue Pill has since been made public,<ref>[http://www.invisiblethingslab.com/resources/bh07/ Blue Pill 2007]</ref><ref>[http://www.invisiblethingslab.com/resources/bh08/ Blue Pill 2008]</ref> under the following license: ''Any unauthorized use (including publishing and distribution) of this software requires a valid license from the copyright holder. This software has been provided for the educational use only during the Black Hat training and conference.''<ref>http://web.archive.org/web/20080418123748/http://www.bluepillproject.org/</ref>

==Red Pill==
{{See also|Red Pill (software){{!}}Red Pill}}
[[Red Pill (software)|Red Pill]] is a technique to detect the presence of a virtual machine also developed by [[Joanna Rutkowska]].<ref>[http://invisiblethings.org/papers/redpill.html]</ref>

== References ==
{{Reflist|30em}}

==External links==
* [http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html Introducing the Blue Pill by Joanna Rutkowska]
* [http://www.internetnews.com/security/article.php/3624861 InternetNews - Blackhat takes Vista to Task]
* [http://www.businessweek.com/technology/content/aug2006/tc20060810_203122.htm?chan=top+news_top+news Heading Off the Hackers] - [[Business Week]], August 10, 2006
* [http://www.grc.com/securitynow.htm Blue Pill], Episode 54 of the [[Security Now]] Podcast
* [http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf Black Hat 2006 Presentation]
* [http://www.invisiblethingslab.com/resources/bh07/ Source code]
* [http://northsecuritylabs.blogspot.com/2008/06/catching-blue-pill.html Detecting and Blocking Blue Pill, Vitriol etc]

{{DEFAULTSORT:Blue Pill (Malware)}}
[[Category:Rootkits]]
[[Category:Virtualization software]]

Revision as of 12:24, 2 December 2013