
100 percent undetectable rootkit


"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices," she explained.

Seems like it's a new variant of MDMA, like ecstasy.


Guest Nazi Moderation

I actually don't think this will end up being that revolutionary.

AV heuristics in the future will likely have an option to monitor virtualization, just as there are options now to restrict registry activity and scripts within documents.

Though it may be undetectable once it's installed, the process of installation and the installer executable itself will certainly give it away.


From an academic standpoint, it is true that the OS itself wouldn't be able to detect the rootkit planted from the hypervisor.

However, from a practical standpoint, it will still be possible to detect the presence of an unrecognized (and therefore suspicious) hypervisor.

How? Well obviously it's possible for the installation of a hypervisor to be started from within the OS. That's how the Blue Pill would get installed in the first place. Therefore, it would be possible to launch the installation of a second hypervisor from within the same OS. Now either the first hypervisor (the Blue Pill in this case) will block the installation of the second, in which case you will know something is wrong, or the second hypervisor will succeed and become capable of detecting the rootkit.

With this in mind, the second hypervisor doesn't actually need to be a full-fledged permanently-installed hypervisor. It just needs to go through the same motions that a hypervisor installation would go through. Therefore, antimalware programs could include an "agent" or module which performs this task as part of every scan. This wouldn't be trivial for the major vendors to add, but still possible.
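A user-space counterpart to the detection question raised in the post above, added here as an example and not code from the post or from the Blue Pill project: it reads the CPUID hypervisor-present bit (CPUID.1:ECX[31], reserved as zero on bare metal and set by hypervisors) and, when it is set, the 12-byte vendor signature at leaf 0x40000000. The caveat is the point of the example: a cooperative hypervisor such as KVM or Hyper-V announces itself this way, but a hypervisor that intercepts CPUID can simply report a clear bit, which is why the post argues for an active probe (attempting to bring up a second hypervisor from kernel mode) rather than trusting what the guest is told. The function names `probe_hypervisor`, `hv_bit_from_ecx` and `hv_vendor_from_regs` are this example's own, and the build falls back to "unsupported" on non-x86 targets.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID.1:ECX[31] is reserved on physical CPUs and set by hypervisors
 * to advertise their presence to the guest. */
#define CPUID_HV_PRESENT_BIT (1u << 31)

/* Result of one probe. vendor holds the signature from CPUID leaf
 * 0x40000000 (EBX, ECX, EDX in that order), or "" when no bit was seen. */
struct hv_probe {
    int supported;   /* 1 when CPUID could be issued on this build target */
    int hv_bit;      /* value of CPUID.1:ECX[31] */
    char vendor[13]; /* 12 signature bytes plus NUL */
};

/* Decode the hypervisor-present bit from a raw ECX value. Kept pure so it
 * can be exercised with constructed register values. */
int hv_bit_from_ecx(uint32_t ecx) {
    return (ecx & CPUID_HV_PRESENT_BIT) ? 1 : 0;
}

/* Turn the three signature registers into a printable C string. Bytes that
 * are not printable ASCII are replaced with '.', so a bogus leaf cannot
 * inject control characters into whatever log line this ends up in. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);      /* x86 is little-endian: byte 0 of EBX first */
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
    for (int i = 0; i < 12; i++) {
        if (out[i] < 0x20 || out[i] > 0x7e) {
            out[i] = '.';
        }
    }
}

/* Query the running CPU. On a non-x86 build this reports supported = 0. */
struct hv_probe probe_hypervisor(void) {
    struct hv_probe r = { .supported = HAVE_X86_CPUID, .hv_bit = 0, .vendor = "" };
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx)) {
        r.hv_bit = hv_bit_from_ecx(ecx);
        if (r.hv_bit) {
            /* Leaf 0x40000000 lies above the basic range, so the raw
             * __cpuid macro is used instead of the range-checked helper. */
            __cpuid(0x40000000, eax, ebx, ecx, edx);
            hv_vendor_from_regs(ebx, ecx, edx, r.vendor);
        }
    }
#endif
    return r;
}

int main(void) {
    struct hv_probe r = probe_hypervisor();
    if (!r.supported) {
        puts("CPUID not available on this build target");
    } else if (r.hv_bit) {
        /* A cooperative hypervisor; a hostile one could have cleared the bit. */
        printf("hypervisor-present bit set, vendor signature \"%s\"\n", r.vendor);
    } else {
        puts("hypervisor-present bit clear (bare metal, or a hypervisor hiding it)");
    }
    return 0;
}
```

The decoder is deliberately split from the CPUID call so the interpretation can be checked offline with constructed register values; the live probe is only as trustworthy as the CPUID results the hypervisor chooses to return.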


That's not entirely true, as kernel mode (run as a system service) could also do the trick... a simple JPEG bug could then be Extremely Critical....

One way of preventing this COULD be lying in the UEFI (if I'm correct) standard.

For example, it could be possible to tell the BIOS chip how many virtual instances the CPU is allowed to handle....

Even though this may require a reboot with every newly installed OS instance,

it would help...
