Jump to content

100 percent undetectable rootkit

mark

By mark
in Technology News

 Share

Recommended Posts


Delprat

Delprat

Posted
Posted
"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices," she explained.

Seems like it's a new variant of MDMA, like extasy.

++

Link to comment
Share on other sites
Guest Nazi Moderation

Guest Nazi Moderation

Posted
Posted (edited)

i actually don't think this will end up being that revolutionary.

AV heuristics in the future will likely have an option to monitor virtualization, just as there are options now to restrict registry activity and scripts within documents.

though it may be undetectable once it's installed, the process of installation and the installer executable itself will certainly give it away.

Edited by Nazi Moderation
Link to comment
Share on other sites
hosebeast

hosebeast

Posted
Posted

From an academic standpoint, it is true that the OS itself wouldn't be able to detect the rootkit planted from the hypervisor.

However, from a practical standpoint, it will still be possible to detect the presence of an unrecognized (and therefore suspicious) hypervisor.

How? Well obviously it's possible for the installation of a hypervisor to be started from within the OS. That's how the Blue Pill would get installed in the first place. Therefore, it would be possible to launch the installation of a second hypervisor from within the same OS. Now either the first hypervisor (the Blue Pill in this case) will block the installation of the second, in which case you will know something is wrong, or the second hypervisor will succeed and become capable of detecting the rootkit.

With this in mind, the second hypervisor doesn't actually need to be a full-fledged permanently-installed hypervisor. It just needs to go through the same motions that a hypervisor installation would go through. Therefore, antimalware programs could include an "agent" or module which performs this task as part of every scan. This wouldn't be trivial for the major vendors to add, but still possible.

Link to comment
Share on other sites
-I-

-I-

Posted
Posted

thats not entirely true, as Kernel mode (run as system service) oculd also do the trick... a simple jepeg bug could than be Extremely Critical ....

one way of prenting this COULD be lying in the UEFI (if im correct) standard.

for example it could be possible to tell the BIOS chip how many Vertial Instances the cpu is allowed to handle....

even though this may require a reboot with every new-installed OS-instance

it would help...

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...