mark

100 percent undetectable rootkit



i don't believe this one little bit... because you would think that a data recovery tool would help find this file...

"The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices," she explained.

Seems like it's a new variant of MDMA, like ecstasy.

++

Guest Nazi Moderation

i actually don't think this will end up being that revolutionary.

AV heuristics in the future will likely have an option to monitor virtualization, just as there are options now to restrict registry activity and scripts within documents.

though it may be undetectable once it's installed, the process of installation and the installer executable itself will certainly give it away.

Edited by Nazi Moderation


From an academic standpoint, it is true that the OS itself wouldn't be able to detect the rootkit planted from the hypervisor.

However, from a practical standpoint, it will still be possible to detect the presence of an unrecognized (and therefore suspicious) hypervisor.

How? Well obviously it's possible for the installation of a hypervisor to be started from within the OS. That's how the Blue Pill would get installed in the first place. Therefore, it would be possible to launch the installation of a second hypervisor from within the same OS. Now either the first hypervisor (the Blue Pill in this case) will block the installation of the second, in which case you will know something is wrong, or the second hypervisor will succeed and become capable of detecting the rootkit.

With this in mind, the second hypervisor doesn't actually need to be a full-fledged permanently-installed hypervisor. It just needs to go through the same motions that a hypervisor installation would go through. Therefore, antimalware programs could include an "agent" or module which performs this task as part of every scan. This wouldn't be trivial for the major vendors to add, but still possible.

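A lighter-weight check in the spirit of the "unrecognized (and therefore suspicious) hypervisor" idea in the post above, added here as an example and not code from this thread or from the Blue Pill author: instead of launching a second hypervisor, it reads the CPUID hypervisor-present bit (leaf 1, ECX bit 31) and the vendor signature leaf (0x40000000) and flags any vendor it does not recognize. The vendor list, the function names and the constructed test signatures are assumptions of this example; the classification is kept as a pure function over raw register values so it can be exercised with constructed inputs on any machine, while `read_cpuid_hypervisor()` performs the live query on x86.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* CPUID leaf 1, ECX bit 31: "hypervisor present" (reserved as 0 on bare metal). */
#define HV_PRESENT_BIT (1u << 31)

enum hv_status { HV_NONE = 0, HV_KNOWN = 1, HV_UNKNOWN = 2 };

/* Vendor signatures returned in EBX:ECX:EDX of leaf 0x40000000.
 * Illustrative list assumed for this example, not exhaustive. */
static const char *const known_vendors[] = {
    "KVMKVMKVM\0\0\0",
    "VMwareVMware",
    "Microsoft Hv",
    "XenVMMXenVMM",
    "VBoxVBoxVBox",
};

/* Helper for constructing test inputs: pack a 12-byte signature into
 * three registers exactly as CPUID lays it out (little-endian, EBX first). */
void pack_vendor(const char *sig, uint32_t regs[3])
{
    char buf[12] = {0};
    memcpy(buf, sig, strlen(sig) < 12 ? strlen(sig) : 12);
    memcpy(&regs[0], buf + 0, 4);
    memcpy(&regs[1], buf + 4, 4);
    memcpy(&regs[2], buf + 8, 4);
}

/* Pure classifier over raw register values. vendor_out receives the
 * 12-byte signature plus a terminating NUL (empty string if no hypervisor). */
enum hv_status classify_hypervisor(uint32_t leaf1_ecx, uint32_t ebx,
                                   uint32_t ecx, uint32_t edx,
                                   char vendor_out[13])
{
    vendor_out[0] = '\0';
    if (!(leaf1_ecx & HV_PRESENT_BIT))
        return HV_NONE;

    memcpy(vendor_out + 0, &ebx, 4);
    memcpy(vendor_out + 4, &ecx, 4);
    memcpy(vendor_out + 8, &edx, 4);
    vendor_out[12] = '\0';

    for (size_t i = 0; i < sizeof known_vendors / sizeof known_vendors[0]; i++)
        if (memcmp(vendor_out, known_vendors[i], 12) == 0)
            return HV_KNOWN;
    return HV_UNKNOWN;
}

/* Live query on x86; returns false on other architectures or if leaf 1 is unavailable. */
bool read_cpuid_hypervisor(enum hv_status *status, char vendor_out[13])
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return false;
    uint32_t leaf1_ecx = ecx;
    /* 0x40000000 is above the basic-leaf maximum, so __get_cpuid() would
     * refuse it; issue the instruction directly. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    *status = classify_hypervisor(leaf1_ecx, ebx, ecx, edx, vendor_out);
    return true;
#else
    (void)status; (void)vendor_out;
    return false;
#endif
}

int main(void)
{
    enum hv_status st;
    char vendor[13];
    if (!read_cpuid_hypervisor(&st, vendor)) {
        puts("CPUID not available on this platform");
        return 0;
    }
    const char *label = st == HV_NONE ? "no hypervisor reported"
                      : st == HV_KNOWN ? "known hypervisor" : "UNRECOGNIZED hypervisor (investigate)";
    printf("%s: \"%s\"\n", label, vendor);
    return 0;
}
```

The caveat is the one the thread itself raises: a hypervisor that sits below the OS can answer CPUID however it likes, so a clean result from this check proves nothing on its own. It catches misconfigured or careless hypervisors cheaply; the second-hypervisor approach in the post above is the stronger (and far more expensive) test.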

Hmm...the virus reminds me of the movie "The Matrix" for some reason...dunno why though.

Hmm...the virus reminds me of the movie "The Matrix" for some reason...dunno why though.
Same thought here... :lol:


She also published the "Red Pill". ;)

1- yes, she!

2- it is probably serious. imho the main reason it should not work is some rights should be needed to use virtualization.


that's not entirely true, as Kernel mode (run as system service) could also do the trick... a simple JPEG bug could then be Extremely Critical ....

one way of preventing this COULD be lying in the UEFI (if I'm correct) standard.

for example it could be possible to tell the BIOS chip how many Virtual Instances the cpu is allowed to handle....

even though this may require a reboot with every new-installed OS-instance

it would help...
