(eWeek) What happens if Vista (or any other 64-bit OS, including Linux) takes the Blue Pill? 100% undetectable malware, that's what (eweek.com)

34338 clicks; posted to Main » on 30 Jun 2006 at 12:48 AM (8 years ago)



203 Comments

Archived thread

 
2006-06-29 05:11:40 PM  
I read that yesterday. That's some scary stuff, and regardless of OS or how paranoid you are you're screwed.
 
2006-06-29 05:16:51 PM  
He 'thinks' it should be possible to port it to BSD or Linux. But he actually doesn't know. This exploit was built to rootkit Windows, not *nix.
 
2006-06-29 05:26:11 PM  
teknishn: He 'thinks' it should be possible to port it to BSD or Linux. But he actually doesn't know. This exploit was built to rootkit Windows, not *nix.


"We used our proof-of concept [rootkits] to subvert Windows XP and Linux target systems and implemented four example malicious services," the researchers wrote in a technical paper describing the attack scenario.
 
2006-06-29 05:36:43 PM  
Subby here.

As far as I can tell, the way this works is that it silently moves the OS into a VM, controlled by the Blue Pill. The malware sits outside the VM, where it cannot be detected by any means available to the OS. Even reading raw memory contents in a hexadecimal debugger won't work, since the whole point of a VM is to intercept calls to hardware, including the raw memory, and substitute the contents of the "virtual" hardware. Anti-virus software would likewise not have access to the memory where the malware sits. But the malware, being outside the VM, can do whatever it wants.

This will indeed work on any 64-bit OS, including Mac OS X now that it runs on Intel CPUs. 32-bit and 16-bit OSes are also vulnerable when running "hosted" under 64-bit OSes.
 
2006-06-29 05:49:18 PM  
The Intel CPUs that Mac OSX runs on are not 64-bit. They are all Core Duo or Core Solo 32 bit procs. So OSX cannot get hit with this.
 
2006-06-29 10:17:26 PM  
This kind of thing should be posted to the main page.
 
2006-06-29 11:03:24 PM  
Soooooo, the point of this endeavor was to prove that they could do it? sell it to the highest bidders?

Are we just all screwed? There's no one else on the horizon that's already working on a 'fix'?
 
2006-06-30 12:50:53 AM  
I hope Joanna Rutkowska dies horribly in a fire of BSOD proportions
 
2006-06-30 12:54:14 AM  
www.kirstenp.claranet.de

bring it.
 
2006-06-30 12:55:45 AM  
Anyone care to translate the article into English?
 
2006-06-30 12:55:54 AM  
Quick1: This kind of thing should be posted to the main page.

Hmm. For clarification, it was originally going to the Tech page.
 
2006-06-30 12:55:55 AM  
If you can masquerade privileged instructions, then yeah, it will work with any OS. However, this, as well as any other rootkit, is powerless against detection from a live CD.
 
2006-06-30 12:56:54 AM  
The Matrix has you...
 
2006-06-30 12:57:42 AM  
kb7rky: I hope Joanna Rutkowska dies horribly in a fire of BSOD proportions


Meh, the more people that know about this the more that will be working on fixing the issue

/of course that means the more working on exploits as well... but at least it's not all bad. It would be nice if they worked out a fix (even if in means making the next gen of x64 procs different), THEN held the press conference... but ah well.


Oh, and I understand that this can run undetected, but can it be INSTALLED undetected? If not, then at least people who aren't security-challenged would still be safe... and those that aren't would gain a big reason to learn what the hell they are doing.

/*nix user, but one who hasn't yet upgraded to a 64.
 
2006-06-30 12:58:35 AM  
teknishn... The Intel CPUs that Mac OSX runs on are not 64-bit. They are all Core Duo or Core Solo 32 bit procs. So OSX cannot get hit with this.

Yet. The G5 replacement machine is going to be a dual-core 64-bit system. No word if the Intel chipset that Apple will use supports virtualization, which is what 'Blue Pill' requires, although I suspect it will.
 
2006-06-30 01:00:03 AM  
Me fixed: ...those that are would gain...

Oops...
 
2006-06-30 01:01:16 AM  
sounds like we need a bios option to disable virtualization.
 
2006-06-30 01:01:48 AM  
My guess is the only way to "fix" this is the nuke and format of the drive through an external program -- best case being a bootable floppy/CD/DVD... worst case involves removing the drive from the system and formatting it on another...
 
2006-06-30 01:02:09 AM  
This won't work on my system.

I can't say why, well, I could but I won't.
 
2006-06-30 01:02:51 AM  
Solution is simple: good software can install its own rootkit above the malware!
 
2006-06-30 01:03:24 AM  
graeylin

Anyone care to translate the article into English?

"Every OS is vulnerable. Especially if the PC is plugged in. Especially if it is connected to teh intarweb."
 
2006-06-30 01:03:52 AM  
Undetectable my arse...

The only way I wouldn't detect that computer's been rootkitted with a VM is if I didn't notice that my games suddenly lost half their framerate, that my harddrive seemed smaller, and that I suddenly had a strange, non-multiple-of-256MB amount of memory after some got appropriated by the Blue Pill.

VM == your 'hardware' stats are less than they should be. If you have a clue what your computer should operate like, it's obvious if it's been pwned this way.

Now, getting RID of such a piece of malware is another story... It was suggested on /. to use an exploit against Blue Pill to VM-rootkit the VM-rootkit.
 
2006-06-30 01:07:17 AM  
So if I give my computer Viagra, it's farked?

/didn't RTFA
 
2006-06-30 01:09:29 AM  
How about we kill some of these black hat bastards? I mean, the only point of them doing this is to be dicks pretty much, and anyone who uses it is a dick, so let's just hack all the black hats like this with a machete..

No, they aren't doing it to be dicks. If they were, they wouldn't have publicized it, they'd just go off and hack a bunch of banks' computers and steal millions and get away with it. Somebody is going to figure it out eventually anyway.
If some nefarious person figured it out first, he wouldn't tell anyone. The people who make computer security would be months behind because they don't even know how it was done yet. At least this way, the security guys are months ahead of the bad guys, instead of months behind.
 
2006-06-30 01:09:53 AM  
Well it was sure nice of these shiatheads to give us a heads up
 
2006-06-30 01:12:39 AM  
Don't people have better things to do than figure this sort of thing out?
 
2006-06-30 01:14:19 AM  
GIS for Joanna Rutkowska.

www.it-defense.de

Blue pills not necessary.
 
2006-06-30 01:14:32 AM  
www.it-defense.de

All together now: "I'd infect it with malware!"
 
2006-06-30 01:14:53 AM  
erik-k

Read the article. The method used takes control of the devices to the point that it reports all devices as normal, and is so lean and clean that it doesn't make a noticeable impact on system resources.

The only reason you know VM is running on a machine is because current VM code is so bulky and resource hogging. This VM is not because it's designed that way.
 
2006-06-30 01:15:48 AM  
You can do this with solaris 10 so I'm guessing other Unixes aren't far behind.

This is why you want to be able to independently verify every bit of key software on the system from boot block to initial code and kernel. These cute binary files with no documentation to start up key programs have to go away because it's just so trivial to hide stuff in them.

erik-k
It's been typical for unix root kits to rewrite ps and top and other stat tools to hide the fact that they are there. It's trivial to hide the tiny memory that a hand-coded VM application would take.
 
2006-06-30 01:17:14 AM  
WaffenSS

How about we kill some of these black hat bastards? I mean, the only point of them doing this is to be dicks pretty much, and anyone who uses it is a dick, so let's just hack all the black hats like this with a machete..

kb7rky [TotalFark]

I hope Joanna Rutkowska dies horribly in a fire of BSOD proportions


Why all the hate for this guy? You're complaining about this engineer, but you should be thanking them. They found the exploit and they're showing it to MS & putting the hack out on display. You know they're working on the fix, or at least detection for this issue. Read the article before you bash the really bright engineer who's helping everyone out by making this public.
 
2006-06-30 01:17:50 AM  
0. You'll never hear anything from true "black hats"

1. NOTHING is undetectable/unremovable

10. This would never even touch any of my systems.

11. I'd like to see a demo nonetheless

Black Hat eh? Who's up for a game of "spot the fed"?
 
2006-06-30 01:18:07 AM  
Darn you, antithetype! Darn you to heck!
 
2006-06-30 01:18:25 AM  
Microsoft needs to do a "win95" type move. Release an OS that's really fresh and new. I mean, Vista? I installed the beta on my extra PC and it's bug city. And there seem to be fewer features than XP.

I have a feeling I am going to have the same longing feelings for XP as I did for ms2000. ms2000 was just a wonderful os.
 
2006-06-30 01:18:33 AM  
Anyone want to translate for those of us who are too lazy to google the word "rootkit"?
 
2006-06-30 01:19:54 AM  
WaffenSS: How about we kill some of these black hat bastards? I mean, the only point of them doing this is to be dicks pretty much, and anyone who uses it is a dick, so let's just hack all the black hats like this with a machete.


Nah, bad idea. Black hats root out the vulnerabilities in these complex systems and point out the critical flaws. It all results in a better product for the end user. Like was said in earlier posts, it's better to have them find the flaws and publish them as an academic exercise than have malicious crackers using the exploits for theft, espionage or worse.
 
2006-06-30 01:23:19 AM  
Pestifier: Darn! So close. Was it good for you?
 
2006-06-30 01:24:24 AM  
Why does the internet hate me for surfing pr0n? Malware should be reserved for places like Hampsterdance...

/so I've been told
 
2006-06-30 01:24:28 AM  
Ok. Seriously, I have tried in vain to get a handle on a lot of this uber-computer geek knowledge of how computers work and such, but every time I try to start learning I start way too far at the beginning.

I know how the switches work and loops and processors and 8 bit memory and on and on. I also can program a lot of so called computer nerds under the table. But I never stuck with learning the higher level OS stuff because I really don't know "what" I don't know or where to go to learn it DIY. Where can I start. Anybody wanna help a brother out. Links? Books? Google search terms? Anything is truly appreciated
 
2006-06-30 01:24:46 AM  
detatched_sr

they already knew, most likely. This is nothing more than a fancified bootsector virus from the DOS days. Detection is the same as well. Once a month or so, boot with the AV disk, and run a rootkit scan. It's only undetectable until you reboot.

And you just make sure you don't run untrusted programs as root. Shame windows users allow software makers to put out code that's so crappy as to require root access for day to day work.
 
2006-06-30 01:24:57 AM  
"Hello Dave."
 
2006-06-30 01:25:31 AM  
I'm still waiting for one reason why anyone would actually want to use vista.
 
2006-06-30 01:25:58 AM  
What's a boot disk?


/actually knows what one is
//is old school
 
2006-06-30 01:28:28 AM  
Nekomusume

I'm still waiting for one reason why anyone would actually want to use vista.

Because it will come preinstalled on new PCs in the next year or so.
 
2006-06-30 01:32:23 AM  
So, let me get this straight...

The actual malware sits on another machine, and executes its processes through a virtual machine on the target victim?

Detection options if this is a scenario:

1. While connected to the internet, run a packet-tracing program (hmmm...Packet Tracer?) and watch the hits pop up. Sure, you'd have to sort through the expected stuff, but there shouldn't be too much.

2. If there is a vm running on your computer, for those of you that have never fired one up, the performance is dramatically reduced. It's more than noticeable.

3. I'm going to guess that the VM is running as a hidden process, as well as Vista or OSX having similar debugs as XP. Simply running msconfig and looking at startup, or processes in general, should locate the culprit for easy blocking. If that doesn't work, downloading or using a built-in advanced process manager that shows hidden processes to locate and quarantine the questionable processes should be not only a detection method, but a cure-all.

Getting rid of the malware is another matter. Root-kits are manageable, but if for some unspeakable reason this one is not, the solution would be to find the port on which the malware is reaching your computer and blocking all traffic on it.

Just some thoughts.
 
2006-06-30 01:32:27 AM  
tattoo_twang

It's 1:31am here, my name is Dave, reading that at this time in this thread managed to freak me out for a split second.

I hope you're happy.
 
2006-06-30 01:35:20 AM  
Oh, and being 64 bit has nothing to deal with this vector of attack. The processor needs to support certain virtualization extensions, AMD and Intel's codenames escaping me. For example, my Athlon 64 laptop is not vulnerable to this attack, because it doesn't have the extensions. My 32 bit intel-based mac mini, OTOH, probably does support these extensions, and thus is vulnerable.
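An added example that is not from this thread: a small C check for the two facts the post above relies on, whether the CPU advertises hardware virtualization (Intel VT-x or AMD SVM, independent of 64-bit mode) and whether a hypervisor has set the CPUID "hypervisor present" bit. Bit positions follow the Intel and AMD CPUID documentation; the struct and function names are this example's own, and a hostile hypervisor that traps CPUID can hide all three bits, so a clear result is not proof of absence.

```c
#include <stdio.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct virt_caps {
    int vmx;        /* Intel VT-x: CPUID.1:ECX bit 5 */
    int svm;        /* AMD SVM: CPUID.80000001h:ECX bit 2 */
    int hypervisor; /* hypervisor present: CPUID.1:ECX bit 31 (set only by cooperative hypervisors) */
};

/* Pure decoder, so the bit logic can be exercised on constructed register values. */
struct virt_caps decode_virt_caps(uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    struct virt_caps c;
    c.vmx = (leaf1_ecx >> 5) & 1u;
    c.svm = (ext1_ecx >> 2) & 1u;
    c.hypervisor = (leaf1_ecx >> 31) & 1u;
    return c;
}

/* Query the running CPU. Returns 1 on x86 builds, 0 (with *out zeroed) elsewhere. */
int query_virt_caps(struct virt_caps *out)
{
    out->vmx = out->svm = out->hypervisor = 0;
#if defined(__x86_64__) || defined(__i386__)
    unsigned a = 0, b = 0, ecx = 0, d = 0, ext_ecx = 0;
    if (!__get_cpuid(1, &a, &b, &ecx, &d))
        return 0;
    /* Extended leaf 80000001h exists only if the CPU reports it as reachable. */
    if (__get_cpuid_max(0x80000000u, NULL) >= 0x80000001u)
        __get_cpuid(0x80000001u, &a, &b, &ext_ecx, &d);
    *out = decode_virt_caps(ecx, ext_ecx);
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    struct virt_caps c;
    if (!query_virt_caps(&c)) { puts("not an x86 build"); return 0; }
    printf("VT-x=%d SVM=%d hypervisor-present=%d\n", c.vmx, c.svm, c.hypervisor);
    printf("(a hypervisor that traps CPUID can clear all of these; absence is not proof)\n");
    return 0;
}
```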
 
2006-06-30 01:37:15 AM  
Of course it's detectable. Simply tune the deflector dish to create an inverse tachyon beam to detect the residual protons from the vm malware, reverse the polarity in the Jeffries tubes to cophase the hypervisor transcpu timing chain within its static warp bubble, and voila, well it's really just a small matter of programming from there.
 
2006-06-30 01:38:00 AM  
So are you saying soon I won't be able to fark anymore?

Thank God still got those amigas.
 
2006-06-30 01:38:58 AM  
Well, isn't that just farkin g-r-e-a-t. It's time to set up a huge hard drive on a server, create a new Ghost image of your main machine on a weekly basis, and get ready to image, image, image. Glad I have several machines at home, and a monster drive on one of them. I feel sorry for people who don't know how to do this shiat. They'll be paying guys like me a lot of money.
 
Displayed 50 of 203 comments

This thread is archived, and closed to new comments.