We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message
80,259 News Articles

Blue Pill malware is 'undetectable' in Vista

Windows users might have to dump virtualisation

The researcher who developed Blue Pill, an attempt at producing undetectable malware for Windows Vista, is working on a stealthier version that could be finished within the next few months.

Polish malware specialist Joanna Rutkowska, who works as a senior researcher at Singapore's Computer Security Initiative Consultancy Pte, unveiled a prototype of Blue Pill earlier this year. "Blue Pill is about hijacking an OS [operating system], moving into a virtual machine, and taking control of it," she said during an interview at the HITB (Hack In The Box Security Conference) in Kuala Lumpur, Malaysia.

Blue Pill works by taking advantage of hardware virtualisation technology in AMD and Intel processors. Virtualisation allows computers to simultaneously run multiple OSes and applications in separate partitions. "Using this virtualisation technology should allow us to develop malware that is 100 percent undetectable," Rutkowska said.

The Blue Pill prototype demonstrated earlier this year came close to achieving this goal, but timing how long a computer takes to complete a given operation can theoretically be used to detect whether or not Blue Pill is running on a computer, Rutkowska said. She is now working on a new version of Blue Pill that is not detectable using this method.

One way to defend against Blue Pill is to disable the virtualisation capability in the processors, but that would be fiercely opposed by chip makers. "People spent years developing those new processors with virtualisation, and now you buy those new processors just to disable the virtualisation, right? Where's the logic?" she asked.

A more practical defence is for Microsoft to disable the paging of kernel memory in Vista, which means loading the kernel code and drivers, approximately 80MB of data, into main memory. This would prevent Blue Pill from accessing the kernel and executing code. "Who cares about 80MB? That's why I'm so surprised that even though I showed this attack at the end of July at the SysCan conference, it still hasn't been fixed in RC1," Rutkowska said, referring to the latest pre-production version of Vista.

In response, a Microsoft security specialist said the company continues to work on improving the security of Vista RC1 before the production version is shipped to customers. "There's still a few months before the final [version] does get released," said Mike Reavey, operations manager at the Microsoft Security Response Center.

IDG UK Sites

Windows 10 for phones UK release date, price and new features: When will my phone get Windows 10?

IDG UK Sites

It's World Backup Day 2015! Don't wait another minute: back up now

IDG UK Sites

Get the free Adobe Comp CC iPad app for rapid layout design

IDG UK Sites

New 13-inch Retina MacBook Pro (early 2015, 2.7GHz) review: Just about the greatest upgrade any...