"Blue Pill" Malware

  • Thread starter: Mark D. VandenBerg
Hmmm... The line in there that I noticed was

...snip.. "the new Blue Pill concept uses AMD's SVM/Pacifica virtualization
technology to create an ultra-thin hypervisor that takes complete control of
the underlying operating system." ..snip..

Wonder if that means it only affects AMD systems...lol


--
Takali S. Omega
Manager, Raven Mill Computers
Owner, SynTaks E-Works
Host of TechTAK on KFAR 660am
------------------------------------------------------------
ASUS P5N32SLI Deluxe
Intel Presler Pentium D 950
2GB OCZ DDR2-800
2x eVGA 7600 SLI
2x WD 250 SATA2
-------------------------------------


| This, and other similar reports are suggesting a fundamental security
| breach exists in Windows Vista x64. Is there any validity to this?
|
| Here's the link, but it's prevalent in searches as well:
|
| http://www.eweek.com/article2/0,1895,1983037,00.asp
|
| --
| Mark
|
| Keeping the fun in dysfunctional!
|
 
True enough, but the part that should concern people is that, if this
concept is true, this is not specific to Windows, but viable with Linux as
well.
 
Depends on the delivery package.

Mark D. VandenBerg said:
True enough, but the part that should concern people is that, if this
concept is true, this is not specific to Windows, but viable with Linux as
well.
 
Right...which seems almost humorous to me. Sorry if that sounds bad, but it
will remove a thorn in my side from the debates with my LFWPT and the idea
that Linux is totally secure and is absolutely immune to attack...same goes
for Mac users.

It will be interesting to see if anyone makes use of it. I have a show to
do in an hour and a half and will bring it up just as a matter of reference.

I don't mean to plug my show, but since the topic this week is Vista, I
figgered maybe some of you might be interested. You can listen in on the
stream at the website. http://www.techtak.com The site will be totally
redesigned later this coming week, as I hate what it looks like now. It's
not a "fancy" Kim Komando kind of show, but mostly just me and my wife
bantering back and forth. It's a small show. We have fun doing it, but we
really want to start getting serious about Vista on it, so we appreciate any
feedback from folks. (Might even be nice to have some halfway knowledgeable
people call in...lol)

I sure hope Vista doesn't turn out to be a great OS and still be the bashing
bag like the rest just because people hate MS so much. So far, to be
honest, I like Vista x64. Of course it has some bugs...maybe even a lot of
them...but that's why we get the honor of beta testing it.

One question I've been meaning to ask folks on the ng... How many of you
are reporting your problems and/or solutions to the MS feedback system for
the Beta? You DO realize, I hope, that that's what this beta release is
for, right? To let them know of the problems you find?

--
Takali S. Omega
Manager, Raven Mill Computers
Owner, SynTaks E-Works
Host of TechTAK on KFAR 660am
------------------------------------------------------------
ASUS P5N32SLI Deluxe
Intel Presler Pentium D 950
2GB OCZ DDR2-800
2x eVGA 7600 SLI
2x WD 250 SATA2
-------------------------------------


| True enough, but the part that should concern people is that, if this
| concept is true, this is not specific to Windows, but viable with Linux as
| well.
|
| --
| Mark
|
| Keeping the fun in dysfunctional!
|
| > The AMD Pacifica and Intel VT technologies are different.
 
I have cruised 20-25 different articles about this and there is no mention
of the delivery process, other than "generically injected into the kernel."
There will be a demonstration in Singapore on 18 July, and then another at
Black Hat, so perhaps in a week or so I'll revisit this.
 
Simple theory: if you can create something for good, evil is short to
follow.

At first when I saw the article I thought the author was a zealous Intel
only out to bash AMD. However reading the article only made me wonder if
"all" virtual machines technology can be implemented in a devious way,
not just AMD's. I do know that Intel's VT is different, as well as other
processor manufacturers'.

Also, we were discussing this at my shop well before the article ever
broke and just kicking ideas around how VMT could help virus/malware
scanners. Provided that the entire computer is separated by VMTs, the
concept we came up with is to "freeze" a virtual machine, scan it
completely from an outside source (i.e. another VMT). After which, the VMT
is cleaned and resumed like nothing happened.

-Luke
 
This is a great second step. However, the question I have, is how would you
detect this on a computer in the first place to know whether or not this has
happened?
 
Like I said, it was just a theory we kicked around at the shop a while
back. But if you want to try to implement it, I would first start with
some type of VMT monitor, like I use under Linux.

If they can completely hide such VMT like the article suggested, then
the VMT should be pulling some resources to be allocated by the
computer. Which in that case the scanner should implement a complete
system "freeze" with the exception of the VMT that is scanning the
others. Each resource at this point can be traced back to the
originating VMT and what program running on top of the VMT. Thus
flushing out the "hidden" VMT and its virus/malware also hidden inside.

We can only pray that virus/malware writers may not be smart enough to
implement such a feat for their advantage.

-Luke
 
The author proposes that the code emulates the proper scan results or uses
no resources. She really is not revealing much, even in her own blog or on
the company site.

The only theoretical prevention I have read is preemptively running a
hypervisor since there can be only one.

I almost want to go to Black Hat and see this for myself.
 
Luke Fitzwater wrote on 7/9/2006 7:14 PM:
We can only pray that virus/malware writers may not be smart enough to
implement such a feat for their advantage.
Once it gets packaged up real nice and easy and released to the script
kiddies, all is lost.

Computers will now need ignition switches and keys, like autos, to
prevent virtual machine trojans.
 
I still can't see how it can run without using any resources, it may
use very little, but none at all would not be running at all.

If it does emulate a complete system inside a system, there should still
be tell-tale signs of another system around it. If it is that good of an
emulation that it is fooling the interior system, countermeasures
should be in place by the time any real threats of said virus/malware
have arrived.

Let us know how Black Hat goes, I'm RSS feeding from their site now,
just couldn't jump a plane to be there.

-Luke
 
I was thinking of more along the lines of a personal bluetooth
identification device or a smart card swipe. Both computer and device
shake hands and share an encrypted file to authenticate user.

Without this "key" the computer will ignore all system level changes.
When the "key" is present, the computer will check with the computer
operator. Very similar to the way Vista does the "zero zone".

Security is always a preemptive task. The longer you wait, the bigger
the mess you have to clean up.

-Luke
 
Actually, we will be. Our new time and format starts on August 12th, and
I'm *TRYING* to get the podcasting set up for then. If nothing else, we'll
at least have archive shows via mp3 or some such.

My only problem now is getting the new website design up and running, which
I've been trying to do for the last 2 months and have been too busy. (I
blame this on MS for releasing B2 during the time when I was supposed to be
redesigning the site.)

--
Takali S. Omega Sr
Host of TechTAK on KFAR 660am
--------------------------------------------------------
No matter how fast light travels it finds
the darkness has always got there first,
and is waiting for it.

| Do you podcast these shows?
 
Please add me to your mailing list at (e-mail address removed). Yes, my name
is misspelled, but the addy is right.
 