Blue Pill: Hard To Detect
A researcher has developed a program called "Blue Pill" whose purpose is to show how malware could remain undetected on computers running Microsoft Corp.'s "Windows Vista" operating system. The researcher is now working on an even stealthier version that is likely to be finished within the next few months.
Polish researcher Joanna Rutkowska first developed and demonstrated Blue Pill on the second 'beta' release of Vista. Rutkowska expressed surprise on finding that the latest pre-production release of Vista, RC1, still contains no defense against Blue Pill.
Blue Pill works by abusing the hardware virtualization technology built into recent 'processors' from "Advanced Micro Devices Inc." and "Intel Corp". Virtualization lets a PC run several operating systems and applications at the same time in separate partitions. Rutkowska says the same technology, turned against the user, makes it possible to build malware that slips underneath the running operating system as a thin hypervisor and is therefore practically undetectable.
Once loaded on a PC, Blue Pill can intercept every operation the system performs. When it was demonstrated earlier this year it came close to its goal of being undetectable. Its one weakness is timing: the total time the computer takes to complete a given operation is longer under Blue Pill than on an unmodified machine, so a program can, at least in theory, detect whether Blue Pill is running by timing such operations. Rutkowska is now developing a new version of Blue Pill intended to escape detection by this method as well.
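The timing check described above, as an added example that is not part of the original article or of Rutkowska's own code. It assumes an x86-64 build with GCC or Clang. The instruction timed is CPUID: under Intel VT-x it always traps to the hypervisor, and under AMD-V it does so whenever the hypervisor intercepts it, so its cycle cost jumps from a couple of hundred cycles on bare metal to thousands when a hypervisor sits underneath the operating system. The sample count and the ratio threshold are assumptions to be calibrated on known-clean hardware.

```c
/* Added example: a user-mode timing probe for a hypervisor-based rootkit.
 * Not part of the article or of Blue Pill itself. Assumes x86-64 + GCC/Clang.
 * CPUID exits to the hypervisor unconditionally under Intel VT-x (and under
 * AMD-V whenever the hypervisor intercepts it), so its cycle cost is the
 * "total time for a given operation" that the article says can betray Blue Pill.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__)
#define HAVE_X86_PROBE 1
/* Read the time-stamp counter. The LFENCE keeps earlier instructions from
 * being reordered past the read (serializing on Intel; on older AMD parts it
 * is only a load fence unless the OS has enabled dispatch serialization). */
static inline uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}
/* CPUID leaf 0: the instruction whose VM exit we want to time. */
static inline void probe_cpuid(void) {
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d) : : "memory");
    (void)b; (void)c; (void)d;
}
#else
#define HAVE_X86_PROBE 0
#endif

/* Minimum of `samples` timings of one CPUID (0 if the probe cannot run here).
 * The minimum is used rather than the mean: interrupts, cache misses and
 * scheduler noise only ever inflate a sample, never shrink it. */
uint64_t min_cpuid_cycles(int samples) {
#if HAVE_X86_PROBE
    if (samples <= 0) return 0;
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        probe_cpuid();
        uint64_t dt = read_tsc() - t0;
        if (dt < best) best = dt;
    }
    return best;
#else
    (void)samples;
    return 0;
#endif
}

/* Minimum cost of an empty timed region: the overhead of the two TSC reads.
 * Used as a baseline so the decision is a ratio, not an absolute cycle count
 * that would differ between CPU models. */
uint64_t min_empty_cycles(int samples) {
#if HAVE_X86_PROBE
    if (samples <= 0) return 0;
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        uint64_t dt = read_tsc() - t0;
        if (dt < best) best = dt;
    }
    return best;
#else
    (void)samples;
    return 0;
#endif
}

/* Returns 1 if CPUID costs at least `ratio_threshold` times the empty region,
 * which is the signature of a VM exit; 0 if the cost looks native.
 * The threshold (20 below) is an assumption; calibrate on known-clean hardware. */
int hypervisor_suspected(uint64_t cpuid_cycles, uint64_t empty_cycles,
                         uint64_t ratio_threshold) {
    if (empty_cycles == 0) empty_cycles = 1;   /* avoid division by zero */
    return (cpuid_cycles / empty_cycles) >= ratio_threshold;
}

int main(void) {
    const int samples = 2000;                /* assumed sample count */
    const uint64_t threshold = 20;           /* assumed ratio; see above */
    uint64_t cpuid_cost = min_cpuid_cycles(samples);
    uint64_t empty_cost = min_empty_cycles(samples);
    if (!HAVE_X86_PROBE) {
        puts("probe not available on this architecture");
        return 0;
    }
    printf("min CPUID cost: %" PRIu64 " cycles, empty region: %" PRIu64 " cycles\n",
           cpuid_cost, empty_cost);
    printf("verdict: %s\n",
           hypervisor_suspected(cpuid_cost, empty_cost, threshold)
               ? "hypervisor suspected" : "looks native");
    return 0;
}
```

Compile with `gcc -O2 probe.c` and run on the suspect machine. Two caveats apply: under AMD-V a hypervisor can choose not to intercept CPUID at all, and any hypervisor can adjust the guest's view of the time-stamp counter to hide its own overhead, which is the kind of countermeasure the article says Rutkowska is building into the next version. A probe of this kind therefore raises suspicion; it does not prove absence.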
With such malware in the picture, Microsoft is trying to improve the overall security of its products. According to Schneier, if the company thinks its progress in this area is enough, then it can rest at ease; but if it is not, then more needs to be done. Microsoft will fix the problem to the extent that its economic losses warrant.
One defense against Blue Pill is to disable the 'paging' of 'kernel memory' in Vista. This means that 'kernel code' and drivers, some 80 MB of data in total, must stay resident in main memory instead of being swapped out to disk. Blue Pill gets its code into the kernel by altering paged-out kernel code on disk and waiting for it to be paged back in, so with kernel paging disabled it can no longer reach the kernel to execute its code. (In Windows this is the DisablePagingExecutive value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management.)
While Microsoft continues to work on improving Vista's security, it has given no assurance that the production version of Vista will include changes to avert Blue Pill attacks.
» SPAMfighter News - 28-09-2006