Archive for June, 2006

Blue Pill A Threat To Vista

Thursday, June 29th, 2006

Joanna Rutkowska, a researcher at the Singapore-based IT security firm COSEINC, has developed proof-of-concept malware that is 100% undetectable on the machine it has infected. In her blog on Invisiblething.org, Joanna says that she developed the malware to work with AMD’s SVM/Pacifica virtualization technology and has called it Blue Pill. Joanna had previously worked on code called Red Pill, which can detect whether code is running under a Virtual Machine Monitor.
The virtual machine monitor, also called a hypervisor, can take control of an entire operating system.
Joanna said, “The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices”.
Joanna plans to demonstrate her proof-of-concept code at the Black Hat gathering in August. She will show how she can insert malware into a Vista installation that is totally undetectable. The user will not see any sign that such a big development has occurred on their computer.

Keep Safe

regards
Steo
www.antirootkit.com

Legitimate Applications soften Vista rootkit security

Friday, June 9th, 2006

Windows Vista will be the next generation of the Windows operating system. It is due out sometime in early 2007. It was thought that Microsoft would make Vista extremely secure, but Austin Wilson, Director of Product Management for Vista Security, said that the two most important aspects of rootkit elimination have been left out of the 32-bit version of Vista. The 32-bit version of Vista is aimed more at the normal user market (home users and business users), while the 64-bit version will be more for the server market because of the extra costs involved.

The two important security additions left out are called Kernel Patch Protection and Driver Signing. Kernel Patch Protection stops applications from modifying the Vista kernel. Patching the kernel is a technique used by many legitimate applications, such as anti-virus and other security software. Because there are many applications out there that patch the kernel, Microsoft hopes to add Kernel Patch Protection to the 32-bit version of Vista in the future. Microsoft said that they would be working with software manufacturers to overcome their need to patch the kernel in Vista, and that they would then be able to implement Kernel Patch Protection on the 32-bit version of Vista.

This means that for the foreseeable future users will still have problems with Vista and rootkits. The one area where Vista does combat rootkits is User Account Control, which has users run as non-administrators, so that applications cannot be installed for lack of permissions. It will be interesting to see how quickly attackers come out with new rootkits specifically designed to overcome any of the new enhancements that Vista will have.

Keep Safe

regards
Steo
www.antirootkit.com