Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game
By Lisa Vaas


(Page 1 of 2)

Updated: The Blue Pill creator shrugs off her challengers' claims of being able to detect her virtualized rootkit.

LAS VEGAS—The conventional wisdom about rootkits is that nothing is undetectable, least of all a rootkit that virtualizes the machine it hides on. Or is it?

At Black Hat here Aug. 1, a group of researchers including Symantec's Peter Ferrie, Nate Lawson and Matasano's Thomas Ptacek launched what they hoped would be a full-body tackle of Joanna Rutkowska's "100% Undetectable" Blue Pill virtualized rootkit, which Rutkowska had unveiled at the same conference a year earlier.


In their presentation, titled "Don't Tell Joanna, The Virtualized Rootkit Is Dead," the researchers detailed how to detect a virtualized rootkit from its footprints, chiefly the extra CPU time a hypervisor burns every time it has to intercept an instruction on the guest's behalf, measured against counters that are external to the system. The counter has to be external because a virtualized rootkit sits at the hypervisor level, between the hardware and the operating system, and controls every direct measurement the system can make of itself, including its own clocks.

The only problem is, by day's end, Rutkowska revealed that the methods simply don't work as advertised. Rutkowska has tested, if not the exact code for her challengers' detection technologies (due to be released any time now), then at least "the exact methods [as] presented and described by my challengers," she said in an e-mail exchange with eWEEK. The methods as described by her challengers include, for example, TLB profiling, which looks for the translation lookaside buffer entries a hypervisor evicts when it runs. And, given that the Ptacek/Lawson/Ferrie team didn't mention anything about the problems with the methods that she went on to describe in her talk, she's "pretty sure they didn't know about them," she said.

"One needs to use special effort (which means additional complexity) to make sure to, e.g., fill the whole TLB L2 buffer," Rutkowska said in her blog, describing just one shortcoming she found (and fixed, incidentally) in the virtualization detection methods.

Even more to the point, Rutkowska said, her challengers' ability to detect virtualization is an entirely separate thing from detecting malware that uses virtualization, as does Blue Pill.

"As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, no matter whether Blue Pilled or not," she said. "In that case … it's actually expected that virtualization is being used for some legitimate purposes. In that case using a 'Blue Pill detector,' that in fact is just a generic virtualization detector, is completely pointless."

In her presentation, "IsGameOver(), anyone?" Rutkowska refuted the Matasano and Symantec researchers' claimed ability to detect Blue Pill and described how the rootkit can run away when somebody tries to track it down using timing measurements.

First, Rutkowska outlined what she calls the Blue Chicken defense: when the rootkit notices it is being timed, it runs away. Because the hypervisor sits between the hardware and the guest and mediates the very instructions a timing probe has to issue, it can tell when somebody is running a timing attack against it. In that case, she removes the hypervisor, so the detector ends up measuring a machine with no hypervisor on it.

Of course, she said, even though the rootkit can tell when a timing attack starts, it's not always possible to tell when the attack has stopped. But it can afford to wait it out. Timing attacks have one fatal flaw: They suck up CPU like mad, up to 50 percent of CPU time by her estimate. That means that while you can sometimes run detection, you sure can't run it all the time, and the rootkit only has to stay out of the way until the probing stops.
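The two sides of that exchange, as an added example that is neither the challengers' detector nor Rutkowska's rootkit code: a minimal CPUID timing probe of the kind the detection talk describes, measured with the CPU's own time-stamp counter, and the sliding-window exit-rate check a Blue Chicken-style hypervisor could use to notice the probe and bail out. The 1,000-cycle trap threshold, the window size, the sample count and the constructed sample arrays are assumptions chosen for illustration, not figures from either talk. The probe reads RDTSC, which a hypervisor can offset or trap; that is the weakness the challengers were avoiding with a counter external to the system, so treat this as the naive internal measurement, not the external one.

```c
/*
 * Added example: a CPUID timing probe of the kind the detection talk
 * describes, and the exit-rate heuristic a Blue Chicken-style hypervisor
 * could use to notice it. Neither the challengers' nor Rutkowska's code;
 * thresholds, window sizes and sample data below are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

#define PROBE_SAMPLES 1024
/* Assumed: CPUID on bare metal takes on the order of 100-300 cycles, while
 * a VM exit plus re-entry adds well over a thousand. */
#define TRAP_THRESHOLD_CYCLES 1000

/* Cycles for one CPUID, read with RDTSC. CPUID exits unconditionally under
 * VT-x and SVM, so a hypervisor must service it. The catch the article
 * raises: RDTSC is itself under the hypervisor's control (offset or trapped),
 * which is why a serious detector uses a counter external to the machine. */
uint64_t cpuid_latency_cycles(void) {
#if HAVE_X86_TIMING
    unsigned int a = 0, b = 0, c = 0, d = 0;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0; /* non-x86 build: nothing to time */
#endif
}

size_t collect_cpuid_samples(uint64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = cpuid_latency_cycles();
    return n;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median, which shrugs off the interrupt and scheduler outliers that any
 * RDTSC loop picks up. Works on a copy so the caller's array is untouched. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Detector verdict: 1 if CPUID looks trapped, 0 if it looks native. */
int looks_virtualized(const uint64_t *samples, size_t n) {
    return median_u64(samples, n) >= TRAP_THRESHOLD_CYCLES;
}

/* The rootkit's side. Its exit handler sees the TSC at every CPUID exit; a
 * detector fires CPUIDs in a tight burst, a running OS does not. Sliding
 * window over exit timestamps (oldest first): 1 means "being timed, unload". */
int burst_detected(const uint64_t *exit_tsc, size_t n,
                   uint64_t window_cycles, size_t max_exits_in_window) {
    size_t head = 0;
    for (size_t i = 0; i < n; i++) {
        while (exit_tsc[i] - exit_tsc[head] > window_cycles) head++;
        if (i - head + 1 > max_exits_in_window) return 1;
    }
    return 0;
}

/* Constructed sample data (not measurements from either talk). */
const uint64_t SAMPLE_NATIVE[7]  = {120, 130, 125, 118, 900, 122, 121};
const uint64_t SAMPLE_TRAPPED[7] = {2100, 2400, 2050, 9000, 2200, 2150, 2300};
const uint64_t EXITS_BURST[5]    = {0, 100, 200, 300, 400};
const uint64_t EXITS_CALM[4]     = {0, 50000, 100000, 150000};

int main(void) {
    static uint64_t live[PROBE_SAMPLES];
    collect_cpuid_samples(live, PROBE_SAMPLES);
    printf("this machine: median CPUID %llu cycles -> %s\n",
           (unsigned long long)median_u64(live, PROBE_SAMPLES),
           looks_virtualized(live, PROBE_SAMPLES) ? "trap-like" : "native-like");
    printf("constructed: native=%d trapped=%d burst=%d calm=%d\n",
           looks_virtualized(SAMPLE_NATIVE, 7), looks_virtualized(SAMPLE_TRAPPED, 7),
           burst_detected(EXITS_BURST, 5, 1000, 3), burst_detected(EXITS_CALM, 4, 1000, 3));
    return 0;
}
```

Run on bare metal the live probe lands near its native baseline; under a hypervisor that traps CPUID it lands far above it, unless the hypervisor lies through RDTSC, which is the whole argument for external counters. The burst heuristic is the cheap half of the game: the hypervisor pays nothing extra to count exits it already handles, while the detector has to keep the CPU busy to get its samples.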

In her rebuttal, Rutkowska also detailed her work to implement the Blue Pill detection systems outlined by Matasano.

Danny Allan, director of security research at Web application security company Watchfire, in Waltham, Mass., said in an interview with eWEEK after Rutkowska's talk that she had made it clear that the people who claimed to be able to detect Blue Pill hadn't actually tested their own methods. She tried them. They didn't work.

How does a system get Blue Pilled? As Rutkowska told eWEEK last year, the idea is simple: "Your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly [i.e., without restarting the system] and there is no performance penalty." Blue Pill doesn't rely on any bug pertaining to the underlying operating system. The original working prototype was implemented for Vista x64, but she saw "no reasons why it should not be possible to port it to other operating systems, like Linux or BSD, which can be run on x64 platform."


Now, a year later, Rutkowska described how Blue Pill can get onto systems via either vulnerable drivers, of which there is no shortage, or maliciously crafted drivers.

In fact, she tested her assumption that it would be easy to get a malicious driver signed and accepted. It took her 2 hours and $250. If she were a black hat up to no good, she said, she'd post the signed driver on her site. It wouldn't have to be a popular download, she said: as long as it is digitally signed, once the code lands on a machine, Vista will automatically install it.

Next Page: Rebuilding Blue Pill.
