Rutkowska Gets Last Laugh in Rootkit Cat-and-Mouse Game
By Lisa Vaas


Rebuilding Blue Pill (Page 2 of 2)

Rutkowska has rebuilt Blue Pill from the ground up since she unveiled it one year ago. One new aspect of the Blue Pill update is the ability to nest simulated environments. This addresses one obvious detection technique: To ferret out a virtualized rootkit, create a simulated environment that the rootkit then has to simulate—a simulation within a simulation, in other words. The problem with creating nesting simulations is that they crash the system.

"If I have been Blue Pilled, I would try to create a simulated environment myself, not knowing I'm already in a simulated environment," Allan said. "It wouldn't work, and you'd crash, and that tells you you've been Blue Pilled."


To get around that, Rutkowska has improved Blue Pill's ability to handle nested simulations and has at this point pushed its capability up to 20 nested simulations.

Blue Pill's tough to beat. It's tough to detect. And one problem with the requirements for detecting a virtualized rootkit, Allan said, is that you need a detection strategy that's very sophisticated and very environment-specific. Unfortunately, processors aren't static. They implement things differently and change over time. When that inevitably happens, out goes your environment-specific virtualized rootkit detection.

This is all futuristic at this point. Blue Pill is an attack that's ahead of its time. No real-world attacks have been detected. However, once Vista is more widely adopted, Blue Pill will have its day in the sun. Already, Allan said he's seen the rootkit technology being discussed on underground malware authors' sites.

So yes, Blue Pill is almost certainly on the horizon. And it's not something that will be easy to ignore even if you think you never use virtualization, either. Last year, Allan said, he left Rutkowska's Blue Pill demonstration feeling pretty comfortable. "Watchfire works in [cross-site scripting]," he said. "I used to say, 'Turn off JavaScript—don't enable it in the browser.' Last year my response was, 'This is easy, just block the ability to do virtualization.'"

That's changing, though, Allan said, with virtualization headed toward ubiquity. "I think we'll see virtualization required in the future; used all the time. It's [already] used in legitimate software, as a feature to do something or other. It's used more and more in hardware and in different components."

There are lots of benefits to that, Allan said. Virtualization allows you to run processes in a controlled, sandboxed environment—something you might do as a security feature.

Still, Blue Pill is an esoteric bon-bon; it's an extremely sophisticated attack vector.

But will it become attractive in the future? Yes, given its benefits. It's similar to buffer overflows in the network world, Allan said. Overflows are difficult to find, but the outcome is very powerful. Similarly, Blue Pill is sophisticated and tough to use, but the outcome of its use is attractive, given that it allows compromise of a machine without the user's knowledge.

Should Rutkowska ever have cracked open this Pandora's box, given that there's nothing to be done to protect systems from Blue Pill at this point?

Yes. As Allan said, if the researchers don't release the details, and if they don't get together and talk about them in venues like Black Hat, those with malice in mind will find them first.

Indeed, Blue Pill is a good example of very good disclosure, Allan said. Rutkowska has delivered the details of an entirely futuristic rootkit, arguably far ahead of the time when it will be relevant—particularly when Vista sees widespread adoption and exploitation makes fiscal sense. The far-sighted disclosure she pursues allows researchers to build defenses before seeing exploits in the wild.

Editor's Note: This story was updated to clarify the nature of the virtualization detection methodologies tested by Rutkowska as opposed to described by Ptacek/Lawson/Ferrie, and to correct the omission of Peter Ferrie from the group of researchers challenging the notion of 100% undetectable virtualized rootkits.

This article was originally published on eWeek.com.
