Blue Pill virtualisation rootkit freely available
Meriadoc
August 3rd, 2007, 08:17 PM
{QUOTE-> Rootkit specialist Joanna Rutkowska has provided open access to the source code...which has been rewritten from scratch. <-QUOTE}
heise Security (http://www.heise-security.co.uk/news/93761/from/atom10)
{QUOTE-> The original Blue Pill proof of concept code has been written by Joanna Rutkowska, while working for COSEINC, and presented at the Black Hat Briefings 2006 in Las Vegas on August 3rd. Joanna Rutkowska then formed a small team of researchers inside COSEINC, Advanced Malware Labs, which was supposed to focus on further research into virtualization based malware. However after just a few months the priorities of work have been shifted, resulting in Blue Pill research activities being ceased.
In April 2007 Joanna Rutkowska decided to quit COSEINC and start her own security consulting firm, Invisible Things Lab. In May 2007 Alexander Tereshkin, a former member of COSEINC AML, joined ITL as a principal researcher. Joanna Rutkowska and Alexander Tereshkin decided to redesign and write from scratch the New Blue Pill rootkit, so that it would be possible to use it for further research and for educational purposes. Most of the New Blue Pill’s code was developed by Alexander Tereshkin.
The New Blue Pill is significantly different from the original Blue Pill, not only because of the various features that it implements, but also because of the different architecture it was based on (HVM-like approach, similar to that used by XEN 3). - bluepillproject.org (http://www.bluepillproject.org/) <-QUOTE}
LUSHER
August 4th, 2007, 04:44 AM
oh my oh my... time to panic guys...
Nothing can detect this, not even rootkit unhooker...
Mrkvonic
August 5th, 2007, 02:46 AM
Hello,
Relax... You need to have a certain brand of mobo for this thing to work if at all.
Second, someone's gonna get famous for this little new Y2K style panic, and that ain't you or me.
Chill, enjoy, don't get too excited.
For every threat there's a counter-threat. I believe it won't be more than a month before someone pulls something that can detect this - and thus become famous himself/herself.
Mrk
diginsight
August 12th, 2007, 12:08 PM
{QUOTE-> oh my oh my... time to panic guys...
Nothing can detect this, not even rootkit unhooker... <-QUOTE}
No need to panic: we can trivially detect NBP on any mainstream operating system. (http://www.matasano.com/log/924/joannas-response-to-our-talk/)
controler
August 12th, 2007, 02:28 PM
Everything you want to read about the challenge can be found on Joanna's web blog, with answers and questions from both sides.
Joanna is looking to receive 200 dollars per hour for two people to take this challenge. I wonder who pays her - him for the time preparing for Black Hat?
http://theinvisiblethings.blogspot.com/2007/06/were-ready-for-ptaceks-challenge.html
controler
diginsight
August 12th, 2007, 03:10 PM
This is not about the challenge, but about matasano's response to the source code.
Edit:
I also disagree that everything can be found on Joanna's blog ;)
Meriadoc
August 12th, 2007, 03:26 PM
There's just too much noise for bp to be undetectable, whether this is a detection of blue pill is another thing.
SystemJunkie
August 12th, 2007, 06:38 PM
{QUOTE-> oh my oh my... time to panic guys...
Nothing can detect this, not even rootkit unhooker... <-QUOTE}
loooool, guys we need the counterforce, the supa-dupa pill-eater,
let us shut-up this pilly paranoia forever *loooool*
Blue Ring
August 12th, 2007, 09:09 PM
So would any hips software, like ProSecurity or EQsecure, prevent the install of a virtual rootkit? It should in most cases, right? But how about after it's installed? Is there any chance of a hips picking up on it then?
SystemJunkie
August 13th, 2007, 07:08 AM
{QUOTE-> So would any hips software, like ProSecurity or EQsecure, prevent the install of a virtual rootkit? It should in most cases, right? But how about after it's installed? Is there any chance of a hips picking up on it then? <-QUOTE}
I assume they corrupt virtual/memory in this way they maybe/likely bypass anything. That means the <unknown> is in everything.
Mrkvonic
August 13th, 2007, 08:02 AM
Hello,
Yes, they will. Even the worst infection begins with a simple exe.
Mrk
SystemJunkie
August 13th, 2007, 08:42 AM
{QUOTE-> Hello,
Yes, they will. Even the worst infection begins with a simple exe. <-QUOTE}
Are you sure? Remember the bodiless virus.. see dr.web,
they only can detect this network ghost and it has neither exe nor anything
that looks like a file.
Mrkvonic
August 13th, 2007, 10:56 AM
Hello,
It all begins with execution.
Period.
Mrk
SystemJunkie
August 13th, 2007, 01:45 PM
This bodiless SQL worm isn't executed; it spreads itself through the internet/network without any files.
{QUOTE-> The SQL slammer worm is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic, starting at 05:30 UTC on January 25, 2003. It spread rapidly, infecting most of its 75,000 victims within ten minutes. W3 Media's Senior Web Developer and Technical Manager Ben Koshy has been credited with being the first person to identify the so-called 'Slammer' virus. Although titled "SQL slammer worm", the program did not use the SQL language; it exploited a buffer overflow bug in Microsoft's flagship SQL Server and Desktop Engine database products, for which a patch had been released six months earlier in MS02-039. Other names include W32.SQLExp.Worm, <-QUOTE}
{QUOTE-> Technical details
The worm is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
The worm is so small that it does not contain code to write itself to disk, so it only stays in memory, <-QUOTE}
{QUOTE-> Home PCs are generally not vulnerable to this worm unless they have MSDE installed. <-QUOTE} False, I used a usual home PC and Dr.Web and Black Ice IDS found SQL Slammer years ago on my system and I did not install any special server.
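The memory-only worm described in the quoted text is exactly the case where file scanning sees nothing, so the practical signal is its network behaviour: one small UDP datagram to many random hosts on the SQL Server Resolution Service port, UDP/1434. Added example (not from this thread or any of its posters) of that check over constructed firewall log lines; the log format, addresses and thresholds are assumptions, only the 1434 port is the worm's real target.

```python
"""Network-side detection of a memory-only worm like SQL Slammer.
Added example, not from this thread: Slammer never wrote a file, so the
signal is its traffic: one small UDP datagram to many random hosts on the
SQL Server Resolution Service port, UDP/1434. Log format, addresses and
thresholds are constructed assumptions, not the worm's exact numbers."""
import re
from collections import defaultdict

# Constructed firewall log: 10.0.0.7 sprays UDP/1434; 10.0.0.12 is a normal client.
SAMPLE_LOG = """\
2003-01-25T05:30:01Z ALLOW UDP 10.0.0.7:1337 -> 203.0.113.4:1434 len=404
2003-01-25T05:30:01Z ALLOW UDP 10.0.0.7:1337 -> 198.51.100.9:1434 len=404
2003-01-25T05:30:01Z ALLOW UDP 10.0.0.7:1337 -> 192.0.2.77:1434 len=404
2003-01-25T05:30:01Z ALLOW UDP 10.0.0.7:1337 -> 203.0.113.250:1434 len=404
2003-01-25T05:30:02Z ALLOW UDP 10.0.0.7:1337 -> 198.51.100.130:1434 len=404
2003-01-25T05:30:02Z ALLOW UDP 10.0.0.12:53412 -> 192.0.2.1:53 len=62
2003-01-25T05:30:02Z ALLOW UDP 10.0.0.12:50001 -> 10.0.0.20:1434 len=60
2003-01-25T05:30:03Z ALLOW TCP 10.0.0.12:50002 -> 10.0.0.20:1433 len=1200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["len"] = int(rec["len"])
    return rec


def slammer_suspects(lines, min_targets=5, max_len=512):
    """Map each source to its count of distinct UDP/1434 targets, keeping only
    sources that hit at least min_targets hosts with datagrams <= max_len bytes.
    One query to one SQL Browser instance is normal; wide fan-out is not."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["dport"] == "1434" and rec["len"] <= max_len:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    for src, n in slammer_suspects(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} distinct UDP/1434 targets, Slammer-like fan-out")
```

The same fan-out test works on any flow source that gives you source, destination, protocol, port and size, which is why an IDS could flag Slammer on a host that had no file for an antivirus scanner to find.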
Mrkvonic
August 13th, 2007, 02:11 PM
Hello,
Can you see the contradiction?
The worm is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
The worm is so small that it does not contain code to write itself to disk, so it only stays in memory...
Hmm, hmm ... holy spirit ... poltergeist ah?
Infection begins with an executable WHATEVER being run somewhere. Whether it runs in memory or in the printer or microwave oven is not important.
Mrk