Blue Pill virtualisation rootkit freely available

heise Security

 

oh my oh my... time to panic guys...

Nothing can detect this, not even rootkit unhooker...

 

Hello,

Relax... You need to have a certain brand of mobo for this thing to work if at all.
Second, someone's gonna get famous for this little new Y2K style panic, and that ain't you or me.

Chill, enjoy, don't get too excited.

For every threat there's a counter-threat. I believe it won't be more than a month before someone pulls something that can detect this - and thus become famous himself/herself.

Mrk

 

No need to panic: we can trivially detect NBP on any mainstream operating system.

 

Everything you want to read about the challange can be found on Joanna's web blog, with answers and questions from both sides.
Joanna is looking to receive 200 dollars per hour for two people to take this challange. I wonder who pays her - him for the time preparing for Black Hat?

http://theinvisiblethings.blogspot.com/2007/06/were-ready-for-ptaceks-challenge.html



controler

 

This is not about the challenge, but about matasano's response to the source code.

Edit:
I also disagree, that everything can be found on Joanna's blog

 

There's just too much noise for bp to be undetectable, whether this is a detection of blue pill is another thing.

 

loooool, guys we need the counterforce, the supa-dupa pill-eater,
let us shut-up this pilly paranoia forever *loooool*

 

So would any hips software, like ProSecurity or EQsecure, prevent the install of a virtual rootkit? It should in most cases, right? But how about after it's installed? Is there any chance of a hips picking up on it then?

 

I assume they corrupt virtual/memory in this way they maybe/likely bypass anything. That means the <unknown> is in everything.

 

Hello,
Yes, they will. Even the worst infection begins with simple exe.
Mrk

 

Are you sure? Remember the bodiless virus.. see dr.web,
they only can detect this network ghost and it has neither exe nor anything
that looks like a file.

 

Hello,
It all begins with execution.
Period.
Mrk

 

This bodiless SQL-worm isn´t executed it spreads itself through internet/network without any files.

False, I used usual Home Pc and Dr.Web and Black Ice IDS found SQL-Slammer years ago on my system and I did not install any special Server.

 

Hello,

Can you see the contradiction?

The worm is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
The worm is so small that it does not contain code to write itself to disk, so it only stays in memory...

Hmm, hmm ... holy spirit ... poltergeist ah?

Infection begins with an executable WHATEVER being run somewhere. Whether ir runs in memory or in the printer or microwave over is not important.

Mrk