Blue Pill virtualisation rootkit freely available

Discussion in 'other security issues & news' started by Meriadoc, Aug 3, 2007.

Thread Status:
Not open for further replies.
  1. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    heise Security

     
  2. LUSHER

    LUSHER Registered Member

    Joined:
    Feb 28, 2007
    Posts:
    440
    oh my oh my... time to panic guys...

    Nothing can detect this, not even rootkit unhooker...
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    Relax... You need to have a certain brand of mobo for this thing to work if at all.
    Second, someone's gonna get famous for this little new Y2K style panic, and that ain't you or me.

    Chill, enjoy, don't get too excited.

    For every threat there's a counter-threat. I believe it won't be more than a month before someone pulls something that can detect this - and thus become famous himself/herself.

    Mrk
     
  4. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
  5. controler

    controler Guest

  6. diginsight

    diginsight Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    225
    Location:
    Netherlands
    This is not about the challenge, but about matasano's response to the source code.

    Edit:
    I also disagree that everything can be found on Joanna's blog ;)
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    There's just too much noise for bp to be undetectable, whether this is a detection of blue pill is another thing.
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    loooool, guys we need the counterforce, the supa-dupa pill-eater,
    let us shut-up this pilly paranoia forever *loooool*
     
  9. Blue Ring

    Blue Ring Registered Member

    Joined:
    Apr 13, 2007
    Posts:
    100
    So would any hips software, like ProSecurity or EQsecure, prevent the install of a virtual rootkit? It should in most cases, right? But how about after it's installed? Is there any chance of a hips picking up on it then?
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I assume they corrupt virtual/memory in this way they maybe/likely bypass anything. That means the <unknown> is in everything.
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    Yes, they will. Even the worst infection begins with a simple exe.
    Mrk
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Are you sure? Remember the bodiless virus... see Dr.Web;
    they can only detect this network ghost, and it has neither an exe nor anything
    that looks like a file.
     
  13. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,
    It all begins with execution.
    Period.
    Mrk
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This bodiless SQL worm isn't executed; it spreads itself through the internet/network without any files.

    False, I used a usual home PC, and Dr.Web and BlackICE IDS found SQL Slammer years ago on my system, and I did not install any special server.
     
  15. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hello,

    Can you see the contradiction?

    The worm is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host that is running an unpatched copy of Microsoft SQL Server Resolution Service, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program.
    The worm is so small that it does not contain code to write itself to disk, so it only stays in memory...

    Hmm, hmm ... holy spirit ... poltergeist ah?

    Infection begins with an executable WHATEVER being run somewhere. Whether it runs in memory or in the printer or microwave oven is not important.

    Mrk
     
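The Slammer description quoted in the post above (random target generation, a single datagram per target, nothing written to disk) is exactly the behaviour a network-side detector can catch even when no file ever lands on the host. The following is an added example, not code from the thread or from any product mentioned in it: it parses constructed flow records (the line format is invented here) and flags any source that sends UDP datagrams to many distinct destinations on port 1434, the Microsoft SQL Server Resolution Service port Slammer targeted, within a short sliding window. Slow, legitimate lookups and TCP traffic on the same port are deliberately included so the threshold logic has something to ignore.

```python
"""Fan-out detector for memory-only scanning worms (added example).

Constructed flow records, one per datagram:
    "<epoch_seconds> <src_ip> <dst_ip> <proto> <dst_port> <bytes>"
The format and the sample traffic are made up for this example.
"""
from collections import defaultdict

# UDP/1434 is the Microsoft SQL Server Resolution Service port that Slammer hit.
SSRS_PORT = 1434

# Constructed sample (not real capture data):
#   10.0.0.5  - two lookups to one real SQL host: benign
#   10.0.0.7  - six distinct destinations within two seconds: worm-like spray
#   10.0.0.8  - five destinations, but spread over a minute: slow, not flagged by default
#   10.0.0.9  - TCP on 1434, wrong protocol, ignored
SAMPLE_FLOWS = """\
1059900000 10.0.0.5 10.0.0.9 udp 1434 60
1059900004 10.0.0.5 10.0.0.9 udp 1434 60
1059900001 10.0.0.7 203.0.113.44 udp 1434 404
1059900001 10.0.0.7 198.51.100.12 udp 1434 404
1059900002 10.0.0.7 192.0.2.77 udp 1434 404
1059900002 10.0.0.7 203.0.113.9 udp 1434 404
1059900003 10.0.0.7 198.51.100.200 udp 1434 404
1059900003 10.0.0.7 192.0.2.3 udp 1434 404
1059900005 10.0.0.8 192.0.2.10 udp 1434 60
1059900020 10.0.0.8 192.0.2.11 udp 1434 60
1059900035 10.0.0.8 192.0.2.12 udp 1434 60
1059900050 10.0.0.8 192.0.2.13 udp 1434 60
1059900065 10.0.0.8 192.0.2.14 udp 1434 60
1059900006 10.0.0.9 203.0.113.44 tcp 1434 60
"""


def parse_flows(text):
    """Parse the constructed flow format into (ts, src, dst, proto, port, size) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, port, size = line.split()
        records.append((int(ts), src, dst, proto.lower(), int(port), int(size)))
    return records


def find_sprayers(records, window=10, min_targets=5, port=SSRS_PORT):
    """Return {src_ip: max_distinct_destinations} for sources that reach at least
    `min_targets` distinct hosts on UDP/`port` inside any `window`-second span.

    A sliding window over the per-source event list means a slow scanner that
    touches the same number of hosts over a much longer time is not reported
    unless the caller widens the window.
    """
    by_src = defaultdict(list)
    for ts, src, dst, proto, dport, _size in records:
        if proto == "udp" and dport == port:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best, left = 0, 0
        for right in range(len(events)):
            # Drop events that fell out of the window ending at events[right].
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in events[left:right + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, count in sorted(find_sprayers(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{src}: {count} distinct UDP/{SSRS_PORT} targets inside a 10 s window")
```

With the default settings only 10.0.0.7 is reported; raising `window` to 100 seconds also surfaces the slow 10.0.0.8 scanner, which is the usual trade-off between catching patient scanning and tolerating a busy but legitimate client.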