Researchers: 'Blue Pill' Rootkit Detectable

Joanna Rutkowska, the security researcher who one year ago built a working prototype, code-named Blue Pill, of a rootkit capable of creating malware that remains "100 percent undetectable," has tacitly conceded to a group of security researchers that the detector code they cooked up in the past month will in fact ferret out Blue Pill—at this point in its development, at any rate. Tom Ptacek, security researcher and founder of New York-based Matasano Security, posted a note on June 27 saying that he, along with his fellow security researchers who had worked on hypervisor rootkit detection, were inviting Rutkowska to a challenge at Black Hat Briefings in Las Vegas sometime on Aug. 1 or 2.

"Joanna, we respectfully request terms under which you'd agree to an 'undetectable rootkit detection challenge.' We'll concede almost anything reasonable; we want the same access to the (possibly-)infected machine that any anti-virus software would get," Ptacek wrote. Rutkowska posted a message saying she was ready for the challenge. But she stipulated that the challenging researchers—Ptacek, Nate Lawson of Root Labs, Symantec researcher Peter Ferrie and Matasano's Dino Dai Zovi—fund two people, full-time for six months at $200 per hour, to develop the rootkit to a state of readiness.

View: The full story
News source: eWeek

Report a problem with article
Previous Story

Intel To Kill Server Blade Line

Next Story

Asustek to offer BD Combo model in 3Q07

7 Comments

Commenting is disabled on this article.

Rootkit works in the next basis:

a.- the "malware" must be allowed to create the rootkit (of course)
b.- Default applications cannot see it.
c.- System must be able to see it (if the OS cannot read it then this rootkit cannot be execute).
d.- And since the system can read it, a custom application also can read it (and modify it).

a 100% undetectable can be a rootkit that don't meet c.- and d.- may be a truly "hidden ninja" rootkit but useless
Or a may be a rootkit that cannot be visible by a custom application but there always a chance to a new application will be able to detect it.

Please don't do this. Funding a Rootkit development is a bad idea. Sooner or later the code will be presented at some research conference or used by rogue employees and spread.

"...fund two people, full-time for six months at $200 per hour, to develop the rootkit to a state of readiness."

They must expect to make a fortune from this, will Sony or RIAA purchase the technology?

fund two people, full-time for six months at $200 per hour, to develop the rootkit to a state of readiness.

I want one hundred billion dollars!

Um, assuming it's an eight-hour day at $200 an hour, that's only $576,000 for two people for six months (at 30 days per month... we'll assume that they work weekends and holidays.)