Tuesday, November 20, 2007

Blue Pill - Malware Virtualization

Blue Pill is a prototype malware that uses the virtualization capabilities of AMD processors (the AMD-V extensions, previously known as Pacifica) to inject a rootkit into a running Vista operating system. The rootkit installs a thin hypervisor beneath the OS, which then takes complete control of the underlying operating system.

According to its author, Joanna Rutkowska, a stealth malware researcher at the Singapore-based IT security firm COSEINC, Blue Pill uses Pacifica to trap a running instance of the operating system inside a virtual machine and then acts as its hypervisor, with complete control of the computer. Rutkowska claimed that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable". That claim has since been proven false, but Blue Pill is still a fun toy to play with, especially since the source code is available.
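As an added illustration of the detection side of this story (example code written for this page, not Blue Pill's code or Rutkowska's), here are two user-mode checks a defender can run on an x86 machine. The first reads the cooperative "hypervisor present" flag (CPUID leaf 1, ECX bit 31), which a well-behaved hypervisor sets and a rootkit hypervisor simply leaves clear. The second times CPUID itself: on Intel VT-x the instruction always exits to the hypervisor, and on AMD-V a hypervisor that wants to control which feature flags the guest sees must intercept it, so one round trip costs far more timestamp-counter ticks than on bare metal. The sample count and the 1000-tick threshold are assumptions; calibrate both on hardware you know is bare metal.

```c
/* Added example: hypervisor-presence checks on x86, not part of Blue Pill
 * or the original post. Sample count and threshold are assumed values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
/* Timestamp counter read; the lfence keeps earlier instructions from
 * drifting past the rdtsc and skewing the measurement. */
static inline uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* Execute CPUID for the given leaf and return ECX. */
static inline uint32_t cpuid_ecx(uint32_t leaf) {
    uint32_t a = leaf, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    return c;
}
#else
/* Non-x86 build: the probes are meaningless, so they report nothing. */
static inline uint64_t read_tsc(void) { return 0; }
static inline uint32_t cpuid_ecx(uint32_t leaf) { (void)leaf; return 0; }
#endif

/* Cooperative check: CPUID leaf 1, ECX bit 31 is reserved for a
 * hypervisor to announce itself. A stealth hypervisor leaves it clear. */
int hypervisor_flag_set(void) {
    return (int)((cpuid_ecx(1) >> 31) & 1u);
}

/* Cost of one CPUID round trip in TSC ticks. When a hypervisor
 * intercepts CPUID this includes a full VM exit and re-entry. */
uint64_t cpuid_round_trip(void) {
    uint64_t start = read_tsc();
    (void)cpuid_ecx(0);
    uint64_t end = read_tsc();
    return end - start;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n > 0 samples; sorts the array in place. */
uint64_t median_u64(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Median CPUID cost over `samples` runs. The median rather than the mean,
 * so that an interrupt or context switch during a few samples does not
 * swamp the result. */
uint64_t median_cpuid_cost(size_t samples) {
    uint64_t *v = malloc(samples * sizeof *v);
    if (!v || samples == 0) { free(v); return 0; }
    for (size_t i = 0; i < samples; i++) v[i] = cpuid_round_trip();
    uint64_t m = median_u64(v, samples);
    free(v);
    return m;
}

/* Verdict: 1 when the median exceeds the bare-metal threshold. */
int timing_suggests_hypervisor(uint64_t median_ticks, uint64_t threshold) {
    return median_ticks > threshold;
}

int main(void) {
    const size_t samples = 1000;        /* assumed sample count */
    const uint64_t threshold = 1000;    /* assumed; calibrate per CPU */
    uint64_t med = median_cpuid_cost(samples);
    printf("CPUID hypervisor flag: %d\n", hypervisor_flag_set());
    printf("median CPUID cost: %llu ticks -> %s\n", (unsigned long long)med,
           timing_suggests_hypervisor(med, threshold)
               ? "likely virtualized" : "bare metal, or the TSC is being offset");
    return 0;
}
```

Build with `gcc -O2 probe.c -o probe` and run it once on bare metal and once inside a VM to see the gap. The timing probe is a heuristic, not proof: both VT-x and AMD-V let the hypervisor apply a TSC offset on each exit and so subtract its own cost from the counter the guest reads, which is why the stronger form of this check compares against a clock the hypervisor does not control, such as a second machine.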