Blue pill
Results 1 to 7 of 7

Thread: Blue pill

  1. #1
    Senior Member DakX's Avatar
    Join Date
    Jul 2005
    Posts
    128

    Exclamation Blue pill

    Note: this is not about the matrix or anything related to that.

    Second note: I didn't know where to place this, because its a malware this section seemed best to me.


    'Blue Pill' Prototype Creates 100% Undetectable Malware'
    I read this on eweek [1] and another (dutch) rss feed. I went in search of the website [2] . After clicking trough to the blog [3] site my fear was lessend, thank god.
    It turns out that its still in prototype status and is still not 100% undetactable.
    About the eweek article, by the creator of "the blue pill" :It suggests that I already implemented "a prototype of Blue Pill which creates 100% undetectable malware", which is not true.
    The blog further explains things about how the program works, although I have to admit that I haven't read it all. Much of the things explained there are above my limmeted knowledge of the computer.

    -DakX-

    P.s. I do not mean to scare anyone as I'm certain that someone will already have read it. I just thought I'd post about it to inform those who didn't. I hope I didn't cause a fuss or anything like that, that is not my intention.


    [1] http://www.eweek.com/article2/0,1895,1983037,00.asp
    [2] http://invisiblethings.org/
    [3] http://theinvisiblethings.blogspot.com
    [T]he future is now.

  2. #2
    Hmm this reminds me of a program that was like a Spyware/Malware build it yourself kit that was floating around recently.

    A few clicks of the mouse and you had some nice spyware/malware to spread around, it was indeed a really nice skiddy tool.

    But off course majority of the Av company's quickly added it to there definition files so it was only effective for a few days..

    and by the time i was able to translate the german instructions it was already considered outdated..

    f2B

  3. #3
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    This is rather interesting, as it seems to be using the VM concept/technology?

    I guess that it is way beyond your average skiddie; a bit like the NTFS alternate data stream concept?

    Could this be the new DRM?
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Originally posted here by nihil
    This is rather interesting, as it seems to be using the VM concept/technology?

    I guess that it is way beyond your average skiddie; a bit like the NTFS alternate data stream concept?

    Could this be the new DRM?
    We spotted this last week and after analysis have rated it NCT (No Current Threat) and added it to our threat map (because it will become a threat). Indeed it uses VM technology (AMDs SVM/Pacifica virtualization to exact) playing off the first VM tool called "Red Pill" which would tell you if you were within a VM instance. Red Pill *is* named after the Matrix films and even tells you that you're "in the Matrix" when it detects a VM instance.

    If anyone is attending black hats in Las Vegas, this will be one of the topics or so it's rumored.

    --Th13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    oldie ric-o's Avatar
    Join Date
    Nov 2002
    Posts
    487
    I'm not worried about this YET but will be once we soon deploy some of this hardware in our web hosting environments. I'll sure be watching this research closely especially what vectors are used during exploitation.

    Unfortunately I wont be at the BlackHat briefings this year...hey th13 if you go let us know about this talk.

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I will be out there during black hat but I will be doing something a little different.

    I'm sure the papers will get released as usual.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi

    Some of you may have noticed that currently, there is a constructive - er - competition
    in progress - Joanna still claims the undetectability of her HVM rootkit[1,2],
    while others argue that they can detect it[3,4].


    The reason I am writing this post is another, however. A month ago, quite
    a nice paper[5] has been published, which gives a review of the HVM situation
    and explains in some detailed level the development of such a rootkit.
    If you want to go further into coding, have a look at the bluebillproject[6],
    which offers some source code.


    Cheers



    [1] http://theinvisiblethings.blogspot.c...challenge.html
    [2] http://theinvisiblethings.blogspot.c...1_archive.html (second entry)
    [3] http://www.matasano.com/log/895/joan...t-us-prove-it/
    [4] http://rdist.root.org/2007/06/28/und...kit-challenge/
    [5] http://www.crucialsecurity.com/docum...vmrootkits.pdf
    [6] http://bluepillproject.org/
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •