-
July 3rd, 2006, 09:47 PM
#1
Blue pill
Note: this is not about the matrix or anything related to that.
Second note: I didn't know where to place this; because it's a malware, this section seemed best to me.
'Blue Pill' Prototype Creates 100% Undetectable Malware
I read this on eweek [1] and another (Dutch) RSS feed. I went in search of the website [2]. After clicking through to the blog [3] site my fear was lessened, thank god.
It turns out that it's still in prototype status and is still not 100% undetectable.
About the eweek article, by the creator of "the blue pill": "It suggests that I already implemented 'a prototype of Blue Pill which creates 100% undetectable malware', which is not true."
The blog further explains things about how the program works, although I have to admit that I haven't read it all. Much of the things explained there are above my limited knowledge of the computer.
-DakX-
P.s. I do not mean to scare anyone as I'm certain that someone will already have read it. I just thought I'd post about it to inform those who didn't. I hope I didn't cause a fuss or anything like that, that is not my intention.
[1] http://www.eweek.com/article2/0,1895,1983037,00.asp
[2] http://invisiblethings.org/
[3] http://theinvisiblethings.blogspot.com
-
July 4th, 2006, 07:19 AM
#2
Hmm, this reminds me of a program that was like a spyware/malware build-it-yourself kit that was floating around recently.
A few clicks of the mouse and you had some nice spyware/malware to spread around; it was indeed a really nice skiddy tool.
But of course the majority of the AV companies quickly added it to their definition files, so it was only effective for a few days...
and by the time I was able to translate the German instructions it was already considered outdated...
f2B
-
July 4th, 2006, 09:32 AM
#3
This is rather interesting, as it seems to be using the VM concept/technology?
I guess that it is way beyond your average skiddie; a bit like the NTFS alternate data stream concept?
Could this be the new DRM?
-
July 4th, 2006, 11:28 AM
#4
Originally posted here by nihil
This is rather interesting, as it seems to be using the VM concept/technology?
I guess that it is way beyond your average skiddie; a bit like the NTFS alternate data stream concept?
Could this be the new DRM?
We spotted this last week and after analysis have rated it NCT (No Current Threat) and added it to our threat map (because it will become a threat). Indeed it uses VM technology (AMD's SVM/Pacifica virtualization, to be exact), playing off the first VM tool called "Red Pill", which would tell you if you were within a VM instance. Red Pill *is* named after the Matrix films and even tells you that you're "in the Matrix" when it detects a VM instance.
If anyone is attending Black Hat in Las Vegas, this will be one of the topics, or so it's rumored.
--Th13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
July 4th, 2006, 10:08 PM
#5
I'm not worried about this YET, but will be once we soon deploy some of this hardware in our web hosting environments. I'll sure be watching this research closely, especially what vectors are used during exploitation.
Unfortunately I won't be at the BlackHat briefings this year... hey Th13, if you go, let us know about this talk.
-
July 5th, 2006, 11:28 AM
#6
I will be out there during Black Hat, but I will be doing something a little different.
I'm sure the papers will get released as usual.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
September 6th, 2007, 05:24 PM
#7
Hi
Some of you may have noticed that currently there is a constructive - er - competition
in progress: Joanna still claims the undetectability of her HVM rootkit [1,2],
while others argue that they can detect it [3,4].
The reason I am writing this post is another, however. A month ago, quite
a nice paper [5] was published, which gives a review of the HVM situation
and explains in some detail the development of such a rootkit.
If you want to go further into coding, have a look at the bluepillproject [6],
which offers some source code.
Cheers
[1] http://theinvisiblethings.blogspot.c...challenge.html
[2] http://theinvisiblethings.blogspot.c...1_archive.html (second entry)
[3] http://www.matasano.com/log/895/joan...t-us-prove-it/
[4] http://rdist.root.org/2007/06/28/und...kit-challenge/
[5] http://www.crucialsecurity.com/docum...vmrootkits.pdf
[6] http://bluepillproject.org/
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)