This story highlights one of the problems in Internet security.
Joanna Rutkowska has been talking about "hypervisor rootkits", a way of hiding malware beneath the running operating system in a thin hypervisor so that it cannot be found from inside the compromised machine. It's pretty cool stuff, regardless of how you look at it. However, she describes it as being "100% undetectable", which of course challenges other researchers to prove that it is indeed detectable. They have challenged her to infect one of their systems, chosen at random, and bet that they can detect it.
However, Joanna has already admitted that her Blue Pill can be detected in a laboratory setting. What she is claiming is that vendors won't be able to ship a product that detects it in practice.
What this is highlighting is how much of what happens in our industry is done in "bad faith". One of those challenging Joanna is Nate Lawson. If you'll remember, earlier this year Lawson attacked Barnaby Jack, claiming that he unjustly hyped a presentation for CanSecWest. As it turns out, Barnaby's presentation was about something new and interesting, and the press article talking about it was 100% non-hype. Barnaby delivered, as promised, a "new class of attacks target[ing] embedded devices". Lawson was wrong.
In much the same fashion, Lawson is ignoring Joanna's comments that her stuff can be detected in a laboratory, and has challenged her to a laboratory test. They created rules that do not address what Joanna has actually claimed. They bet her that if she installs a hypervisor rootkit on one of their machines, they can detect it in the laboratory.
What would a good-faith bet be? They should publish a hypervisor detection tool on their website, then challenge Joanna to create a hypervisor that evades it. They should challenge the rest of us to install it on our machines to prove that it is robust and doesn't cause problems (like slowing our machines down or raising false alarms on clean systems). Better yet, they should provide source for their tool under a BSD license so that anti-virus vendors can include it with their offerings.
All of this is largely theoretical. I don't see botnets using Blue Pill technology yet (although that's because it's so easy to evade detection today that they don't need more advanced techniques). I likewise don't see vendors providing defense against it. The entire debate is like betting whether Batman could beat Spiderman in a fight. The only relevance this debate has is to the spooks at the NSA worried about Chinese hackers installing rootkits in the DoD. And for the NSA, Joanna has an easy answer: don't worry about detection, just worry about defense. Boot a trusted hypervisor of your own on every machine so that it owns the virtualization hardware and no other hypervisor can be loaded underneath it.