Earlier this year, stealth malware researcher Joanna Rutkowska created a stir at the Black Hat Briefings when she demonstrated a way to infect Windows Vista with a rootkit and introduced Blue Pill, a new concept that uses AMD’s SVM/Pacifica virtualization technology to create ‘100 percent undetectable malware’. In this interview with eWEEK senior editor Ryan Naraine, Rutkowska talks about her interest in computer security, the reality of stealth malware threats, the risks associated with hardware virtualization and why the anti-virus industry comes up short.
Rutkowska: “Anti-Virus Software Is Ineffective”
About The Author
Follow me on Twitter @thomholwerda
2006-11-03 1:20 amDittoBox
Or as I’ve seen on some of the new slashdot articles that have been tagged “noshit.”
Tweek, you’re responding to the headline, which does not reflect the article content: while she does say that anti-virus software is ineffective, it mainly discusses attacks based on moving the running OS into a virtual machine, and installing the malware as the hypervisor, which is a really neat trick.
2006-11-02 8:29 pmsbenitezb
So the headline is wrong. Headlines are used to reflect the primary content of the article. If you use it only to attract readers, then you are being (put the word that best suits the attitude).
Edited 2006-11-02 20:30
2006-11-02 8:36 pmThom Holwerda
With interviews, the headline often reflects the most interesting bit what the person in question has said. Hence, the headline is perfectly fine.
Basic journalism, really.
Edited 2006-11-02 20:37
2006-11-02 8:38 pmandrewg
But practically impossible and definitely always discoverable according to the Xen hacker. Seems that AMD has designed its virtualisation to make discovery of this sort of thing easy.
He states, “I wouldn’t lose a bit of sleep over this particular threat. I don’t feel there is any new risk here at all.”
Also it is interesting that the technology built into AMD virtualisation technology allows for “attestation” which could make anti-virus software a thing of the past. The idea is that you can detect at any point in time whether software is running that should not be running.
He states, “Currently, anti-malware software has to look specifically for known threats. Attestation lets you do something much stronger. Attestation allows you to validate that there is no unknown threats.
Imagine anti-virus software that doesn’t need to be updated–ever. With attestation, there is no such thing as zero-day threats.”
Seems to me that the new technology AMD is bundling is making secure systems proveable rather than allowing things to run hidden without permission.
This is what I’m talking about.
This type of technique is in the wild, I’ve run in to it twice now … on Macintoshes.
Yes, you read right.
In ’97 on a 68k (Quadra), using “inits”, and last year, ’05 on Xserves and G4s, G5s, using raw disk access and OpenFirmware, and “inits” from Classic.
It gives “owned” an all together new meaning, it fights back. I’ve, at times resorted to screenshots with an external camera.
(Nothing like a _KillPicture in your picts to bounce you in to MacsBug)
It is all about (hardware) disks, disk drivers and ports, but not the way you think of them.
For the last 12 months now people have told me “that’s impossible”, and I show them the print outs, the evidence, the theory/facts (that Ms. Rutkowska just illustrated, rather expertly). The archived disks I have (SCSI, IDE etc.) have, buried in “bad boot blocks” microcode, networking commands and the such.
I’ve been through the wringer with … (name) experts, telling me how “absolutely impossible” this is to implement. Covering their asses just long enough to say “if … please call me”, “well, then you’ll be vindicated”.
I’m not a hardware programmer, but I’m in over my head and know it, but not so much as to see what is obvious.
Why is this so far off the radar?
I won’t get in to a pissing match here.
(clueless users and their cheap shots usually follow).
I mean, really, last year if some people read this interview (with a GIRL, no less) the name calling would be unbelievable.
An Open Challenge to David Maynor and Jon Ellch
Yeah, they’re faking this, they’ll pull the wool over everyones eyes and they use 1337 cracker names, so they can prof … oh, wait.
That’s their real names?
H D Moore
Ain’t hardware great?
I’m just putting this out so folks will look a bit closer and I might get some help, maybe flush out someone else.
Yeah, I NEED this kind of attention.
I got nothing to sell.
I want an expert discussion (not here), with a real expert.
Ask yourself what the ramifications are (now).
ring0 / EFI
2006-11-02 8:54 pmsmitty_one_each
You don’t speculate on evil spirits compiled into the BIOS or whatever they’re calling Palladium this week.
Picking up on the metaphor of your first link, computing is better when it resembles chess, as opposed to poker–you could be the pokee.
In a sense, AV software is making money by using people’s fear – sort of like blackmail/extortion
It is also like religions
With virtualization becoming more and more popular I’m sure the AV vendors will find ways of protecting against this type of hack too. Isn’t that why conferences like Black Hat even exists? To pick up where the AV guys have left off, for whatever reasons?
2006-11-03 6:37 amnetpython
To pick up where the AV guys have left off, for whatever reasons?
And you think they tell you everything at those meetings.
2006-11-03 11:28 pmPhloptical
….guess that argument can be made for both parties, for that matter.
I tend not to believe everything I read either….but that’s me.