Joanna Rutkowska of "Invisible Things" Blue Pill Hypervisor rootkit fame has a problem. It's about 6 foot+ something, dresses in all black and knows how to throw down both in prose and in practice.
Joanna and crew maintain that they have the roughed-out prototype that supports their assertion that their HyperJacking malware is undetectable. Ptacek and his merry band of Exploit-illuminati find this a hard pill to swallow and reckon they have a detector that can detect the "undetectable."
They intend to prove it. This is awesome! It's like the Jackson/Lidell UFC fight. You don't really know who to "root" for, you just want to be witness to the ensuing carnage!
We've got a stare down. Ptacek and crew have issued a challenge that they expect -- with or without Joanna's participation -- to demonstrate successfully at BlackHat Vegas:
Joanna, we respectfully request terms under which you’d agree to an “undetectable rootkit detection challenge”. We’ll concede almost anything reasonable; we want the same access to the (possibly-)infected machine as any antivirus software would get.
The backstory:
Dino Dai Zovi, under Matasano colors, presented a hypervisor rootkit (“Vitriol”) for Intel’s VT-X extensions at Black Hat last year, at the same time as Joanna presented BluePill for AMD’s SVM.
We concede: Joanna’s rootkit is cooler than ours. I particularly liked using the debug registers to grab network traffic out of the drivers. We stopped weaponizing Vitriol.
Peter Ferrie, the Symantec branch of our Black Hat team, releases a kick-ass paper on hypervisor detection. Peter’s focus is on fingerprinting software hypervisors (like VMWare), but he also comes up with a clever way to detect hardware virtualization.
Nate Lawson, Dino, and I are, simultaneously, working on hardware rootkit detection techniques.
Nate, Peter, Dino, and I join up to defend our thesis at Black Hat: if you surreptitiously “hyperjack” an OS, enabling hardware virtualization (or replacing or infecting an existing hypervisor), you introduce so many subtle changes in system behavior -- timing and otherwise -- that you’re bound to be detectable.
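To make the timing half of that thesis concrete, here is an added example (mine, not code from the original post, from Matasano's detector, or from Blue Pill): a probe that brackets CPUID with RDTSC. CPUID exits to the hypervisor unconditionally on VT-x and is normally intercepted on SVM, so with a hypervisor underneath, the round trip costs far more cycles than on bare metal. The sample count and the 1000-cycle threshold are assumptions chosen for illustration; a real detector would calibrate them per machine. Note also that a hypervisor can adjust the TSC the guest sees (VT-x offers TSC offsetting), which can blunt this particular measurement; that is exactly the kind of cat-and-mouse the two sides are arguing about.

```c
/* Added example, not code from the original post, from the Matasano
 * detector or from Blue Pill. It implements the timing idea in the
 * thesis above: CPUID traps to a hypervisor when hardware
 * virtualization is in use, so the RDTSC-measured round trip of CPUID
 * is much longer under a hypervisor than on bare metal.
 * SAMPLE_COUNT and CYCLE_THRESHOLD are illustrative assumptions, not
 * calibrated values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define SAMPLE_COUNT    256   /* assumption: enough for a stable median */
#define CYCLE_THRESHOLD 1000  /* assumption: bare-metal CPUID is a few
                                 hundred cycles, a VM exit far more */

/* One measurement: RDTSC, CPUID leaf 0, RDTSC. Returns elapsed cycles,
 * or 0 on non-x86 hosts where there is nothing to probe. */
static uint64_t cpuid_round_trip(void)
{
#if HAVE_X86
    unsigned int a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);   /* the instruction a hypervisor must trap */
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of v[0..n), sorting v in place. The median rather than the
 * mean keeps interrupts and scheduler noise from dominating. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    if (n == 0)
        return 0;
    qsort(v, n, sizeof v[0], cmp_u64);
    return (n % 2) ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2;
}

/* Collects SAMPLE_COUNT round trips and returns their median. The
 * first sample is thrown away as a cache warm-up. */
uint64_t measure_median_cycles(void)
{
    uint64_t samples[SAMPLE_COUNT];
    (void)cpuid_round_trip();
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        samples[i] = cpuid_round_trip();
    return median_u64(samples, SAMPLE_COUNT);
}

/* Decision rule: 1 when the median exceeds the threshold (hypervisor
 * suspected), 0 otherwise. Kept separate so the rule can be checked
 * independently of the hardware it runs on. */
int hypervisor_suspected(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

int main(void)
{
    uint64_t med = measure_median_cycles();
    int verdict = hypervisor_suspected(med, CYCLE_THRESHOLD);
    printf("median CPUID round trip: %llu cycles -> verdict %d\n",
           (unsigned long long)med, verdict);
    return verdict;   /* the challenge's 0/1 answer as the exit status */
}
```

Build with `cc -O2 probe.c -o probe`; the exit status is the 0/1 verdict the challenge asks for, and running it once on bare metal and once inside a VM you control is the quickest way to see how far apart the two medians sit before trusting any fixed threshold.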
...and Joanna respondeth, signaling her "readiness" and conditions for the acceptance of said challenge:
Thomas Ptacek and company just came up with this funny challenge to test our Blue Pill rootkit. And, needless to say, the Invisible Things Lab team is ready to take their challenge, however, with some additional requirements that would assure the fairness of the contest.
First, we believe that 2 machines are definitely not enough, because the chance of a correct guess, using a completely random (read: unreliable) detection method, is 50%. Thus we think that the reasonable number is 5 machines. Each of them could be in a state 0 or 1 (i.e. infected or not). On each of these machines we install two files: bluepill.exe and bluepill.sys
The .sys file is digitally signed, so it loads without any problem (we could use one of our methods for loading unsigned code on Vista that we're planning to demonstrate at BH, but this is not part of the challenge, so we will use the official way).
The bluepill.exe takes one argument which is 0 or 1. If it's 1 it loads the driver and infects the machine. If it's 0 it also loads the driver, but the driver does not infect the machine.
So, on each of the 5 machines we run bluepill.exe with a randomly chosen argument, being 0 or 1. We make sure that at least one machine is not infected and that at least one machine is infected.
After that the detection team runs their detector.exe executable on each machine. This program cannot take any arguments and must return only one value: 0 or 1. It must act autonomously -- no human assistance when interpreting the results.
The goal of the detection team is to correctly mark each machine as either being infected (1) or not (0). The chance of a blind guess is:
1/(2^5-2) = 3%
The detector cannot cause a system crash or halt the machine -- if it does, they lose. The detector cannot consume a significant amount of CPU time (say > 90%) for more than, say, 1 sec. If it does, then it's considered disturbing for the user and thus impractical.
The source code of our rootkit as well as the detector should be provided to the judges at the beginning of the contest. The judges will compile the rootkit and the detector and will copy the resulting binaries to all test machines.
After the completion of the contest, regardless of who wins, the sources for both the rootkit and the detector will be published on the Internet -- for educational purposes, to allow others to research this subject.
Our current Blue Pill has been in development for only about 2 months (please note that we do not have rights to use the previous version developed for COSEINC) and it is more of a prototype, with primary use for our training in Vegas, rather than a "commercial grade rootkit". Obviously we will be discussing all the limitations of this prototype during our training. We believe that we would need about 6 months of full-time work by 2 people to turn it into such a commercial grade creature that would win the contest described above. We're ready to do this, but we expect that somebody compensates us for the time spent on this work. We would expect an industry standard fee for this work, which we estimate to be $200 USD per hour per person.
If Thomas Ptacek and his colleagues are so certain that they found a panacea for virtualization based malware, then I'm sure that they will be able to find sponsors willing to financially support this challenge.
As a side note, the description for our new talk for Black Hat Vegas has just been published yesterday.
So, if you get past the polynomial math, the boolean logic expressions, and the fact that she considers this challenge "funny," reading between the HyperLines, you'll extract the following:
- The Invisible Things team has asserted for some time that their rootkit is 100% undetectable
- They've worked for quite some time on their prototype, however it's not "commercial grade"
- In order to ensure success in winning the competition and thus proving the assertion, they need to invest time in polishing the rootkit
- They need 5 machines so that a lucky blind guess is statistically unlikely (1 in 30)
- The Detector can't impact performance of the test subjects
- All works will be Open Sourced at the conclusion of the challenge (Perhaps Alan Shimel can help here! ;) )
and, oh, yeah...
- They have no problem doing this, but someone needs to come up with $416,000 (2 people x 6 months x $200 per hour) to subsidize the effort to prove what has already been promoted as fact
That last requirement is, um, unique.
Nate Lawson, one of the challengers, is less than impressed with this codicil and respectfully summarizes:
The final requirement is not surprising. She claims she has put four person-months of work into the current Blue Pill and it would require twelve more person-months for her to be confident she could win the challenge. Additionally, she has all the experience of developing Blue Pill for the entire previous year.
We’ve put about one person-month into our detector software and have not been paid a cent to work on it. However, we’re confident even this minimal detector can succeed, hence the challenge. Our Blackhat talk will describe the fundamental principles that give the detector the advantage.
If Joanna’s time estimate is correct, it’s about 16 times harder to build a hypervisor rootkit than to detect it. I’d say that supports our findings.
I'm not really too clear on Nate's last sentence as I didn't major in logic in high school, but to be fair, this doesn't actually discredit Joanna's assertion; she didn't say it wasn't difficult to detect HV rootkits, she said it was impossible. How much effort each side needs is a separate question from whether detection is possible at all.
This is going to be fun. Can't wait to see it @ BlackHat.
See you there!
/Hoff