
Undetectable malware?

  • 29-06-2006 3:36pm
    #1
    Closed Accounts Posts: 884 ✭✭✭


    http://www.eweek.com/article2/0,1895,1983037,00.asp

    Wonderful. VM malware, one more step towards an independent malware operating system.

    It is sort of detectable; I just can't figure out how to do it without killing driver support.


Comments

  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    I think this is nothing more than a PR stunt by the company COSEINC.
    Why?

    First, the idea of a Virtual Machine/Operating System Emulation used in malware is nothing new, as it says so on that page, and was announced some time ago by the University of Michigan.

    The idea of a virtual machine rootkit isn't entirely new. Researchers at Microsoft Research and the University of Michigan have created a VM-based rootkit called "SubVirt" that is nearly impossible to detect because its state cannot be accessed by security software running in the target system.

    "The idea behind Blue Pill is simple: your operating system swallows the Blue Pill and it awakes inside the Matrix controlled by the ultra thin Blue Pill hypervisor. This all happens on-the-fly (i.e. without restarting the system) and there is no performance penalty and all the devices," she explained.

    Simple, what?
    What is she on about? "awakes inside the Matrix".. ok.
    Blue Pill is being developed exclusively for COSEINC Research and will not be available for download. However, Rutkowska said the company is planning to organize trainings about Blue Pill and other technologies where the source code would be made available.

    Note the use of the word "exclusively".
    So, no public scrutiny of code, no testing.. nada, just take COSEINC's word that this software is "100% undetectable" and 100% written by Joanna.

    The only people to have access will apparently be at organized training courses.. meaning $$$ *kerching* for COSEINC Research.

    I don't doubt that Joanna wrote some code, but most of it probably came from other source code already available on the internet and wouldn't necessarily be in any way exclusive.

    Joanna has a bad habit of hacking up other people's code and putting her own stamp on it. Not that there is anything wrong with that these days; it's just that I believe credit should be given to the original authors where it's due.

    And she has given credit in the past, but this time her company may be having the final say, hence the secrecy of the code.

    Unless COSEINC actually release some code to show how their "Blue Pill" works, I wouldn't bother paying attention to this at all.

    For all we know, it's probably the same code the researchers at Microsoft and the University of Michigan wrote, only modified.


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    I don't see VMs as the future of malware, as it's a dead giveaway you're running on a VM when you look at things like display drivers being named "VMware" and suchlike.

    I see malware as having its own micro kernel, for want of a better description, and using its own routines to raw-read the disk for file and registry access. The fewer hooks on Windows APIs, the harder it is to track down.

    Certain elements of VM technology, like the virtualization functionality, may be of use, but my assembler is getting rusty and I haven't even referenced Intel's virtualization stuff.

    As for VM malware being nothing new, that's true, as I remember seeing an i386 demo of dropping a 386 CPU or better into debug mode and using that to hook memory reads, so the basics have been part of the hardware for as long as I can remember (yes, this is undocumented Intel stuff, and if you can find it, Infected Voice eZine). Though it was never in any way practical and broke other software (Windows 95 did run, and Win3.11 didn't care either).

    Completely agree with the PR stunt statement, and yes, someone's lab looks like it has the Matrix box set. But this kind of stuff is how you get PhDs paid for.


    The code is no doubt pieced together from scraps of internet code; hell, I live on Google myself looking at scraps of code and samples of bits and bobs....... Who doesn't, from what I can see. There is a difference between referencing and copying though.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    This is the "Blue Pill".
    Note, Xen has been available for some time now and uses technology like AMD's IOMMU.

    http://www.amd.com/us-en/assets/content_type/white_papers_and_tech_docs/34434.pdf
    With Xen virtualization, a thin software layer known as the Xen hypervisor is inserted between the server’s hardware and the operating system. This provides an abstraction layer that allows each physical server to run one or more “virtual servers,” effectively decoupling the operating system and its applications from the underlying physical server.
    The Xen hypervisor is a unique open source technology, developed collaboratively by the world’s best engineers at over 20 of the most innovative data center solution vendors, including Intel, AMD, Cisco, Dell, Egenera, HP, IBM, Mellanox, Network Appliance, Novell, Red Hat, SGI, Sun, Unisys, Veritas, Voltaire, and of course, XenSource. Xen is licensed under the GNU General Public License (GPL2).

    And best of all, as an open source technology, Xen is available free for download. XenSource also provides simple tools for the community to download, install, test and develop using Xen.

    You can download it here:

    http://www.xensource.com/products/downloads/index.html

