100% undetectable malware developed.


Postby DJGM » Tue 04 Jul, 2006 7:38 pm

Here's something that could have extremely devastating consequences for the I.T. industry as a whole.

'Blue Pill' Prototype Creates 100% Undetectable Malware
By Ryan Naraine
June 28, 2006

A security researcher with expertise in rootkits has built a working prototype of new technology
that is capable of creating malware that remains "100 percent undetectable," even
on Windows Vista x64 systems.

Joanna Rutkowska, a stealth malware researcher at Singapore-based IT security firm COSEINC,
says the new Blue Pill concept uses AMD's SVM/Pacifica virtualization technology to create
an ultra-thin hypervisor that takes complete control of the underlying operating system.


For most of the article, you'd think this would only affect systems compatible with 64-bit versions of Windows, but . . .

Rutkowska stressed that the Blue Pill technology does not rely on any bug of the underlying
operating system. "I have implemented a working prototype for Vista x64, but I see no
reasons why it should not be possible to port it to other operating systems,
like Linux or BSD which can be run on x64 platform," she added.


100% undetectable cross-platform malware, albeit only for 64-bit OSes, which is bad enough. But, if it's leaked, and
hackers port it to 32-bit OSes, the entire I.T. industry would be literally devastated in a very short space of time!

Later in the same article . . .

Blue Pill is being developed exclusively for COSEINC Research and will not be available
for download. However, Rutkowska said the company is planning to organize trainings
about Blue Pill and other technologies where the source code would be made available.


So it won't be officially available in binary form, but the source code will be available at training sessions and
seminars. IMHO, allowing anyone access to such dangerous code is unimaginable stupidity, as it'd only
take one careless or malicious delegate to cause all hell to break loose for the entire I.T. industry.

Even if the code stays at COSEINC, one careless or malicious employee could cause the same devastation.

If COSEINC has any sense whatsoever, they should destroy every copy they have of this code, RIGHT NOW.

Read the full article here . . .
Last edited by DJGM on Tue 04 Jul, 2006 11:17 pm, edited 1 time in total.
SeaMonkey = Swiss Army Knife: It's versatile, reliable, and contains useful tools.
Windows Internet Explorer = Old Swiss Cheese: Full of holes, and it stinks!
DJGM
diamond member
Posts: 4572
Joined: Wed 19 Jun, 2002 1:03 pm
Location: Manchester, England, UK

Postby Don_HH2K » Tue 04 Jul, 2006 7:50 pm

Just the fact that they leaked how this thing works is bad in itself.

Seeing that they're using a hypervisor to do this, some hacker could reverse-engineer this thing to work with a load of common packet drivers and assemble it for a 32-bit processor rather than a 64-bit processor, perhaps even to run without Pacifica or VT. That way, it'd run completely independently, on PCs all the way back to 386-based machines, and could be loaded through a simple program saved to your drive's bootsector. Have it interface with your BIOS's keystroke buffer, and you'd have a completely undetectable keylogger that could spit packets out to who-knows-where.

Leaking the source code to this would obviously be even worse, since it'd give hackers a head-start on how to code the thing.
Laptop: HP Compaq nx6325 - Turion 64 X2 @ 2GHz, 2GB DDR2, 100GB HD, ATI Radeon X300, 15" LCD, Seven Pro
Handheld: Palm Treo 650 - Intel PXA270 @ 312MHz, 10MB RAM, 32MB flash, 2.7" LCD, Palm OS 5.4
Don_HH2K
Moderator
Posts: 5112
Joined: Sun 09 May, 2004 3:59 pm
