Thursday, June 11, 2009

Blue Pill PoC

These few days I have just attended a malware analysis training. This Blue Pill PoC really caught my eye, as I think virtualised malware will be the spot for the coming years.

Note:

Virtualized Malware …
-Example: Joanna Rutkowska's Blue Pill PoC
-Exploits AMD64 SVM extensions to move the operating system into the virtual machine (do it ‘on-the-fly’)
-Provides a thin hypervisor to control the OS
-Hypervisor is responsible for controlling “interesting” events inside the guest OS

Which means:
-Switches the real OS to the background and installs the virtual one on the fly – no rebooting or any other changes
-User thinks that the virtual environment is the real one
-There is no way to detect the change, because the original OS is not visible and the rootkit hides all other tracks
-Some theories about higher entropy in memory – but this is purely academic
-Very emotional discussion on “How to detect Blue Pill”
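As an added example (not from the post and not Blue Pill's own code), a defender's posture check for the AMD64 SVM extensions the notes mention: whether this CPU can run an SVM hypervisor at all, and whether firmware has disabled SVM and locked it, so that OS-level code cannot load a hypervisor on the fly. Bit positions are taken from AMD's architecture manual; reading VM_CR through Linux's /dev/cpu/0/msr is an assumption about the host.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
/* Bit positions from the AMD64 Architecture Programmer's Manual, vol. 2 (SVM chapter). */
#define CPUID_EXT_ECX_SVM      (1u << 2)    /* CPUID 8000_0001h ECX[2]: SVM implemented */
#define CPUID_1_ECX_HYPERVISOR (1u << 31)   /* CPUID 1 ECX[31]: set only by a cooperative hypervisor */
#define MSR_VM_CR              0xC0010114u  /* VM_CR MSR address */
#define VM_CR_LOCK             (1ull << 3)  /* VM_CR.LOCK: SVMDIS frozen until the next reset */
#define VM_CR_SVMDIS           (1ull << 4)  /* VM_CR.SVMDIS: EFER.SVME cannot be set, so no VMRUN */
enum svm_posture {
    SVM_UNSUPPORTED,      /* no SVM on this CPU: an SVM hypervisor cannot be loaded here */
    SVM_DISABLED_LOCKED,  /* firmware disabled SVM and locked it: OS-level code cannot re-enable it */
    SVM_DISABLED_OPEN,    /* disabled but not locked: ring-0 code can switch it back on */
    SVM_ENABLED           /* SVM usable: ring-0 code can install a hypervisor on the fly */
};
/* Pure decoder of CPUID 8000_0001h ECX and the VM_CR value; testable with constructed inputs. */
enum svm_posture classify_svm(uint32_t cpuid_ext_ecx, uint64_t vm_cr)
{
    if (!(cpuid_ext_ecx & CPUID_EXT_ECX_SVM))
        return SVM_UNSUPPORTED;
    if (vm_cr & VM_CR_SVMDIS)
        return (vm_cr & VM_CR_LOCK) ? SVM_DISABLED_LOCKED : SVM_DISABLED_OPEN;
    return SVM_ENABLED;
}
/* Reads VM_CR via Linux's msr driver (needs root and the msr module); returns 1 on success. */
int read_vm_cr(uint64_t *out)
{
    int fd = open("/dev/cpu/0/msr", O_RDONLY);
    if (fd < 0) return 0;
    int ok = pread(fd, out, sizeof *out, MSR_VM_CR) == (ssize_t)sizeof *out;
    close(fd);
    return ok;
}
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
int main(void)
{
    static const char *names[] = { "no SVM", "SVM disabled and locked", "SVM disabled, unlocked", "SVM enabled" };
    uint32_t a, b, c, d; uint64_t vm_cr = 0;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 1;
    /* A hypervisor that intercepts CPUID (as the notes describe) decides what this reports, so a
       clear bit is no evidence of a clean host; only the firmware posture below is preventive. */
    printf("hypervisor-present bit: %s\n", (c & CPUID_1_ECX_HYPERVISOR) ? "set" : "clear");
    if (!__get_cpuid(0x80000001, &a, &b, &c, &d)) return 1;
    if (!read_vm_cr(&vm_cr)) puts("VM_CR unreadable (needs root + msr module); assuming 0");
    printf("posture: %s\n", names[classify_svm(c, vm_cr)]);
    return 0;
}
#else
int main(void) { puts("not an x86 host"); return 0; }
#endif
```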

