Black Hat Attendee Hacks Vista With Rootkit Technology
Polish researcher Joanna Rutkowska of Singapore-based Coseinc last week showed attendees of the Black Hat conference in Las Vegas how to use her "Blue Pill" technique to hack into the Windows Vista operating system. She used an early beta version of the OS in her demo.
While some applauded Microsoft for displaying its new Vista operating system among some of the world's top software security researchers at the Black Hat hacker conference in Las Vegas last week, others set out to give the software giant a black eye.
Polish researcher Joanna Rutkowska of Singapore-based Coseinc showed an overflowing room of onlookers at the conference how to hack Vista. Rutkowska figured out a way to bypass security measures in the beta version of the operating system that could prevent unsigned code from running.
Rutkowska told attendees in a large ballroom at Ceasars Palace how to use virtualization technology to develop malicious code that is undetectable, much like a rootkit. She even has a name for the malware: Blue Pill.
Singing the Blues
Microsoft had accounted for blockage of unsigned driver software to run on the 64-bit version of Vista, but Blue Pill bypasses the shield and makes light of what Microsoft has widely marketed as its most secure Windows version ever.
"The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It's just not as secure as advertised," Rutkowska said. "It's very difficult to implement a 100 percent-efficient kernel protection."
Microsoft was not immediately available for comment, but has indicated publicly that it is investigating solutions that would thwart the Blue Pill attack. Those solutions would be incorporated into the final release of Vista due out early next year.
It should be noted that Rutkowska used an early test version of Vista in her demonstration and that Vista needs to be running in administrator mode to launch the attack. Microsoft's User Account Control, a Vista feature designed to run a PC with few user privileges, would prevent Rutkowska's attack.
However, Rutkowska explained, there are so many security pop-ups in Windows that many users could merely hit the "accept" button without realizing that they are bypassing the User Account Control designed to foil attacks from malicious code writers.
Once she got past the User Account Control, Rutkowska demonstrated a way to create the stealthy Blue Pill malware. Her technique relies on Pacifica, a Secure Virtual Machine from AMD, to remain undetectable.
Rise of Rootkits
Security analysts are not surprised that researchers found a way to hack Vista. Stealthy rootkits like Blue Pill are gaining the attention of security professionals because they can go undetected on a computer system while they do their dirty work, according to iDefense Senior Engineer Ken Dunham.
While several security companies have reported a drop in malicious code this year, iDefense points to an increase in rootkits late last year that could be skewing the numbers. The point is, Dunham told TechNewsWorld, some of the malicious code is remaining undetected because of rootkit technology.
"We believe rootkits are going to be a major issue going forward because the motives have changed from notoriety to criminal gain," Dunham predicted. "When the motive is for criminal gain it's about being stealthy for survival because the longer you can obtain control over a computer, the more chance you have to exploit it for maximum profit."