Anatomy of the Blue Pill attack


Kevin Beaver, CISSP
10.02.2006


A Blue Pill has been stirring up talk lately about the hardening of Windows Vista. No, I'm not talking about Viagra. Rather, security researcher Joanna Rutkowska's Blue Pill attack, a malware exploit introduced recently that has gotten the attention of Microsoft and the security community. So, what exactly is this exploit and what can be done about it? Read on.

It used to be that researchers and attackers were looking at Windows exploits at a much higher level. Null sessions, weak share permissions, Registry hacking and password cracking were the bomb a few years back. Now, with the Blue Pill attack -- and arguably many more to come -- Microsoft is seeing that interested parties in the security community are taking things up a few notches.

The Blue Pill exploit code -- which bypasses Microsoft's digital signature protection for kernel mode drivers -- relies on a set of extensions in Advanced Micro Devices Inc.'s (AMD) new 64-bit Athlon processors called Secure Virtual Machine (SVM). With SVM, software developers are able to manipulate processor registers, interrupts, input/output and so on for virtual machine functionality at the hardware level. Ah, the sweet memories of assembly language programming are coming back! The Blue Pill attack itself manipulates kernel mode memory paging and the VMRUN and related SVM instructions that control the interaction between the host (hypervisor) and guest (virtual machine). This permits undetected, on-the-fly placement of the running operating system in its own virtual machine, giving the attacker complete control of the system, including the ability to hide other malware. That's it in a nutshell.
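As an added example (not from the original article), the following C program reports whether the processor advertises the SVM capability the attack depends on and whether a hypervisor announces itself through the CPUID hypervisor-present bit. Note the caveat: only cooperative hypervisors set that bit, and a hostile one like Blue Pill would not, so "no" here proves nothing; the program is for inventory, not for rootkit detection. The decode functions take constructed register values; the live query assumes a GCC/Clang x86 build with the <cpuid.h> header.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang header providing __get_cpuid() on x86 */
#endif

/* Bit positions from the AMD64 Architecture Programmer's Manual:
 * CPUID leaf 0x80000001, ECX bit 2  -> processor supports SVM
 * CPUID leaf 0x00000001, ECX bit 31 -> a cooperative hypervisor reports itself */
#define SVM_ECX_BIT        (1u << 2)
#define HYPERVISOR_ECX_BIT (1u << 31)

/* Decode the SVM capability bit from the ECX value of leaf 0x80000001. */
int svm_supported(uint32_t ecx_ext1) { return (ecx_ext1 & SVM_ECX_BIT) != 0; }

/* Decode the hypervisor-present bit from the ECX value of leaf 1. */
int hypervisor_reported(uint32_t ecx_leaf1) { return (ecx_leaf1 & HYPERVISOR_ECX_BIT) != 0; }

/* Query the live CPU. Returns 0 on success, -1 when CPUID is unavailable
 * (non-x86 build target, or the extended leaf is not implemented). */
int query_cpu(int *svm, int *hv) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(0x80000001u, &eax, &ebx, &ecx, &edx)) return -1;
    *svm = svm_supported(ecx);
    if (!__get_cpuid(1u, &eax, &ebx, &ecx, &edx)) return -1;
    *hv = hypervisor_reported(ecx);
    return 0;
#else
    (void)svm; (void)hv;
    return -1;
#endif
}

int main(void) {
    int svm = 0, hv = 0;
    if (query_cpu(&svm, &hv) != 0) {
        puts("CPUID not available on this build target");
        return 1;
    }
    printf("SVM capability advertised: %s\n", svm ? "yes" : "no");
    printf("Hypervisor self-reported:  %s\n", hv ? "yes" : "no (absence proves nothing)");
    return 0;
}
```

Whether firmware has actually disabled SVM is recorded in the VM_CR model-specific register, which can only be read from ring 0, so a BIOS setting cannot be confirmed from this user-mode check alone.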

All in all, the Blue Pill discovery is fascinating. Certainly a lot of smart minds are thinking of ways that hardware and software can be manipulated to keep software vendors and processor manufacturers on their toes (Intel included, since this type of attack could affect its virtualization technology, too). Obviously, Microsoft, AMD and the anti-malware vendors still have some work to do, and undoubtedly there will be more virtualization hacks.

End of our virtual worlds?

Should you avoid the 64-bit AMD processors that support SVM? Do you disable SVM in your systems' BIOS? Do you stay away from virtualization technologies altogether? Do you not deploy Vista? Do you wait until your anti-malware vendor comes up with a solution?

The simple answer to all those questions is a resounding no. First of all, the Blue Pill attack is more of a proof of concept that operating systems are never going to be completely bulletproof -- at least not as long as humans are involved. Furthermore, a lot of things have to fall into place in just the right fashion (including administrator-level access) for the Blue Pill exploit to even be possible.

I think we've got much bigger problems to be worried about than a malware weakness affecting a pre-release version of an operating system written for one specific processor architecture that requires administrator access, and won't even survive a reboot! If we can ever get past human laziness and oversight leading to default OS configurations, weak passwords, missing patches, minimal file access controls, Web applications that don't validate input and so on, then (and only then) should we worry about security flaws such as this one making a huge impact in our environments. It's a hard pill to swallow, but we've got to fix the basics first if security's ever going to be improved.

About the author: Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, spent six long years obtaining his degree in computer engineering, which included a lot of Blue Pill-like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments regarding compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.
