'Blue Pill' Prototype Creates 100% Undetectable Malware (link dead, sorry)
There's a scary headline for you.
Well, first off, this particular pill is only digestible by AMD machines: the prototype targets AMD's SVM ("Pacifica") virtualization extensions. The author says the exploit isn't due to a bug or flaw; it just takes advantage of how AMD virtualization works. Basically it creates a hypervisor "on the fly" (no reboot needed) and slides the running OS underneath it. Your OS (and, yup, Vista is vulnerable; the demo ran on 64-bit Vista) never knows what hit it: one minute it's running on real hardware and the next it's deep in a virtual machine. Sleep quietly, little OS, Daddy is here.
Quick overview: an OS running under a hypervisor should, in general, be unaware that it is being controlled by something else. The hypervisor sits below the OS with more privilege than the OS has, so it could even tamper with the firmware (the BIOS, or EFI if that is employed), and if it managed to write itself in there, even powering off and booting from a CD might not wrest control from the Puppet Master hypervisor. This is scary stuff.
However, "generally" doesn't mean "absolutely". For one thing, the existence of the controlling layer means that it is stealing CPU cycles: every time the hypervisor intercepts something the OS does (a CPUID instruction, say), the trip out to the hypervisor and back costs time. It may be able to hide that from a process running inside the controlled OS, because it also controls every clock that OS can see (the CPU's cycle counter included), but the loss of time can't be hidden from an outside observer - the hypervisor can't affect your wrist-watch. So while detecting this kind of infection might be more than annoyingly difficult, and eradicating it might move into hellish territory, this isn't HAL and we aren't Dave. Not quite yet, anyway.
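The timing argument above, as an added example in C that is not part of the original post or of the Blue Pill code: it times the CPUID instruction with the CPU's cycle counter (the local test a hiding hypervisor can defeat by rewinding that counter) and then cross-checks the counter's rate against a second clock, which is where the "wrist-watch" comes in. The 1000-cycle cut-off and the use of CLOCK_MONOTONIC as the second clock are assumptions for illustration; inside a guest, CLOCK_MONOTONIC is usually derived from the same cycle counter, so a real investigation would use an external reference (another machine, a network round trip). On a non-x86 host the probes compile to no-ops so the file still builds.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define BP_X86 1
#else
#define BP_X86 0   /* other architectures: probes become no-ops so this still builds */
#endif

/* One CPUID execution. A hypervisor that wants to hide must intercept CPUID
   (to lie about the SVM/VMX feature bits), so each one costs a round trip. */
static inline void probe(void) {
#if BP_X86
    unsigned int a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)a; (void)b; (void)c; (void)d;
#endif
}

/* The cycle counter: a clock the hypervisor controls (SVM lets it add an
   arbitrary offset to what the guest reads). */
static inline uint64_t tsc(void) {
#if BP_X86
    return __rdtsc();
#else
    return 0;
#endif
}

/* Stand-in for the "wrist-watch" (assumption: a real check needs an external clock). */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; robust against the odd interrupt landing in a trial. */
uint64_t median(const uint64_t *v, size_t n) {
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Local test: median cycle cost of one CPUID. Bare metal: on the order of a
   hundred cycles. With a VM exit on the path: thousands. */
uint64_t cpuid_cost_cycles(size_t n) {
    uint64_t s[256];
    if (n > 256) n = 256;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = tsc();
        probe();
        s[i] = tsc() - t0;
    }
    return median(s, n);
}

/* The cut-off is an assumed figure for illustration, not a published constant. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold) {
    return median_cycles > threshold;
}

/* Cross-check: cycle-counter ticks per nanosecond of the second clock during a
   burst of CPUIDs, divided by the same rate during a plain loop. If the counter
   is rewound after every intercept it "loses time" and the ratio drops well
   below 1.0. Returns 1.0 when there is no usable measurement (e.g. non-x86). */
double tsc_rate_ratio(size_t iters) {
    uint64_t t0 = tsc(), n0 = now_ns();
    for (size_t i = 0; i < iters; i++) probe();
    uint64_t t1 = tsc(), n1 = now_ns();
    volatile uint64_t sink = 0;
    uint64_t t2 = tsc(), n2 = now_ns();
    for (size_t i = 0; i < iters * 100; i++) sink += i;
    uint64_t t3 = tsc(), n3 = now_ns();
    if (n1 == n0 || n3 == n2 || t3 == t2) return 1.0;
    double with_cpuid = (double)(t1 - t0) / (double)(n1 - n0);
    double plain      = (double)(t3 - t2) / (double)(n3 - n2);
    return with_cpuid / plain;
}

int main(void) {
    uint64_t cost = cpuid_cost_cycles(200);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)cost,
           looks_virtualized(cost, 1000) ? "likely under a hypervisor" : "looks like bare metal");
    printf("cycle-counter rate, CPUID burst / plain loop: %.3f\n", tsc_rate_ratio(2000));
    return 0;
}
```

Run it once on a machine you trust and once inside a VM to see the first number jump by an order of magnitude; the second number is only meaningful when the reference clock is one the hypervisor cannot reach.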
Secondly, most hypervisors aren't built to nest: if a hypervisor is already running, it's probably not going to go to the trouble of letting another hypervisor run inside it. Any attempt by the guest to use the virtualization instructions simply traps to the hypervisor already in charge, which can refuse. The "blue pill" type exploit might make that effort (to remain invisible), but an "honest" VMM (virtual machine monitor, i.e. hypervisor) is not likely to. If this type of subversion becomes a real threat, I'm quite sure that hypervisors will be explicitly designed to thwart any attempt to be replaced (which might make upgrades quite the tricky proposition, of course). That's the thought behind my title: the best protection against this sort of takeover may be to have a "good" hypervisor already running.
Is this our brave new world? Will the BIOS of the future have to be a hypervisor to protect the machine from other hypervisors? I think that's probably where we are headed; it makes sense for other reasons too: simplification of OSes, easier protection from viruses, and now this. Did I say "headed"? Heck, looks like Intel is halfway there already.
What does this mean for companies like VMware? Is it good news because their technology is most likely to be burned into the raw hardware, or bad news because maybe it kills them outright? Where is this all going? What do you think?
More at Introducing Blue Pill (Joanna Rutkowska's own announcement of the prototype).
A discussion of Can Operating Systems tell if they're running in a Virtual Machine? is also interesting.
More Articles by Anthony Lawrence © 2012-07-13 Anthony Lawrence