Blue Pill (malware)

From Wikipedia, the free encyclopedia

Blue Pill is the codename for a somewhat controversial rootkit based on virtualization technology that targets Microsoft's Windows Vista operating system. Blue Pill uses AMD Pacifica virtualization technology, but reportedly could be ported to use Intel Vanderpool. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006.

According to the author, by using Pacifica, Blue Pill would be able to trap a running instance of the operating system inside a virtual machine and would then act as its hypervisor, with complete control of the computer. Joanna Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system would be "100% undetectable".[1] (The latest version of the freeware utility Hypersight Rootkit Detector can detect and block Blue Pill and other virtualization-level rootkits.)

This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability.[2] Some other security researchers and journalists also dismissed the concept as inaccurate.[3][4] In 2007, a group of researchers led by Thomas Ptacek of Matasano Security challenged Rutkowska to put Blue Pill up against their rootkit detector software at that year's Black Hat conference,[5] but the deal was deemed a no-go following Rutkowska's request for $384,000 in funding as a prerequisite for entering the competition.[6] Rutkowska and Alexander Tereshkin countered detractors' claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate.[7][8]

The source code for Blue Pill has since been made public.[9]

The name Blue Pill is a reference to the blue pill from the Matrix film trilogy.

See also: Red Pill, a technique to detect the presence of a virtual machine, also developed by Joanna Rutkowska.[1]
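The Red Pill technique mentioned above inspects the IDT base address that the SIDT instruction reports, on the reasoning that the software virtual machine monitors of the time relocated a guest's interrupt descriptor table to a high address. The following C program is an added illustration written for this article; it is not Wikipedia's, Rutkowska's, or the Blue Pill project's code. It separates the decision rules into pure functions (the Red Pill high-byte comparison against 0xd0, and the CPUID leaf 1 ECX bit 31 "hypervisor present" flag) from the live probes, so the rules can be tested without a VM. The function and macro names are this example's own. Both probes ask the CPU for information that a hypervisor with Pacifica or Vanderpool control can intercept or leave untouched, which is the substance of the undetectability dispute the article describes: a hardware-assisted hypervisor need not relocate the guest IDT at all, and it can answer CPUID however it likes.

```c
/* Added example (not from the article or the Blue Pill/Red Pill sources):
 * two classic "am I running under a hypervisor?" probes, with the decision
 * logic in pure functions so it can be unit tested on any architecture. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Red Pill rule (as published for 32-bit Windows): look at the high byte of
 * the IDT base returned by SIDT; software VMMs of that era placed the guest
 * IDT above 0xd0000000, while a native kernel kept it lower. */
#define REDPILL_HIGH_BYTE 0xd0u

/* Returns 1 if the low 32 bits of the IDT base look "relocated" per Red Pill. */
int redpill_classify(uint32_t idt_base_low32) {
    uint32_t high_byte = (idt_base_low32 >> 24) & 0xffu;
    return high_byte > REDPILL_HIGH_BYTE;
}

/* CPUID rule: leaf 1, ECX bit 31 is the architecturally reserved
 * "hypervisor present" flag that cooperative hypervisors set. */
int cpuid_hypervisor_bit(uint32_t leaf1_ecx) {
    return (int)((leaf1_ecx >> 31) & 1u);
}

/* Layout SIDT writes: 16-bit limit followed by the base (32 or 64 bits). */
struct __attribute__((packed)) idtr_t {
    uint16_t limit;
    uint64_t base;   /* upper half stays zero on a 32-bit build */
};

/* Live probe: reads IDTR with SIDT. Returns 0 when not built for x86. */
int read_idt_base(uint64_t *base) {
#if HAVE_X86
    struct idtr_t r = {0, 0};
    __asm__ volatile ("sidt %0" : "=m"(r));
    *base = r.base;
    return 1;
#else
    (void)base;
    return 0;
#endif
}

/* Live probe: reads CPUID leaf 1 ECX. Returns 0 when unavailable. */
int read_cpuid_leaf1_ecx(uint32_t *ecx) {
#if HAVE_X86
    unsigned int a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d))
        return 0;
    *ecx = c;
    return 1;
#else
    (void)ecx;
    return 0;
#endif
}

int main(void) {
    uint64_t idt_base = 0;
    uint32_t ecx = 0;

    if (read_idt_base(&idt_base))
        printf("IDT base 0x%llx -> Red Pill says %s\n",
               (unsigned long long)idt_base,
               redpill_classify((uint32_t)idt_base) ? "VM" : "native");
    else
        puts("SIDT probe not available on this build");

    if (read_cpuid_leaf1_ecx(&ecx))
        printf("CPUID.1:ECX=0x%08x -> hypervisor bit %d\n",
               ecx, cpuid_hypervisor_bit(ecx));
    else
        puts("CPUID probe not available on this build");

    /* Neither answer is trustworthy against a hypervisor that chooses to
     * keep the guest IDT in place or to hide the CPUID flag. */
    return 0;
}
```

On a 64-bit Linux host the kernel itself maps the IDT at a high address and may emulate SIDT for user mode, so the 32-bit Red Pill threshold is shown here for its historical logic rather than as a working modern detector.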

References

  1. 'Blue Pill' Prototype Creates 100% Undetectable Malware, Ryan Naraine, eWeek.com
  2. Faceoff: AMD vs. Joanna Rutkowska, eWeek.com
  3. Debunking Blue Pill Myth, virtualization.info
  4. Blue Pill is an attention-whoring non-threat, period, Tom Yager, InfoWorld
  5. Rutkowska faces '100% undetectable malware' challenge, Ryan Naraine, ZDNet.com
  6. Blue Pill hacker challenge update: It's a no-go, Ryan Naraine, ZDNet.com
  7. Showdown at the Blue Pill Corral
  8. Blue Pill Gets a Refill
  9. The Blue Pill Project
