Anatomy of the Blue Pill attack

A Blue Pill has been stirring up talk lately about the hardening of Windows Vista. No, I'm not talking about Viagra. Rather, security researcher Joanna Rutkowska's Blue Pill attack, a malware exploit introduced recently that has gotten the attention of Microsoft and the security community. So, what exactly is this exploit and what can be done about it? Read on.

It used to be that researchers and attackers were looking at Windows exploits at a much higher level. Null sessions, weak share permissions, Registry hacking and password cracking were the bomb a few years back. Now, with the Blue Pill attack -- and arguably many more to come -- Microsoft is seeing that interested parties in the security community are taking things up a few notches.

More information on Vista vulnerabilities Vista's security features: What to expect It is not here yet, but Windows Vista will provide quite a few security features that administrators will be able to take advantage of right away. Windows Vista deployment issues So you're thinking about deploying Vista soon? Looking to take advantage of better security? Well, there could be some unexpected challenges awaiting you.

The Blue Pill exploit code -- which bypasses Microsoft's digital signature protection for kernel mode drivers -- relies on a set of extensions in the Advanced Micro Devices Inc. (AMD) new 64-bit AMD Athlon processors called Secure Virtual Machine (SVM). With SVM, software developers are able to manipulate processor registers, interrupts, input/output and so on for virtual machine functionality at the hardware level. Ah, the sweet memories of assembly language programming are coming back! The Blue Pill attack itself manipulates kernel mode memory paging and the VMRUN and related SVM instructions that control the interaction between the host (hypervisor) and guest (virtual machine). This permits undetected, on-the-fly placement of the host operating system in its own secure virtual machine allowing for complete control of the system including manipulation by other malware. That's it in a nutshell.

All in all, the Blue Pill discovery is fascinating. Certainly a lot of smart minds are thinking of ways that hardware and software can be manipulated to keep software vendors and processor manufacturers on their toes (Intel included, since this type of attack could affect its virtualization technology, too). Obviously, Microsoft, AMD and the anti-malware vendors still have some work to do, and undoubtedly there will be more virtualization hacks.

End of our virtual worlds?

Should you avoid the 64-bit AMD processors that support SVM? Do you disable SVM in your systems' BIOS? Do you stay away from virtualization technologies altogether? Do you not deploy Vista? Do you wait until your anti-malware vendor comes up with a solution?

The simple answer to all those questions is a resounding no. First of all, the Blue Pill attack is more of a proof of concept that operating systems are never going to be completely bulletproof -- at least not as long as humans are involved. Furthermore, a lot of things have to fall into place in just the right fashion (including administrator-level access) for the Blue Pill exploit to even be possible.

I think we've got much bigger problems to be worried about than a malware weakness affecting a pre-release version of an operating system written for one specific processor architecture that requires administrator access, and won't even survive a reboot! If we can ever get past human laziness and oversight leading to default OS configurations, weak passwords, missing patches, minimal file access controls, Web applications that don't validate input and so on, then (and only then) should we worry about security flaws such as this one making a huge impact in our environments. It's a hard pill to swallow, but we've got to fix the basics first if security's ever going to be improved.

About the author: Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, spent six long years obtaining his degree in computer engineering, which included a lot of Blue Pill-like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments regarding compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

Rate this Tip To rate tips, you must be a member of SearchEnterpriseDesktop.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Patches, alerts and critical updates Microsoft beats the holiday rush, releases patches for IE and Windows Microsoft releases six patches for November Structuring patch management in seven steps Underlying causes of inconsistent patch management Microsoft's Online Desktop Manager caters to small IT shops Microsoft's Patch Tuesday brings a bumper crop of security fixes Act fast with five critical September patches Microsoft's August patches run the gamut Patching third-party browsers adds more work in Windows shops Troubleshooting Microsoft WSUS connectivity issues Microsoft Windows Vista operating system Windows 7 launches, offers salvation from Vista An intro to Windows 7's Deployment Image Servicing and Management tool Guide to converting from Windows XP to Windows 7 Choosing the best way to install images Has Microsoft corrected Vista annoyances in Windows 7? Microsoft's August patches run the gamut Your questions answered: The Windows 7 upgrade quandary Windows Vista users get little pricing relief on Windows 7 Combining folder redirection with roaming profiles IPv6 protocol, Windows Vista features simplify peer ad-hoc networking RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary drive-by download  (SearchEnterpriseDesktop.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.