Topic: Blue Pill

iago
Blue Pill
« on: October 15, 2006, 06:52:19 pm »
Blue Pill is a rootkit with an interesting concept -- it forces Windows into a virtualized environment without knowing it.  It's an impossible-to-detect rootkit being developed (or maybe already developed?) for Vista. 

Read all about it

Keep in mind this same concept can apply to Unix, Linux, Mac, and whatever -- it just hasn't yet.

Explicit
Re: Blue Pill
« Reply #1 on: October 15, 2006, 07:18:20 pm »
Red Pill.
Quote
Like all things in life, pumping is just a primitive, degenerate form of bending.

Quote
Hey, I don't tell you how to tell me what to do, so don't tell me how to do what you tell me to do! ... Bender knows when to use finesse.

[13:41:45]<@Fapiko> Why is TehUser asking for wang pictures?
[13:42:03]<@TehUser> I wasn't asking for wang pictures, I was looking at them.
[13:47:40]<@TehUser> Mine's fairly short.

iago
Re: Blue Pill
« Reply #2 on: October 15, 2006, 07:20:36 pm »
Quote
Red Pill.
The idea behind the "blue pill" is that the malware feeds the "blue pill" to your computer, it falls asleep, and wakes up inside the virtual environment ("the matrix"). 

Newby
Re: Blue Pill
« Reply #3 on: October 15, 2006, 07:21:53 pm »
Old news. IIRC, this was used against Vista before, and it needed administrator privileges.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Warrior
Re: Blue Pill
« Reply #4 on: October 15, 2006, 07:26:40 pm »
You had to jump through like 10 UAC prompts before it let you do it.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Explicit
Re: Blue Pill
« Reply #5 on: October 15, 2006, 07:31:44 pm »
Quote
Red Pill.
The idea behind the "blue pill" is that the malware feeds the "blue pill" to your computer, it falls asleep, and wakes up inside the virtual environment ("the matrix").

I know, I read it.  :P  For some reason, though, Red Pill just stuck out to me when I went through the article.

iago
Re: Blue Pill
« Reply #6 on: October 15, 2006, 09:17:21 pm »
Quote
Old news. IIRC, this was used against Vista before, and it needed administrator privileges.
You had to jump through like 10 UAC prompts before it let you do it.

Yeah, but this is beside the infection vector.  There are plenty of viruses/rootkits around that hide themselves in different and creative ways, like the article lists at the top.  This is yet another way to hide an infection on a system. 

And yeah, although this rootkit is specifically for Vista, it's a new and unique concept.  The idea of secretly running an OS within a virtual environment is interesting and scary.

Joe
Re: Blue Pill
« Reply #7 on: October 16, 2006, 07:50:48 pm »
This idea was kind of done on a much smaller scale with the way WoWGlider ran WoW. It ran WoW as a limited virtual user un-allowed to scan process lists (not that it mattered, because WoWGlider changed its EXE header, randomly changed memory thingies, and gave itself a random window name and process name, and was hidden in the task list) and removed some kind of debugging flags so that WoW couldn't tell you were reading its memory, and then simulated true keyboard/mouse events instead of writing memory so that it was impossible to detect that anything was wrong. If only Mercury had used his power for good. :)
I'd personally do as Joe suggests

You might be right about that, Joe.


MyndFyre
Re: Blue Pill
« Reply #8 on: October 17, 2006, 04:55:01 am »
Yay for my decision long ago to stick with Intel hardware since AMD is the attack vector for this!  :D
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Sidoh
Re: Blue Pill
« Reply #9 on: October 17, 2006, 12:25:14 pm »
At least AMD's chips were never released with a terrible floating point error!

MyndFyre
Re: Blue Pill
« Reply #10 on: October 17, 2006, 12:33:47 pm »
Quote
At least AMD's chips were never released with a terrible floating point error!

Oh man, you're right.  A floating point error is much worse than undetectable malware....

Sidoh
Re: Blue Pill
« Reply #11 on: October 17, 2006, 12:42:32 pm »
Is it going to interfere with medical and aviation equipment the same way Intel's floating point error did? :P

MyndFyre
Re: Blue Pill
« Reply #12 on: October 17, 2006, 02:02:39 pm »
Quote
Is it going to interfere with medical and aviation equipment the same way Intel's floating point error did? :P

Potentially.  Fortunately for me, I've never operated medical nor aviation equipment, so it wasn't a problem!

Sidoh
Re: Blue Pill
« Reply #13 on: October 17, 2006, 02:12:34 pm »
Quote
Potentially.  Fortunately for me, I've never operated medical nor aviation equipment, so it wasn't a problem!

It would have affected you just as easily.  I'm just saying it affected sensitive equipment.

MyndFyre
Re: Blue Pill
« Reply #14 on: October 17, 2006, 03:10:00 pm »
Quote
Potentially.  Fortunately for me, I've never operated medical nor aviation equipment, so it wasn't a problem!

It would have affected you just as easily.  I'm just saying it affected sensitive equipment.
It created sensitive equipment?  :-o