The Blue Pill is a virtualization-based rootkit designed especially for Windows Vista by security researcher Joanna Rutkowska, Founder/CEO of InvisibleThingsLab. Initially demonstrated at Black Hat Briefings 2006 in Las Vegas on August 3, 2006, on a pre-RTM version of Windows Vista, the Blue Pill has since evolved, and was redesigned and rewritten from scratch by Rutkowska and Alexander Tereshkin, InvisibleThingsLab principal researcher. The new Blue Pill was demonstrated at this year's Black Hat, following which the full source code for the rootkit was made available for download. Rutkowska claims that the virtualization-based Blue Pill is undetectable.
"The main point was that detecting virtualization is not the same as detecting virtualization-based malware. As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, no matter whether blue pilled or not. In that case blue pill-like malware doesn't need to cheat that virtualization is not enabled, as it's actually expected that virtualization is being used for some legitimate purposes. In that case using a 'blue pill detector', that in fact is just a generic virtualization detector, is completely pointless," she stated.
According to Rutkowska, it will be impossible to stop virtualization-based malicious code with generic virtualization detectors. The security researcher also emphasized that generic virtualization detectors take the wrong approach to detecting virtualized malware. "We believe that it will always be possible to detect virtualization mode using various tricks and hacks, but: 1) those hacks could be forced to be very complex and 2) in case virtualization is being used on the target computer for some legitimate purposes all those methods fail anyway (see point 1)," Rutkowska added, saying that integrating such hacks and tricks into hypervisors is not a valid approach to security. At Black Hat 2007, Rutkowska's preferred target was x64 Windows Vista, which Microsoft regards as the most secure version of the operating system.