Windows Vista BluePill Rootkit reloaded with Hyper-V support


The BluePill is the code-name used by Joanna Rutkowska, Founder/CEO of Invisible Things Labs, formerly a security researcher with COSEINC, for the development of a virtualization-based rootkit designed to compromise Windows Vista back in 2006. According to Rutkowska, the BluePill is set up to deliver an ultra-thin hypervisor that places itself between the hardware and the operating system. The infected platform continues to run inside a virtual machine controlled by the attacker, and because of this no security solutions deployed inside the operating system will be able to detect the underlying rootkit. Since 2006, a new version of the BluePill, authored by Alexander Tereshkin, Principal Researcher at Invisible Things Lab, has been evolving. The reloaded BluePill is now capable of running full hypervisors such as Virtual PC 2007.

"We can now virtualize complex hypervisors, like e.g. Virtual PC 2007 or Virtual Box with SVM turned on (BTW, we can also run VMWare Workstation, but that doesn't count, as on AMD processors it doesn't make use of SVM instructions)," Rutkowska explained. "I couldn't resist not to use my favorite Matrix analogy to describe what we do here: imagine Neo, who bravely followed The White Rabbit and finally decided to swallow The Red Pill, eventually awakes on The Nebuchadnezzar ship just to find out later that this whole 'real world' is... just another Matrix..."

This means that virtual machines can now be run inside a bluepilled operating system. Rutkowska even provided a screenshot of Windows XP running as a guest operating system inside a Virtual PC 2007 virtual machine installed on top of a Windows Vista platform that has been bluepilled. "The brand new source code with full virtualization support on AMD is now available on bluepillproject.org (you will need WDK6000 or newer to build it). Note that the (experimental) code for nested virtualization on Intel VT-x has been removed in this public version, leaving only the basic functionality if we run NBP on an Intel processor. Also, please note that the code for AMD-v, even though it proved to be very stable, is still just a proof of concept," Rutkowska added.

Source: Softpedia

Windows Vista, BluePill, Rootkit, Hyper-V, Hypervisor, Virtualization, Virtual PC