Comments on: Undetectable hypervisor rootkit challenge http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/ Embedded security, crypto, software protection Mon, 08 Mar 2010 21:19:29 +0000 http://wordpress.com/ hourly 1 By: Nate Lawson http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2489 Nate Lawson Sat, 11 Aug 2007 17:59:22 +0000 http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2489 The contest hasn't occurred yet. Based on the code we'd written and the <a href="http://bluepillproject.org/" rel="nofollow">New Blue Pill code</a> Joanna released, our checks would have detected BP. She would then have a chance to review our code, change NBP to detect our particular detector, and this would go on indefinitely (same as AV ecosystem). Joanna has moved on from talking about whether hiding/detecting is possible to "detectors are just hacks and will be too complex to use in the real world". The changing terms of the debate are frustrating, but a natural outcome of the fact that there is no actual virtualized malware in the world. The contest hasn’t occurred yet. Based on the code we’d written and the New Blue Pill code Joanna released, our checks would have detected BP. She would then have a chance to review our code, change NBP to detect our particular detector, and this would go on indefinitely (same as AV ecosystem).

Joanna has moved on from talking about whether hiding/detecting is possible to “detectors are just hacks and will be too complex to use in the real world”. The changing terms of the debate are frustrating, but a natural outcome of the fact that there is no actual virtualized malware in the world.

]]> By: Nate Lawson http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2488 Nate Lawson Sat, 11 Aug 2007 17:58:12 +0000 http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2488 KubuS: I believe your comment should be addressed to atomico only. I didn't say the particular order of guesses (right/wrong) mattered. Your comment regarding 5 PCs versus 2 PCs 5 times doesn't make sense. Remember, the goal was to protect against random guessing, assuming in the latter case that both PCs were fully reverted back to their original state (to keep each round fully independent). If you have 2 PCs and one of them has BP and one does not, a single guess is binary (left or right has BP), 50% probability. With 5 PCs and each of them has BP or not, each PC is a binary guess (BP or not), 50% probability. Probability-wise, these are EXACTLY the same. KubuS: I believe your comment should be addressed to atomico only. I didn’t say the particular order of guesses (right/wrong) mattered.

Your comment regarding 5 PCs versus 2 PCs 5 times doesn’t make sense. Remember, the goal was to protect against random guessing, assuming in the latter case that both PCs were fully reverted back to their original state (to keep each round fully independent). If you have 2 PCs and one of them has BP and one does not, a single guess is binary (left or right has BP), 50% probability. With 5 PCs and each of them has BP or not, each PC is a binary guess (BP or not), 50% probability. Probability-wise, these are EXACTLY the same.

]]> By: KubuS http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2468 KubuS Wed, 08 Aug 2007 03:31:59 +0000 http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2468 Peter, for the record, she is Polish not Russian. I don't support the idea of paying any money on the development of BluePill for the contest, however. atomico and Nate: Conditional probability while flipping a coin when the sequence DOES NOT matter? Were you sleeping on classes on the subject or what? It doesn't matter if you guess right 3 times in a row, and than 2 times wrong, or the other way around. There is NO connection between those events, so in this case there is a big difference if you use 5 PCs at once or 2 PCs 5 times in a row. Such probabilities are not comparable. I'm curious about the outcome of this contest though. Peter, for the record, she is Polish not Russian. I don’t support the idea of paying any money on the development of BluePill for the contest, however.

atomico and Nate: Conditional probability while flipping a coin when the sequence DOES NOT matter? Were you sleeping on classes on the subject or what? It doesn’t matter if you guess right 3 times in a row, and than 2 times wrong, or the other way around. There is NO connection between those events, so in this case there is a big difference if you use 5 PCs at once or 2 PCs 5 times in a row. Such probabilities are not comparable.

I’m curious about the outcome of this contest though.

]]> By: Zanon Zealous http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2285 Zanon Zealous Fri, 06 Jul 2007 20:30:55 +0000 http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2285 2 dk: Right you are, my dear friend!)))) IMHO, this very SE tool is very popular amoung our superstars))) 2 dk:
Right you are, my dear friend!)))) IMHO, this very SE tool is very popular amoung our superstars)))

]]> By: dk http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2283 dk Fri, 06 Jul 2007 12:50:49 +0000 http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2283 2Zanon Zealous: She is expert in social engineering. =) This PR action about "blue pill" is one of SE tools =))) 2Zanon Zealous:
She is expert in social engineering. =) This PR action about “blue pill” is one of SE tools =)))

]]> By: Zanon Zealous http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2282 Zanon Zealous Fri, 06 Jul 2007 07:43:36 +0000 http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/#comment-2282 Joanna, I'm with you! My experience tells me that it's rather easy to trick most of AV progs))) Not 100%, of cource)) But enough to do the job ;-) And then.. well, let them detect)))) I tested my tool with the most popular AV progs some days ago)) The results are as the following: Symantec - Sleeps... Kaspersky - Sleeps... Panda - Sleeps... Avast - Sleeps as well... BitDefender - Sleeps... And only NOD32 is a little bit nervous))) One more thing I want to say is that the lion's share of success falls on so called social engineering)) The primary target to trick is USER, not AV prog! Joanna, I’m with you! My experience tells me that it’s rather easy to trick most of AV progs))) Not 100%, of cource)) But enough to do the job ;-) And then.. well, let them detect)))) I tested my tool with the most popular AV progs some days ago)) The results are as the following:
Symantec – Sleeps…
Kaspersky – Sleeps…
Panda – Sleeps…
Avast – Sleeps as well…
BitDefender – Sleeps…
And only NOD32 is a little bit nervous)))
One more thing I want to say is that the lion’s share of success falls on so called social engineering)) The primary target to trick is USER, not AV prog!

]]>