The Undetectable Malware That Real Hackers Don’t Seem to Want

LAS VEGAS — Remember the Blue Pill? That was the undetectable rootkit that was all the talk at Black Hat five years ago. It seemed scary. The Blue Pill was one of a new breed of malicious programs that would slip themselves underneath the operating system in a virtual machine hypervisor and silently tamper with the computer's kernel in order to do their bad stuff.

Researchers soon developed equally technical countermeasures to detect these sneaky attacks.

Five years ago, virtualized rootkits seemed like a very scary possibility, but today not so much. Why? Because they're really hard to write, and other, easy-to-use techniques work just fine, thank you very much.

Alex Stamos, a founder of NCC Group's iSec Partners, spends a lot of time investigating computer intrusions, and he said that he's never seen a Blue Pill type rootkit in the real world — even in the most technically sophisticated attacks.

"There's a lot of talks here at Black Hat about the race to ring zero, right. Of people going out and saying I wrote a better rootkit that you can't detect," he said at Black Hat this week. "It turns out that nobody in the real world actually does any of that stuff. You never see Blue Pills. You never see people doing hypervisor rootkits. You rarely run into real state-sponsored attackers even going into the kernel."

When you start messing around with the Windows kernel, you're playing with fire, or in Windows terms, you're playing with the Blue Screen of Death. Software that works fine on Windows 7 might crash on Vista or XP. And a frantic call for IT support is just the kind of attention that sophisticated hackers want to avoid. So instead they write rootkits that run in usermode — software that could be seen by other programs running on the computer — and they use a variety of reliable tricks to make them hard to detect. They'll name their rootkit after a service that you're likely to trust, and they'll mix up the way the software is put together so that it skirts antivirus detection, for example.

Blue Pill's author Joanna Rutkowska pretty much agrees with Stamos. "The traditional methods of system compromise (either via usermode or traditional kernelmode rootkits) still work just fine. Really, what new (game-changing) OS protections against compromises have been added in the last 5 years to Windows or Mac?" she says.

For now at least, the Blue Pill is simply something you see in the movies.

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's email address is robert_mcmillan@idg.com

Source: https://www.pcworld.com/article/481650/the_undetectable_malware_that_real_hackers_dont_seem_to_want.html

Posted by: nelsoncovelf.blogspot.com
