http://matasanochargen.disqus.com/enWed, 04 Jul 2007 15:05:12 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322862Is anyone else as excited for blackhat this year as any in recent history? I'm looking forward to this showdown!Nathan McFetersWed, 04 Jul 2007 15:05:12 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322861No, Joanna's rootkit doesn't persist itself.Thomas PtacekMon, 02 Jul 2007 12:28:39 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322860Does the rootkit have to be persistent? Can the system BIOS be write protected?<br><br>If so, there is always Yi Min Wang's Ghostbuster trick from Microsoft Research.<br><br>Persistent stealthy rootkits, in the face of a defender who can reboot the system and has a trusted BIOS and trusted media, are always detectible, unless the rootkit author solves the program-intent-detection problem (aka, the AV version of the Halting problem), gives up on stealth (not a rootkit), or gives up on persistent (reboot clears rootkit)Nicholas WeaverMon, 02 Jul 2007 00:35:21 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322859I'm assuming it's Vista, but don't have a strong opinion.Thomas PtacekThu, 28 Jun 2007 20:14:05 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322858Will you agree on an OS to use? XP? Vista?TechnocratThu, 28 Jun 2007 18:10:59 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322857I don't think having our source code is going to help her make Blue Pill less detectable, even in the medium-short term. <br><br>What I do like is, "you can't peg the CPU for more than a second because it will be a drag for users". Like the performance cost of having SVM/VTX enabled isn't?Thomas PtacekThu, 28 Jun 2007 17:08:04 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322856I've posted my response to Joanna <a href="http://rdist.root.org/2007/06/28/undetectable-hypervisor-rootkit-challenge/" rel="nofollow">here</a>.NateThu, 28 Jun 2007 14:59:55 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322855Yeah, and she wants you to find sponsors to pay her $384,000 so she can play! Six months, two developers @ $200/hr per developer to develop blue pill = lame.one.miguelThu, 28 Jun 2007 14:19:52 -0000http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/#comment-2322854Looks like Joanna has turned the contest around and given you the short straw, haha. Her blog post pretty much says that it's not even half finished so of course you'll be able to detect it with all your fancy timing tricks. Not to mention she'll get the source code to these tricks after the competition and it's not like you don't already have a similar rootkit so you don't get much out of that transaction.<br><br>This is interesting indeed!Fionnbharr DaviesThu, 28 Jun 2007 10:26:57 -0000