blue pill rootkit

The blue pill rootkit is malware that executes as a hypervisor to gain control of computer resources. The hypervisor installs without requiring a restart and the computer functions normally, without degradation of speed or services, which makes detection difficult.

The original blue pill implementation was based on AMD virtualization (AMD-V), a set of hardware extensions for the X86 processor architecture. The processor extensions offload repetitive and inefficient work from software, which improves virtual machine (VM) performance on the physical server. However, because AMD-V is designed to operate seamlessly, the hypervisor is invisible to the operating system and has full privileges to make any change desired. The malware can intercept any internal communication between the operating system and system hardware and software and send a false response. The blue pill code was subsequently adapted for the Intel VT-x (virtualization technology) environment.

Joanna Rutkowska, a security researcher for Singapore-based IT security firm COSEINC, developed the Blue Pill rootkit as proof-of-concept malware, which she demonstrated at the 2006 Black Hat Briefings conference. Rutkowska also developed Redpill, a series of techniques used to detect a blue pill hypervisor.

The name blue pill is a reference to the science fiction movie The Matrix. Neo, the main character, is offered a choice between a blue pill, which will allow him to live obliviously in the virtual reality environment of The Matrix, and a red pill that will allow him to understand his situation and ultimately escape from The Matrix. Morpheus (Neo’s guide) explains: "This is your last chance. After this, there is no turning back. You take the blue pill -- the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill -- you stay in Wonderland and I show you how deep the rabbit-hole goes."

Blue pill and red pill have become symbolic in pop culture for willful ignorance versus seeking the truth, however difficult that truth might be.

See also: hardware virtualization, BIOS rootkit attack, virtual machine escape, hypervisor security, virtualization

This was last updated in March 2011

Continue Reading About blue pill rootkit

Dig Deeper on Application and platform security