Four well-known researchers challenged rootkit guru Joanna Rutkowska on Thursday to prove that a rootkit can be made undetectable.
The four researchers -- independent Dino Dai Zovi, Peter Ferrie of Symantec, Nate Lawson of Root Labs (corrected) and Thomas Ptacek of Matasano -- stated that any rootkit that inserts itself as a hypervisor beneath a running operating system leaves so many telltale signs that it can be detected.
Last year, Dai Zovi and Rutkowska unveiled separate projects that use the hardware virtualization extensions in AMD and Intel processors to create hard-to-detect rootkits, a technique dubbed "hyperjacking". Rutkowska called her project "Blue Pill," after the object in the movie The Matrix that would have left the protagonist Neo in the simulated world still controlled by the machines.
In answering the challenge in a blog post on Thursday, Rutkowska said she would take the bet, but only if the challengers found a sponsor to pay her and her company's co-founder for the time to create the code, a whopping $416,000 price tag.
"Our current Blue Pill has been in development for only about two months -- please note that we do not have rights to use the previous version developed for (my previous company) -- and it is more of a prototype, with primary use for our training ... rather than a 'commercial grade rootkit'," she said, adding that bringing Blue Pill up to snuff would be a six-month project for two people and naming a rate of $200 per hour to create the code. Two people for six months at roughly 40 hours a week is about 2,080 hours, which at $200 per hour is where the $416,000 figure comes from.
Rutkowska outlined additional rules that she believes would make the contest a fair challenge, including running five machines: with each machine independently either infected or clean, a random guess matches the true state of all five with probability 1 in 2^5 = 32, or about 3 percent. Symantec is the parent company of SecurityFocus.
Joanna's response is rather interesting. She wants to be paid for her time and effort, like any security researcher. Those who challenged her understand this as well, especially Dino Dai Zovi.
He found and developed a new zero-day in QuickTime during CanSecWest... but only after money was offered as a reward. He didn't want the free Apple laptop; he wanted the money.
The money made the time and effort worth it... will they extend the same honor to Joanna?
The challengers have a good case for claiming that detectors are favored to win, but only time, and perhaps a large amount of coding, will set the record straight... for now.
The gambit has been played. Will it be accepted?