Some may choke on Blue Pill yet...
By Pat GRAY
Hey all -- back from my holiday in Indo. Feeling very relaxed, but sadly out of touch with recent developments in the world of information security. So this will be a short and highly nerdy post. It's about the Blue Pill -- root-kits that install themselves as virtualisation layers, underneath operating systems, in order to evade detection.
The news is some clever propeller-heads have figured out how to detect them... for now.
ZDNet has reported researchers from Carnegie Mellon and Stanford universities in the US have figured out that it's not actually that hard for software to detect when it's dealing with real hardware as opposed to virtualised hardware. Here's the money quote:
"No matter how minimal the hostile VMM [virtual machine monitor] is, it must consume physical resources, perturb timings and take measures to protect itself from the guest, leaving it no less susceptible to detection than other VMMs."
Now, here's the part that's going to bake your noodle: While it's possible to detect the root-kitting of a normal PC with "hypervisor malware", how on Earth will you detect the Trojaning of a virtual image running on something like a VMware box?
That's right, a virtualised root-kit affecting a virtualised OS. Try measuring "perturbed timings" then!
I suppose you could bloat up the actual virtualisation layer (like VMware's hypervisor, for example) with an AV detection engine designed to scan for this sort of stuff, but ye gads, that means running security software at the virtualisation layer to monitor the operating systems that your other security software runs on! It's enough to turn a reasonable person quite insane.
At Hydrapinion we're all about opinions, and here's mine: The latest news from Carnegie Mellon and Stanford is fantastic, but virtualised root-kits will remain a significant pain in the arse for a long, long time; at least a four out of 10 on the patented Hydrapinion "ouch" scale.
2 comments
And (admittedly speaking from relative ignorance) wasn't Intel's vPro architecture touted as a way of running security software that could stop malware from getting into a system via the network in the first place?
Patrick Gray is an IT security expert, so we can't show you his face for your own protection. Each week he delves into technology's dark underbelly to see what lurks in the shadows.