"Blue Pill" Malware

This, and other similar reports, suggests a fundamental security breach exists in Windows Vista x64. Is there any validity to this?
Here's the link, but it's prevalent in searches as well:
http://www.eweek.com/article2/0,1895,1983037,00.asp
-- Mark
Keeping the fun in dysfunctional!

Hmmm... The line in there that I noticed was
...snip.. "the new Blue Pill concept uses AMD's SVM/Pacifica virtualization technology to create an ultra-thin hypervisor that takes complete control of the underlying operating system." ..snip..
Wonder if that means it only affects AMD systems...lol
--
Takali S. Omega
Manager, Raven Mill Computers
Owner, SynTaks E-Works
Host of TechTAK on KFAR 660am
ASUS P5N32SLI Deluxe, Intel Presler Pentium D 950, 2GB OCZ DDR2-800, 2x eVGA 7600 SLI, 2x WD 250 SATA2

"Mark D. VandenBerg" wrote in message
> Is there any validity to this?

The AMD Pacifica and Intel VT technologies are different.
"Raven Mill @techtak.com>" <ravenmill<nospam> wrote in message
> Wonder if that means it only affects AMD systems...lol

True enough, but the part that should concern people is that, if this concept is true, this is not specific to Windows, but viable with Linux as well.
-- Mark
Keeping the fun in dysfunctional!
"Colin Barnhorst" wrote in message
> The AMD Pacifica and Intel VT technologies are different.

Depends on the delivery package.
"Mark D. VandenBerg" wrote in message
> True enough, but the part that should concern people is that, if this concept is true, this is not specific to Windows, but viable with Linux as well.

Right...which seems almost humorous to me. Sorry if that sounds bad, but it will remove a thorn in my side from the debates with my LFWPT and the idea that Linux is totally secure and is absolutely immune to attack...same goes for Mac users.
It will be interesting to see if anyone makes use of it. I have a show to do in an hour and a half and will bring it up just as a matter of reference.
I don't mean to plug my show, but since the topic this week is Vista, I figured maybe some of you might be interested. You can listen in on the stream at the website. http://www.techtak.com The site will be totally redesigned later this coming week, as I hate what it looks like now. It's not a "fancy" Kim Komando kind of show, but mostly just me and my wife bantering back and forth. It's a small show. We have fun doing it, but we really want to start getting serious about Vista on it, so we appreciate any feedback from folks. (Might even be nice to have some halfway knowledgeable people call in...lol)
I sure hope Vista doesn't turn out to be a great OS and still be the bashing bag like the rest just because people hate MS so much. So far, to be honest, I like Vista x64. Of course it has some bugs...maybe even a lot of them...but that's why we get the honor of beta testing it.
One question I've been meaning to ask folks on the ng... How many of you are reporting your problems and/or solutions to the MS feedback system for the Beta? You DO realize, I hope, that that's what this beta release is for, right? To let them know of the problems you find?
--
Takali S. Omega
Manager, Raven Mill Computers
Owner, SynTaks E-Works
Host of TechTAK on KFAR 660am
ASUS P5N32SLI Deluxe, Intel Presler Pentium D 950, 2GB OCZ DDR2-800, 2x eVGA 7600 SLI, 2x WD 250 SATA2

"Mark D. VandenBerg" wrote in message
> True enough, but the part that should concern people is that, if this concept is true, this is not specific to Windows, but viable with Linux as well.

I have cruised 20-25 different articles about this and there is no mention of the delivery process, other than "generically injected into the kernel." There will be a demonstration in Singapore on 18 July, and then another at Black Hat, so perhaps in a week or so I'll revisit this.
-- Mark
Keeping the fun in dysfunctional!
"Colin Barnhorst" wrote in message
> Depends on the delivery package.


I agree completely.
The response to the rambling anecdotal postings should always be "Did you report this to MS at http://www.microsoft.com/windowsvista/sentiments/default.mspx?" The response to detailed, apparently unsolvable issues should always be "Did you file a bug with http://windowsbeta.microsoft.com/vista/bugs.aspx?&build=0&sku=0?"
Good luck with your great show! Do you record the shows for podcasting?
"Raven Mill @techtak.com>" <ravenmill<nospam> wrote in message
> One question I've been meaning to ask folks on the ng... How many of you are reporting your problems and/or solutions to the MS feedback system for the Beta? You DO realize, I hope, that that's what this beta release is for, right? To let them know of the problems you find?

By delivery I meant the target. Windows, Linux, OS/X.
"Mark D. VandenBerg" wrote in message
> I have cruised 20-25 different articles about this and there is no mention of the delivery process, other than "generically injected into the kernel."



I only know of one blue pill, it's for erectile dysfunction.
"Mark D. VandenBerg" wrote in message
> Is there any validity to this?

Simple theory: if you can create something for good, evil is short to follow.
At first when I saw the article I thought the author was an Intel zealot only out to bash AMD. However, reading the article only made me wonder if "all" virtual machine technology can be implemented in a devious way, not just AMD's. I do know that Intel's VT is different, as are other processor manufacturers'.
Also, we were discussing this at my shop well before the article ever broke and just kicking ideas around how VMT could help virus/malware scanners. Provided that the entire computer is separated by VMTs, the concept we came up with is to "freeze" a virtual machine, scan it completely from an outside source (i.e., another VMT). After which, the VMT is cleaned and resumed like nothing happened.
-Luke
Mark D. VandenBerg wrote:
> This, and other similar reports, suggests a fundamental security breach exists in Windows Vista x64. Is there any validity to this?

This is a great second step. However, the question I have is how would you detect this on a computer in the first place to know whether or not this has happened?
-- Keeping the Fun in Dysfunctional...
"Luke Fitzwater" wrote:
> Provided that the entire computer is separated by VMTs, the concept we came up with is to "freeze" a virtual machine, scan it completely from an outside source (i.e., another VMT). After which, the VMT is cleaned and resumed like nothing happened.

Like I said it was just a theory we kicked around at the shop a while back. But if you want to try to implement it, I would first start with some type of VMT monitor, like I use under Linux.
If they can completely hide such a VMT like the article suggested, then the VMT should be pulling some resources allocated by the computer. In that case the scanner should implement a complete system "freeze" with the exception of the VMT that is scanning the others. Each resource at this point can be traced back to the originating VMT and what program is running on top of the VMT, thus flushing out the "hidden" VMT and its virus/malware also hidden inside.
We can only pray that virus/malware writers may not be smart enough to implement such a feat for their advantage.
-Luke
Mark D. VandenBerg wrote:
> This is a great second step. However, the question I have is how would you detect this on a computer in the first place to know whether or not this has happened?

The author proposes that the code emulates the proper scan results or uses no resources. She really is not revealing much, even in her own blog or on the company site.
The only theoretical prevention I have read is preemptively running a hypervisor since there can be only one.
I almost want to go to Black Hat and see this for myself.
-- Mark
Keeping the fun in dysfunctional!
"Luke Fitzwater" wrote in message
> If they can completely hide such a VMT like the article suggested, then the VMT should be pulling some resources allocated by the computer.

Luke Fitzwater wrote On 7/9/2006 7:14 PM:
> We can only pray that virus/malware writers may not be smart enough to implement such a feat for their advantage.

Once it gets packaged up real nice and easy and released to the script kiddies, all is lost.
Computers will now need ignition switches and keys, like autos, to prevent virtual machine trojans.

I still can't see how it can run without using any resources; it may use very little, but none at all would mean it is not running at all.
If it does emulate a complete system inside a system, there should still be telltale signs of another system around it. If it is that good of an emulation that it is fooling the interior system, countermeasures should be in place by the time any real threats of said virus/malware have arrived.
Let us know how Black Hat goes, I'm RSS feeding from their site now, just couldn't jump a plane to be there.
-Luke
Mark D. VandenBerg wrote:
> The author proposes that the code emulates the proper scan results or uses no resources. She really is not revealing much, even in her own blog or on the company site.
> The only theoretical prevention I have read is preemptively running a hypervisor since there can be only one.
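Mark's two questions above (how would you detect a thin hypervisor that is already underneath you, and the "run a hypervisor first, since there can be only one" prevention) and Luke's point that there should still be telltale signs of another system around you can both be probed from inside the guest. What follows is an added example, not code from this thread or from the Blue Pill author: it checks the CPUID hypervisor-present bit, the VMX and SVM capability bits, the hypervisor vendor leaf, the AMD VM_CR SVMDIS/LOCK bits, and the cost of a CPUID trap. The bit positions are those documented in the Intel and AMD manuals; the function names are mine; the vendor signature in the test is the one KVM reports, supplied as a constructed sample.

```c
/*
 * Added example (not from the thread): guest-side checks for "is there a
 * hypervisor underneath me?" and "can a later loader still enable SVM?".
 * Decision logic takes raw register values so it can be unit tested; the
 * live probes touch the CPU only on x86 and return 0 elsewhere.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* CPUID.1:ECX bit 31 is the "hypervisor present" flag. A cooperative VMM
 * sets it; a hostile one that intercepts CPUID can simply clear it. */
int hv_present_bit(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 31) & 1u); }

/* CPUID.1:ECX bit 5: Intel VT-x (VMX) is implemented on this CPU. */
int cpu_supports_vmx(uint32_t leaf1_ecx) { return (int)((leaf1_ecx >> 5) & 1u); }

/* CPUID.80000001h:ECX bit 2: AMD SVM (Pacifica) is implemented. */
int cpu_supports_svm(uint32_t ext1_ecx) { return (int)((ext1_ecx >> 2) & 1u); }

/* AMD VM_CR MSR (C001_0114h): bit 4 SVMDIS, bit 3 LOCK. With both set, any
 * attempt to set EFER.SVME faults until reset, so nothing loaded later can
 * claim the hypervisor slot. The raw MSR value must be read from ring 0. */
int svm_locked_off(uint64_t vm_cr) {
    return (int)(((vm_cr >> 4) & 1u) && ((vm_cr >> 3) & 1u));
}

/* CPUID.40000000h: EBX, ECX, EDX carry a 12-byte vendor signature such as
 * "KVMKVMKVM". Bytes are taken in little-endian order, as x86 stores them.
 * Bare metal returns zeros or junk here, so consult hv_present_bit() first. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Cheapest observed CPUID in TSC ticks over `samples` runs. CPUID always
 * traps to the hypervisor, so tens of ticks means bare metal and hundreds to
 * thousands means you are a guest. A VMM that also intercepts RDTSC can skew
 * this, which is exactly the cheating the thread worries about. */
uint64_t cpuid_trap_cost(unsigned samples) {
#if HAVE_X86
    uint64_t best = UINT64_MAX;
    for (unsigned i = 0; i < samples; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid_count(0, 0, a, b, c, d);   /* serializing; forces the exit */
        uint64_t t1 = __rdtsc();
        (void)a; (void)b; (void)c; (void)d;
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)samples;
    return 0;
#endif
}

/* Live probe of this CPU. Returns 1 when it actually executed CPUID. */
int probe_live(uint32_t *leaf1_ecx, uint32_t *ext1_ecx, char vendor[13]) {
#if HAVE_X86
    unsigned a, b, c, d;
    __cpuid_count(1, 0, a, b, c, d);
    *leaf1_ecx = c;
    __cpuid_count(0x80000001u, 0, a, b, c, d);
    *ext1_ecx = c;
    __cpuid_count(0x40000000u, 0, a, b, c, d);
    hv_vendor_string(b, c, d, vendor);
    (void)a;
    return 1;
#else
    *leaf1_ecx = 0; *ext1_ecx = 0; vendor[0] = '\0';
    return 0;
#endif
}

int main(void) {
    uint32_t l1 = 0, e1 = 0;
    char vendor[13];
    if (!probe_live(&l1, &e1, vendor)) {
        puts("not an x86 CPU; nothing to probe");
        return 0;
    }
    printf("VMX available: %d  SVM available: %d\n",
           cpu_supports_vmx(l1), cpu_supports_svm(e1));
    printf("hypervisor-present bit: %d\n", hv_present_bit(l1));
    if (hv_present_bit(l1))
        printf("vendor signature: %s\n", vendor);
    printf("cheapest CPUID: %llu TSC ticks\n",
           (unsigned long long)cpuid_trap_cost(200));
    return 0;
}
```

Every check in the block except the VM_CR one is a guest-side heuristic that a hypervisor intercepting CPUID and RDTSC can lie about, which is the thread's concern in a nutshell. The VM_CR check is the one that works before the fact: firmware or an OS that sets SVMDIS together with LOCK leaves no hypervisor slot for a later loader to take, and reading that MSR needs ring 0 (on Linux, for instance, the msr driver under /dev/cpu/0/msr). On Intel the equivalent gate is the feature-control MSR lock, which this example does not cover.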

I was thinking of more along the lines of a personal bluetooth identification device or a smart card swipe. Both computer and device shake hands and share an encrypted file to authenticate user.
Without this "key" the computer will ignore all system level changes. When the "key" is present, the computer will check with the computer operator. Very similar to the way Vista does the "zero zone".
Security is always a preemptive task. The longer you wait, the bigger the mess you have to clean up.
-Luke
KWE wrote:
> Once it gets packaged up real nice and easy and released to the script kiddies, all is lost.
> Computers will now need ignition switches and keys, like autos, to prevent virtual machine trojans.

Do you podcast these shows?

Actually, we will be. Our new time and format starts on August 12th, and I'm *TRYING* to get the podcasting set up for then. If nothing else, we'll at least have archive shows via mp3 or some such.
My only problem now is getting the new website design up and running, which I've been trying to do for the last 2 months and have been too busy. (I blame this on MS for releasing B2 during the time when I was supposed to be redesigning the site.)
--
Takali S. Omega Sr
Host of TechTAK on KFAR 660am
No matter how fast light travels it finds the darkness has always got there first, and is waiting for it.
"Bernie" wrote in message
> Do you podcast these shows?

Please add me to your mailing list at colinbarharst@msn.com. Yes, my name is misspelled, but the addy is right.
"Raven Mill @techtak.com>" <ravenmill<nospam> wrote in message
> Actually, we will be. Our new time and format starts on August 12th, and I'm *TRYING* to get the podcasting set up for then.
