LAS VEGAS — Once again security researcher Joanna Rutkowska took the stage at
Black Hat, and once again she set out to prove in glorious detail how to
exploit and attack Microsoft Windows Vista.
Rutkowska blew the lid off last year’s Black Hat event with her landmark presentation ahead of the official Vista release where she demonstrated
a virtualized rootkit called Blue Pill that took control over a Vista
This year she brought a new pill and a few more
tricks to take Vista to task.
“I’m going to talk about Vista kernel protection and why it doesn’t work,”
Rutkowska boldly declared to the overflow crowd.
She then read a quote from Microsoft’s Vista documentation that stated that
even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.
“There are thousands, maybe tens of thousands of third-party drivers that are
poorly written and could be a problem,” Rutkowska said.
She then displayed two examples, both from video drivers companies, to prove
her point. In her view both the ATI Catalyst driver and the NVIDIA nTune
Driver are bad in that they could be used as an attack vector to
circumvent Vista kernel protection.
With the NVIDIA driver, Rutkowska alleged that the driver was able to read
and write registers without any additional checks.
“The whole problem in NVIDIA is that the driver doesn’t do the proper checks
and can do a write for an arbitrary registry.”
To add further insult to injury, the target machine doesn’t even need to have
the bad driver on the system in order for the attacker to use it as an
“The attacker could just include it as part of their own rootkit and then
use it to exploit Vista,” Rutkowska said. “It doesn’t matter whether it’s a
popular driver or not. We can bring it to the target system and exploit it.”
If having a bad third-party driver wasn’t bad enough, Rutkowska explained that
an attacker could make their own buggy driver to use for an attack.
According to her, Microsoft doesn’t require developers to submit their
drivers to Microsoft for signing.
To prove her point, Rutkowska said she went to Microsoft partner site
globalsign to get a driver certificate that cost $250.
“We can now sign whatever we want,” Rutkowska declared. “No one can prove
that I intentionally built a bug.”
She said that she could just put the driver on her site and then anyone
could use it to bundle with a rootkit and then exploit Vista. “But I don’t have to do this cause we have dozens of public drivers to
Then there is Blue Pill, the virtualized rootkit Rutkowska first unleashed
to the world at last year’s Black Hat. That pill apparently has lost some of
its efficacy and, as such, Rutkowska designed a new Blue Pill from scratch in
The new Blue Pill uses a para-virtualized layer and provides a thin
hypervisor to control the operating system. Though some other research has
argued that there are ways to detect and stop Blue Pill, Rutkowska disagreed
and explained why in a great degree of technical detail.
“Disabling virtualization is like saying, ‘Disable your network card to
defend against network attacks,'” Rutkowska smirked.
The new Blue Pill also supports nested virtual malware machine so one or more
could run inside of another making it even more difficult to stop and or
The cause for all that Rutkowska found to be exploitable with Vista
isn’t because of her pill, or so she alleged.
“Blue Pill is not a bug; it’s a design problem.”