Definition

blue pill rootkit

The blue pill rootkit is malware that installs itself as a thin hypervisor beneath the running operating system: the operating system, which was running directly on the hardware, is silently moved into a virtual machine that the rootkit controls. The hypervisor installs on the fly, without a reboot, and the computer appears to function normally, with no obvious loss of speed or services, which makes detection difficult.

The original Blue Pill implementation was built on AMD virtualization (AMD-V), a set of hardware extensions for the x86 processor architecture. These extensions take repetitive and inefficient virtualization work away from software, which improves virtual machine (VM) performance on the physical server. The same property makes them useful to a rootkit: a hypervisor running in the processor's privileged host mode sits below the operating system, which has no direct way to see it, and it can intercept selected interactions between the operating system and the hardware (privileged instructions, register and device accesses) and return a false result. The Blue Pill code was subsequently adapted to Intel's equivalent extensions, Intel VT-x (Virtualization Technology).

Joanna Rutkowska, a security researcher at the Singapore-based IT security firm COSEINC, developed Blue Pill as proof-of-concept malware and demonstrated it at the Black Hat Briefings conference in 2006, with Windows Vista x64 as the target system. Rutkowska had earlier (2004) published Red Pill, a detection technique that reads the interrupt descriptor table register with the x86 SIDT instruction to tell whether code is running inside a software virtual machine monitor such as VMware or Virtual PC. That trick does not detect a thin hardware-assisted hypervisor like Blue Pill, which leaves the guest's IDT where it is; detecting such a hypervisor instead relies on side effects, such as the extra time taken by instructions the hypervisor must trap.
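As an added example (not from the original page, and not Rutkowska's Red Pill or Blue Pill source), the two detection ideas just described in C: the Red Pill heuristic, which in its original form reads the IDT base with SIDT and flags a 32-bit base whose high byte is above 0xd0 as a relocated, software-VMM table, and a timing check that measures how many cycles CPUID takes, since under Intel VT-x CPUID always exits to the hypervisor (and most AMD-V hypervisors intercept it too). The 2x-baseline margin, the sample cycle counts and the sample IDT addresses are this example's own assumptions; the assembly parts compile only on x86 and return 0 elsewhere.

```c
/* Added example: Red Pill-style IDT check and a CPUID timing check.
 * Not the original Red Pill or Blue Pill code. Build: cc -O2 -std=gnu99 detect.c */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* IDTR image written by SIDT: 16-bit limit followed by the linear base address
 * (32 bits in protected mode, 64 bits in long mode). */
struct __attribute__((packed)) idtr {
    uint16_t  limit;
    uintptr_t base;
};

/* Red Pill's heuristic for 32-bit guests: software VMMs such as VMware and
 * Virtual PC kept the guest IDT at a high address (the original test was
 * "high byte of the base > 0xd0"), while a native 32-bit Windows kernel placed
 * it in the 0x80000000 region. Pure function so it can be tested with
 * constructed values; it says nothing about long-mode (64-bit) systems. */
int redpill_suspicious32(uint32_t idt_base)
{
    return ((idt_base >> 24) & 0xffu) > 0xd0u;
}

/* Read the current IDT base. Returns 0 on non-x86 builds. On CPUs with UMIP
 * enabled, user-mode SIDT is trapped; Linux spoofs a fixed value rather than
 * faulting, so the returned address may not be the real one. */
uintptr_t read_idt_base(void)
{
#if HAVE_X86
    struct idtr r = {0, 0};
    __asm__ __volatile__("sidt %0" : "=m"(r));
    return r.base;
#else
    return 0;
#endif
}

/* Cycles for one CPUID (leaf 0), bracketed by RDTSC. Returns 0 on non-x86. */
uint64_t cpuid_cycles_once(void)
{
#if HAVE_X86
    uint32_t lo1, hi1, lo2, hi2, a = 0, b, c, d;
    __asm__ __volatile__("rdtsc" : "=a"(lo1), "=d"(hi1));
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    __asm__ __volatile__("rdtsc" : "=a"(lo2), "=d"(hi2));
    (void)b; (void)c; (void)d;
    return (((uint64_t)hi2 << 32) | lo2) - (((uint64_t)hi1 << 32) | lo1);
#else
    return 0;
#endif
}

/* Minimum of n samples: the floor is what matters, because interrupts and
 * cache misses only ever inflate an individual sample. */
uint64_t min_cycles(const uint64_t *samples, size_t n)
{
    uint64_t m = samples[0];
    for (size_t i = 1; i < n; i++)
        if (samples[i] < m) m = samples[i];
    return m;
}

/* Verdict against a baseline measured on hardware known to run bare metal.
 * A trapped CPUID costs a VM exit and re-entry, on the order of a thousand
 * cycles or more, versus roughly a hundred natively; 2x is this example's
 * chosen margin (assumption). A hypervisor that adjusts the guest's TSC
 * offset, as Blue Pill's author proposed, can defeat this check. */
int timing_suspicious(uint64_t observed_min, uint64_t bare_metal_baseline)
{
    return bare_metal_baseline > 0 && observed_min > 2 * bare_metal_baseline;
}

int main(void)
{
    enum { N = 1000 };
    uint64_t samples[N];
    for (size_t i = 0; i < N; i++)
        samples[i] = cpuid_cycles_once();

    uintptr_t base = read_idt_base();
    printf("IDT base: 0x%lx\n", (unsigned long)base);
    if (sizeof(uintptr_t) == 4)
        printf("Red Pill heuristic: %s\n",
               redpill_suspicious32((uint32_t)base) ? "suspicious" : "clean");
    else
        printf("Red Pill heuristic: not applicable in long mode\n");
    printf("min CPUID cycles: %llu (compare with a bare-metal baseline)\n",
           (unsigned long long)min_cycles(samples, N));
    return 0;
}
```

Run it on a known-clean machine first to record a baseline, then compare that number with what the same binary reports on the system under test; a single run's absolute value means little, which is why the example keeps the minimum of many samples rather than an average.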

The name blue pill is a reference to the science fiction movie The Matrix. Neo, the main character, is offered a choice between a blue pill, which will allow him to live obliviously in the virtual reality environment of The Matrix, and a red pill that will allow him to understand his situation and ultimately escape from The Matrix. Morpheus (Neo’s guide) explains: "This is your last chance. After this, there is no turning back. You take the blue pill -- the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill -- you stay in Wonderland and I show you how deep the rabbit-hole goes."

Blue pill and red pill have become symbolic in pop culture for willful ignorance versus seeking the truth, however difficult that truth might be.

See also: hardware virtualization, BIOS rootkit attack, virtual machine escape, hypervisor security, virtualization

This was last updated in March 2011
Posted by: Margaret Rouse
