Take the Blue Pill, please, HAL

[Pangloss]

One of the more intriguing black hat ideas floating around the Internet these days is the idea of exploiting operating systems running on dual-core processors in such a way as to fool the user into thinking they're running a normal Windows session, when in fact they're actually only running in a simulated setting known as a "virtual machine". A "real" operating system would be running in the background, completely hidden from the user, providing resources to the "fake" operating system, and also monitoring everything the user does. (Hence the "blue pill" label, derived from The Matrix.) Along the way, of course, it would make note of all your usernames and passwords, credit card information, and anything else of importance to the hacker.

 

Part of the fear at work here is generated by the improvements in what hardware nerds euphemistically call "virtualization". The latest round of dual-core processors (such as those being released by Intel this month and next) have greatly improved technology for dealing with multiple sessions of operating systems. In the past if you were running in a simulated setting it was fairly easy to tell that you were doing so because, for example, the system would feel a big sluggish at times, such as when you open the Start menu. That sluggishness may soon be a thing of the past. There are other ways to tell if you are in that environment, but they may not be readily apparent to the average user.

 

Of course, actually getting the machine into that kind of configuration is not as simple as most exploits. For one thing, the user is already in a regular, non-virtual setting when they connect to the Internet. In order for something like this to work, the computer would obviously have to be restarted, and booted off the protected, invisible operating system. It would also have to present a completely familiar and consistent environment to the user after doing so.

 

And even then, many analysts believe that it will still be possible to detect the virtual environment. And if that's the case, routines could be built into anti-spyware and/or anti-virus programs that could detect this. But there remains a problem here in that if the user is the actual owner of the system, then they are authorized to do things like run virtual sessions within a normal operating system. That being the case, you don't want to be constantly interrupted by your spyware program -- it defeats the very purpose of having this ability.

 

A lot remains to be seen here, but it's one of the more interesting debates/discussions in the hacker community at the moment. An interesting example of the discussion can be found in this article at Slashdot.

[radiohead]

Personally, I think that it is a little out of reach right now to do those types of things. They would still experience lag with the "fake" OS and hopefully would realise that something was wrong.

[Ndi]

Suggested approach is *extremely* complex and takes a lot of code to make it work properly. While this could fool a regular user, it's unlikely it will ever be able to pose a real threat. It's just that there are WAY easier ways to get a hold of a password. Such as a rootkit. There are rootkits out there that are rated "undetectable". So why bother sandboxing an entire OS?