dont take the "blue pill"

lab :: new rootkit exploit

the blue pill

so i bet you haven’t heard about "the blue pill" exploit yet... so here's the basics. circa 2005, amd and intel started adding virtual machine functionality to the instruction set of the processors. the idea was having a virtual machine running natively on the processor, not an emulated one, which would cause an increase in speed. the virtual processor then switches to what's called “ring1 mode” which is like a basic user with limited privileges. In this mode, it can't touch any of the memory of the standard os, which is running in “ring0 mode”. this switch only happens when weird instructions go in that need to take advantage of the full cpu.

the blue pill code exploits this by loading a virtual machine that “hyperjacks” the hypervisor (the visor is the mechanism that controls the os switching). it then switches operating systems so that blue pill is moved into ring0 and your os (e.g. vista) moves into ring1. now you have an infected computer that can't even access the virus that's infecting it, and the whole thing is completely undetectable. this is a serious rootkit...

read more here and here