Blue Pill Rootkit – Undetectable Online Threat


Blue Pill is a proof-of-concept rootkit whose author claimed it could be made undetectable. It was demonstrated in 2006 on AMD hardware and has not been observed in the wild, so its practical existence outside laboratory/test conditions is in question; security researchers nevertheless treat it as a possible and serious class of threat, so it is wise to be aware of it.

What is Blue Pill?

It is a hypervisor-based system hijacker that works on a different level from ordinary malware: beneath the operating system rather than inside it. To understand this, it is necessary to have a basic overview of hypervisors. A hypervisor is the software layer that creates and runs virtual machines (VMs), each of which looks to the operating system inside it like a complete computer. Hardware support for this arrived in mainstream processors around 2005-2006, with Intel VT-x and AMD SVM (codename Pacifica); Blue Pill was built on the AMD SVM instructions. Most modern processors now carry virtualization extensions. For commercial networks this is a great advance: one physical machine can host many VMs, each with its own operating system, so the hardware's computing power is shared among many workloads instead of sitting idle, and the same technology underpins cloud computing. Though picture this: if a hacker could slide a thin hypervisor of his own underneath your running operating system, so that it kept working exactly as before while his code sat beneath it, unseen... this is what the Blue Pill rootkit was conceived to do.

The general idea was first published in 2006 by researchers from the University of Michigan and Microsoft Research at the IEEE Symposium on Security and Privacy in Oakland, California, under the name VMBR (Virtual Machine-Based Rootkit), in a paper describing their prototype SubVirt. It was then taken up by several firms and researchers, notably Joanna Rutkowska, who built and demonstrated Blue Pill at Black Hat in 2006 and named it after the pill in the film 'The Matrix' that leaves you inside the illusion. She was looking at what hardware virtualization makes possible and concluded that such a rootkit would be undetectable to the (then) current security products. Unlike existing malware, it would not need to patch the host system's kernel (the heart of the operating system), so it could evade conventional kernel-integrity checks: it operates between the operating system and the hardware. More than this, the rogue hypervisor occupies the most privileged level the processor offers, so it can intercept selected operations of the system below it (certain instructions, I/O and memory accesses) and decide what the operating system gets to see, while everything else runs on the real hardware at full speed, which is what makes a seamless takeover possible. If this is managed well, both the 'earthly' system and its user are oblivious to the control above them. Scary, huh?

Prognosis for a Blue Pill Invasion

Most security experts are fairly confident that virtual-machine rootkits are not an imminent threat. Conventional user-mode and kernel-mode rootkits are adequate for most attackers' needs, while a hypervisor take-over requires great skill, processor-specific code and far more development time. It has been noted that even confirmed state-sponsored attacks on security systems have been carried out with conventional, existing kinds of rootkits, so home systems are unlikely to face a Blue Pill in the near future; such advanced methods are more likely to be reserved for high-value corporate targets first.

Conclusion and Protection

What makes Blue Pill potentially invisible, its strength, is also its weakness. Before the rogue hypervisor can be installed, the attacker must already have kernel-level (ring 0) code execution on the target, for instance by loading a malicious driver; the original Blue Pill did exactly that. This is the same foothold a conventional kernel rootkit needs, so preventing that access (patching, least privilege, driver signing) is the best defence. The published reports also state that Blue Pill was not persistent: it lived only in memory, so it would have to be re-introduced after each boot, giving another chance to catch it on re-entry. A related experimental rootkit, SubVirt, was built by researchers to survive reboots, but to do so it had to alter the hard drive so that its virtual-machine monitor loaded before the original operating system, leaving it open to offline detection (inspecting the disk from clean boot media). Finally, 'undetectable' was never accepted uncritically: other researchers pointed out that a hypervisor cannot hide the time it costs, because instructions such as CPUID always trap into the hypervisor and back, and timing those instructions reveals its presence, although a determined hypervisor can try to falsify the cycle counter it lets the guest read.
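As an added example (not from this article and not Rutkowska's Blue Pill code), here is the timing check that critics of the undetectability claim relied on, written in C, alongside the cooperative CPUID "hypervisor present" bit for comparison. It assumes an x86/x86-64 machine with a GCC- or Clang-compatible compiler; on other architectures the probes compile to stubs. The cycle threshold of 1000 is an assumed rule of thumb, not a published figure, and a rogue hypervisor that virtualizes the TSC can defeat this check.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid, __cpuid (GCC/Clang) */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0      /* other architectures: probes are stubs */
#endif

/* Assumed rule-of-thumb threshold: a native CPUID costs on the order of
 * 100-300 cycles, while a CPUID that traps into a hypervisor and back
 * costs well over 1000. Calibrate on known-clean hardware before use. */
#define VMEXIT_CYCLE_THRESHOLD 1000ULL

/* Probe 1: CPUID leaf 1, ECX bit 31, the "hypervisor present" flag.
 * Cooperative hypervisors (KVM, Hyper-V, VMware...) set it; a rogue
 * hypervisor such as Blue Pill would simply leave it clear, so 0 here
 * proves nothing and only a 1 is informative. */
int cpuid_hypervisor_bit(void)
{
#if HAVE_X86
    unsigned int eax = 0, ebx = 0, ecx = 0, edx = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    return (int)((ecx >> 31) & 1u);
#else
    return 0;
#endif
}

/* Probe 2: cycles spent in one CPUID, measured with RDTSC. Under SVM/VT-x
 * CPUID always causes a VM exit, so the hypervisor's entry/exit overhead
 * shows up in the measurement. Returns 0 on non-x86 builds. */
uint64_t time_cpuid_once(void)
{
#if HAVE_X86
    unsigned int eax, ebx, ecx, edx;
    uint64_t t0 = __rdtsc();
    __cpuid(0, eax, ebx, ecx, edx);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* Upper median of n samples (n >= 1); sorts v in place with insertion
 * sort, which is fine for the few hundred samples used here. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        uint64_t key = v[i];
        size_t j = i;
        while (j > 0 && v[j - 1] > key) {
            v[j] = v[j - 1];
            j--;
        }
        v[j] = key;
    }
    return v[n / 2];
}

/* Decision rule: the median (robust against interrupts and cache misses
 * that inflate a few samples) exceeds the threshold. Returns 1 if a
 * hypervisor is suspected, 0 otherwise (including for zero samples). */
int suspect_hypervisor(uint64_t *samples, size_t n, uint64_t threshold)
{
    if (n == 0)
        return 0;
    return median_u64(samples, n) > threshold;
}

/* Collects n timing samples into out[] and returns the verdict. */
int run_timing_probe(uint64_t *out, size_t n)
{
    time_cpuid_once();  /* warm-up: the first CPUID pays cold-cache costs */
    for (size_t i = 0; i < n; i++)
        out[i] = time_cpuid_once();
    return suspect_hypervisor(out, n, VMEXIT_CYCLE_THRESHOLD);
}

int main(void)
{
    uint64_t samples[256];
    int verdict = run_timing_probe(samples, 256);
    printf("CPUID hypervisor-present bit: %d\n", cpuid_hypervisor_bit());
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)median_u64(samples, 256),
           verdict ? "hypervisor suspected" : "looks native");
    return 0;
}
```

Run it once on bare metal and once inside a VM to see the gap; a clean machine typically reports a low three-digit median, while a virtualized one reports four digits. The median rather than the minimum or mean is used so that a handful of samples inflated by an interrupt do not swing the verdict.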

As software developers are anticipating the possibility of virtual rootkit attacks in the future, they are constantly working on preventative measures. In some versions of the legends about vampires, it is only possible for the evil one to enter your domain by invitation. Get the best software you can (with constant and reliable updates), build your walls high and keep your portals guarded. Make sure that the only things above you are clouds and blue sky – not a Blue Pill!

Daniel Stoyanov
Daniel Stoyanov has a Master's degree in Computer Science from the Technical University of Sofia, Bulgaria. He is also a Microsoft Certified Professional. Daniel provides top cyber security news with in-depth coverage of malware, vulnerabilities, PC and network security, and online safety. If you have any questions feel free to ask him right now.


