of methods to determine when an attacker is at
work. “The development of EDR [software]
makes the black hat respond, and create kernel
URRWNLWV�DQG�¿UPZDUH�URRWNLWV��>VWRULQJ@�LW�LQ�
hardware where it can write to the master boot
record,” Knight says.
It’s also led to the creation of virtual rootkits,
which will boot before the operating system (OS),
creating a virtual machine (VM) for the malware
so that it can’t be detected by software running on
the OS. “That makes it almost impossible to
catch,” she said.
BLUE PILL MALWARE AND MORE
Fortunately, installing a virtual rootkit onto a
VHUYHU�LV�VWLOO�GL̇FXOW²WR�WKH�H[WHQW�WKDW�WKH�
attackers who are trying it are generally state-
sponsored. In addition, at least some of the
activities can be detected, and a few can be
VWRSSHG��.QLJKW�VD\V�WKDW�³¿OHOHVV�PDOZDUH ́�WKDW�
operates only in memory can be defeated by
IRUFLEO\�SRZHULQJ�R̆�WKH�FRPSXWHU�RQ�ZKLFK�
it’s running.
But Knight also said that such malware may be
accompanied by what’s called “Blue Pill
malware,” which is a form of virtual rootkit that
loads itself into a VM and then loads the OS into a
VM. This lets it fake a shutdown and restart while
letting the malware keep running. It’s why you
can’t just use the shutdown choice in Microsoft
Windows 10; only pulling the plug will work.
Fortunately, other types of hardware attacks can
sometimes be detected while they’re in progress.
Knight said that one company, SentinelOne, has
FUHDWHG�DQ�('5�SDFNDJH�WKDW¶V�PRUH�H̆HFWLYH�
@wrash
W
a
y
n
e
R
a
s
h
