31/07/2012

'Rakshasa': The Malware Infection Designed To Be Undetectable And Incurable

A sculpture of a Rakshasa, the Hindu demon from which Jonathan Brossard's malware experiment takes its name.

Malicious software, like all software, gets smarter all the time. In recent years it’s learned to destroy physical infrastructure, install itself through Microsoft updates, and use human beings as physical “data mules,” for instance. But researcher Jonathan Brossard has innovated a uniquely nasty coding trick: a strain of malware that’s nearly impossible to disinfect. At the Black Hat security conference in Las Vegas Thursday, Brossard plans to present a paper (PDF here) on “Rakshasa,” a piece of proof-of-concept malware that aims to be a “permanent backdoor” in a PC, one that’s very difficult to detect and even harder to remove. Like some other tenacious malware strains, Rakshasa infects the computer’s BIOS, the firmware that boots its operating system and initializes other system components. But it also takes advantage of a potentially vulnerable aspect of traditional computer architecture: any peripheral, such as a network card, CD-ROM drive, or sound card, can write to the computer’s RAM or to the small regions of memory allocated to any of the other peripherals. So Brossard has given Rakshasa, whose name comes from that of a mythological Indian demon, the ability to infect all of them. And if the BIOS or network card is disinfected, for instance, it can be reinfected from any one of the other compromised components.

In order to disinfect the computer, “you would need to flash all the devices simultaneously,” says Brossard, founder of the French security consultancy Toucan System. “It would be very difficult to do. The cost of recovery is probably higher than the cost of the laptop. It’s probably best to just get rid of the computer.” Rakshasa, which Brossard first suggested in a less-developed form at a Paris conference last spring, is built from innocuous open-source BIOS software such as Coreboot and SeaBIOS. Brossard says that makes it compatible with more machines’ hardware than proprietary software would, and also means that antivirus isn’t likely to detect it. It’s programmed to download all the malicious code it uses after the machine boots up, and after antivirus is disabled, in the form of a fake PDF file over an SSL-encrypted Wi-Fi connection, and then to keep that code in memory rather than on the hard drive, so it never leaves a trace that might be caught by forensic analysis. Just how Rakshasa would infect a computer in the first place isn’t exactly Brossard’s focus. He posits that a Chinese manufacturer might install it before it ever reaches a customer’s hands, a real problem given the complex supply chains in most computers’ past. “The whole point of this research is to undetectably and untraceably backdoor the hardware,” he says. “What this shows is that it’s basically not practical to secure a PC at all, due to legacy architecture. Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.”

A spokesperson for Intel, the company as close as any to being responsible for the architecture of modern PC hardware, says it has reviewed Brossard’s paper, and dismisses it as “largely theoretical,” writing that “there is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines, which require any changes to the BIOS to be cryptographically signed. And it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.” But Brossard argues that today only a small percentage of computers require code signing for their BIOS. He admits that the attacker would need control of the computer before installing Rakshasa, which is not much comfort given his concern about manufacturers installing a piece of ultra-stealthy malware. And Intel’s claim that there is “no new vulnerability” exploited by Brossard’s work? He agrees. “It’s not a new vulnerability,” he says. “It’s a problem with the architecture that’s existed for 30 years. And that’s much worse.”

Check out Brossard’s paper, which contains many other nasty malware tricks.

http://www.forbes.com/sites/andygreenberg/2012/07/26/meet-rakshasa-the-malware-infection-designed-to-be-undetectable-and-incurable/
