
Mikko Hyppönen had played right into the malware writers'
hands. But what could he do? The chief research officer at
F-Secure was one of many researchers who had worked hard to
spot the weaknesses in the
Mbroot trojan, one of the first pieces of malware to rekindle
an old, but effective, stealth attack.
"The authors had released a limited distribution of Mbroot to
small audiences, so the antivirus companies would see it," says
Hyppönen. "And so we started to figure out how to detect it."
Mbroot was a tough nut to crack. The malware writers, working as
far apart as Italy, Russia and the Ukraine, had developed code that
would write its files to the MBR (master boot record) - the sector
of the hard drive the computer looks at first when it tries to boot
the operating system.
The program also writes its own backdoor trojan to another
supposedly unreadable part of the hard drive. It patches the
Windows loader so that as well as loading the kernel, it also loads
another driver in an area of the disc that would otherwise not be
used by any files. It then intercepts the system's attempts to look
at the contents of the MBR and returns the original contents, which
are stored elsewhere on the disc.
"It is very hard to detect things like that, because whatever
executes first has the upper hand," says Hyppönen. F-Secure and
others came up with various techniques. They checked the area of
the disc where they knew Mbroot stored the copy of the original MBR
that it overwrote. They compared the drivers being used in memory
for both the hard drive and the CD-ROM drive. In
Windows XP they are normally the same, but Mbroot patched the
hard drive driver with its own modified code.
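The two checks just described, a cross-view comparison of the MBR and a sweep of the unused sectors before the first partition for stashed data and a copy of the original MBR, as an added example over a constructed disk image. This is illustrative code, not F-Secure's tool; the sector layout (first partition at LBA 63, stashed bytes at LBA 32, MBR copy at LBA 60) and the boot-code bytes are constructed for the example.

```python
import struct

SECTOR = 512

def parse_mbr(sector):
    """Return (boot_signature_ok, [(type, start_lba, sector_count), ...])."""
    sig_ok = sector[510:512] == b"\x55\xaa"
    parts = []
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type byte; 0 means unused slot
            parts.append((entry[4], start_lba, count))
    return sig_ok, parts

def cross_view_mismatch(os_view, raw_view):
    """True when the MBR reported through the OS differs from a raw read (e.g. offline image)."""
    return bytes(os_view) != bytes(raw_view)

def scan_gap(image):
    """Inspect the unallocated sectors between the MBR and the first partition."""
    _, parts = parse_mbr(image[:SECTOR])
    first_lba = min(start for _, start, _ in parts)
    nonzero, mbr_copies = [], []
    for lba in range(1, first_lba):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if any(sec):  # this gap is normally all zeros on a clean disk
            nonzero.append(lba)
            ok, ps = parse_mbr(sec)
            if ok and ps:  # a stashed copy of a valid-looking MBR
                mbr_copies.append(lba)
    return {"first_lba": first_lba, "nonzero_sectors": nonzero, "mbr_copies": mbr_copies}

def make_mbr(boot_code, start_lba=63, count=2097152):
    """Constructed MBR with one active type-0x07 partition starting at LBA 63."""
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    sec[446:462] = bytes([0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", start_lba, count)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

CLEAN_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")   # constructed original boot stub
HOOKED_MBR = make_mbr(b"\xea\x00\x7c\x00\x00\x90\x90\x90")  # constructed altered boot code

def build_infected_image():
    """Constructed 63-sector image: altered MBR, stashed bytes at LBA 32, original MBR copy at LBA 60."""
    img = bytearray(HOOKED_MBR) + bytearray(SECTOR * 62)
    img[32 * SECTOR:32 * SECTOR + 64] = b"\xcc" * 64
    img[60 * SECTOR:61 * SECTOR] = CLEAN_MBR
    return bytes(img)
```

On a live system the "OS view" would come from the hooked driver, which returns the clean sector, while the raw view comes from an offline image or a second read path; a mismatch plus a stashed MBR copy in the gap is the signature the researchers looked for.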
"We shipped standalone tools to detect the MBR rootkit, and we
played into their hands," he recalls. "That is what they expected
us to do." As soon as the malware writers worked out what the
researchers were doing, they re-engineered the code to avoid the
fixes. The security suppliers knew this would happen, but they
still had to analyse the malware and develop countermeasures - that
is what they do.
Sign of the times
Malware developers have not always been this smart. Such
product testing with the security research community constitutes a
level of quality assurance you would not normally see in the
malware world, but things have changed in recent years. Malware
writers used to enjoy making their presence known when joke
payloads were all the rage. Teens writing viruses in their bedrooms
revelled at the prospect of teasing their targets. Viruses did
anything from ejecting CD trays at random moments, through to
formatting hard drives out of pure spite. But after 2004, when
malware writers started producing code for profit rather than for
fun, it became imperative to conceal their code for long
periods.
That generation became adept at writing viruses that would evade
detection. But when Windows was introduced, it took a while for
them to get their heads round the new system. "Windows viruses
appeared in 1995, and it took them two or three years to evolve to
the point where stealth technology was introduced," says Graham
Cluley, senior technology consultant at
Sophos.
These days, with most modern malware trying to hide itself and
generate profit for its perpetrators for as long as possible,
stealth technology is the rule, rather than the exception. The most
effective form of stealth attack is the rootkit, which conceals its
presence by cloaking key files and processes so the operating
system cannot see them.
"Once the rootkit is in there, it is sometimes months before
anti-virus software catches up with it," says Don Jackson, director
of threat intelligence at managed security service provider
SecureWorks.
There are several kinds of rootkit, ranging from the firmware
rootkit up to library or user-level versions. "They started as user
mode because they are easier to implement," says Cluley. "User-mode
rootkits rely on intercepting and patching Windows libraries."
Anti-virus software finds it relatively easy to detect user-mode
rootkits. Kernel-mode rootkits are harder to spot because they run at
a lower level of the operating system stack, in the kernel space.
This is why the kernel became such a bone of contention when
Microsoft released its PatchGuard technology, which restricted
programmes from patching the kernel. This potentially stopped rootkits
from accessing the kernel, but also threatened anti-virus products.
The MBR attack is an old trick, originating with viruses such as
Stoned
in the 1980s. It may be an old one, but it still works. Hyppönen
says F-Secure can detect Mbroot, but cannot cleanse a disc infected
by the program. Other old techniques that are being rekindled by
malware writers include polymorphism, which changes the binary
footprint of viruses to try to thwart signature detection
algorithms, and parasitic malware, which attaches itself to other
programmes in a bid to hide itself.
Cat and mouse
But in the cat-and-mouse game between attackers and researchers,
malware does not rely purely on old techniques to hide its
presence. Anyone who loads their data first has the upper hand,
which means stealth attacks are a race to the bottom of the
operating system's stack, as code tries to load itself as early as
possible in the operating system's boot process.
This quest for prior execution has made
virtualisation a hot button for malware writers and their
adversaries. In a virtualised system, a small software layer called
a hypervisor sits beneath the operating system, running directly on
the central processing unit (CPU). Legitimate users would run
several operating systems simultaneously on top of a single
hypervisor, switching between them at will. In a virtualised
rootkit attack, a malicious hypervisor would insert itself beneath
the operating system and reload it as a virtual machine. The
operating system would then be under the control of the malware,
which would be able to intercept and manipulate anything the guest
system tried to do.
Joanna Rutkowska's Blue Pill proof-of-concept source code -
originally released in 2006 and updated in 2007 - was supposed to
be able to do this without being detected. But various experts have
disputed this, including engineers at AMD, which provides
processor-level virtualisation support.
Cloak and dagger
While experts debate how low in the stack rootkits can go, there
are even more methods attackers can use to hide themselves. More
and more malware writers now hide their files in streams -
essentially files within files that can be used to hold
information useful to the operating system. An .exe file's stream
might contain information detailing whether it was downloaded from
the internet, for example. These hidden files are perfect places
for malware to hide. "When these arrived, most scanning engines had
no idea they existed," says Hyppönen.
Other malware tries to reduce its visibility by randomising its
attacks to make them less consistent. Cluley recalls a rootkit on
the Apache web server that would include some obfuscated JavaScript
on every tenth page served. The script would try to install malware
in the background. Because the script did not show up all the time,
and because it was randomised to be different every time, it was
very hard to detect, he says.
Other malware will try to minimise its footprint on the system,
or will not write any files to the machine's hard drive at all.
Downloader-enabled malicious code is becoming increasingly popular
among malware suppliers. A small downloader will be installed on a
computer and will assess the system's protection mechanisms before
downloading the main payload.
"The best way not to be discovered is simply not to persist on
the machine," says SecureWorks' Jackson. He has discovered rootkits
in Apache systems that existed entirely in memory. "You could
reboot the server and the attacker would scan the machine and do
the same exploit again."
What if stealth attacks fail and malware gets detected? Is the
game over for the malware authors? Not at all, says Jackson - their
software can still do significant damage as it tries to cover its
tracks. Some malware will check for a "heartbeat", pinging a
command and control server at regular intervals. If this is not
found - a signal, perhaps, that an administrator has reconfigured a
firewall - the program might then use HTTP traffic to check a
certain web page for a key phrase. If the key phrase is not found,
it interprets it as a signal to "go nuclear". Jackson explains: "If
it misses the heartbeat, it will format your hard drive."
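A defender's view of the heartbeat described above: the regular interval that lets the malware notice a blocked channel is also what makes the beacon stand out in proxy logs. The following is an added example, not from the article or any vendor; the log format, hosts and 300-second interval are constructed, and the coefficient-of-variation threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <client_ip> <destination_host>"
SAMPLE_LOG = """\
2008-03-01T10:00:00 10.0.0.5 c2.example.invalid
2008-03-01T10:00:02 10.0.0.5 www.example.com
2008-03-01T10:05:00 10.0.0.5 c2.example.invalid
2008-03-01T10:07:41 10.0.0.5 www.example.com
2008-03-01T10:10:00 10.0.0.5 c2.example.invalid
2008-03-01T10:15:01 10.0.0.5 c2.example.invalid
2008-03-01T10:16:30 10.0.0.5 www.example.com
2008-03-01T10:20:00 10.0.0.5 c2.example.invalid
"""

def parse_log(text):
    """Group request timestamps by (client, destination)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair

def beacon_candidates(text, min_hits=4, max_cv=0.1):
    """Flag pairs whose inter-request gaps are nearly constant (low coefficient of variation)."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        if len(times) < min_hits:  # too few requests to judge regularity
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0  # 0 means perfectly periodic
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "interval_s": round(avg), "cv": round(cv, 3)})
    return hits
```

Because the article notes that a missed heartbeat can trigger a destructive payload, a flagged pair is a prompt to investigate and preserve the host before the channel is cut, not merely to drop the connection.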
Variations on the theme include making the malware execute a
ransomware payload, encrypting crucial files on the hard drive, and
demanding payment via a Western Union bank transfer in return for
the decryption key. Using such methods, code finding itself unable
to execute its payload can at least render its algorithms
unanalysable, or extort a final couple of hundred dollars from the
victim.
So, as rootkits install themselves via the MBR and become
increasingly difficult to find, are we nearing the final frontier?
At some point, surely, a malware writer will install software at a
low enough level that it will become entirely undetectable. We are
not at that stage yet, says Hyppönen. Attackers could install
rootkits in the BIOS, for example. "They are flashable, after all,"
he says. "It would need serious research effort from the bad boys,
but the bad news is that they can afford to invest in their
attacks."
Malware writers have already progressed from rudimentary coding
techniques to a level of expertise that rivals that of some
commercial software houses. To gauge the level of resource the
authors of Mbroot had invested in the system, Hyppönen asked his
company's programming team how much time they would need to write
something similar.
"They did some math, and they said 'four months for 10 guys',"
he recalls. Stealth attacks may be covert, but there is one thing
the perpetrators cannot hide, and that is the expertise and the
funding they must have at their disposal.
Originally published in Infosecurity magazine