Mikko Hyppönen had played right into the malware writers' hands. But what could he do? The chief research officer at F-Secure was one of many researchers who had worked hard to spot the weaknesses in the Mbroot trojan, one of the first pieces of malware to rekindle an old, but effective, stealth attack.
"The authors had released a limited distribution of Mbroot to small audiences, so the antivirus companies would see it," says Hyppönen. "And so we started to figure out how to detect it."
Mbroot was a tough nut to crack. The malware writers, working as far apart as Italy, Russia and the Ukraine, had developed code that would write its files to the MBR (master boot record) - the sector of the hard drive the computer looks at first when it tries to boot the operating system.
The program also writes its own backdoor trojan to another supposedly unreadable part of the hard drive. It patches the Windows loader so that as well as loading the kernel, it also loads another driver in an area of the disc that would otherwise not be used by any files. It then intercepts the system's attempts to look at the contents of the MBR and returns the original contents, which are stored elsewhere on the disc.
"It is very hard to detect things like that, because whatever executes first has the upper hand," says Hyppönen. F-Secure and others came up with various techniques. They checked the area of the disc where they knew Mbroot stored the copy of the original MBR that it overwrote. They compared the drivers being used in memory for both the hard drive and the CD-Rom drive. In Windows XP they are normally the same, but Mbroot patched the hard drive driver with its own modified code.
"We shipped standalone tools to detect the MBR rootkit, and we played into their hands," he recalls. "That is what they expected us to do." As soon as the malware writers worked out what the researchers were doing, they re-engineered the code to avoid the fixes. The security suppliers knew this would happen, but they still had to analyse the malware and develop countermeasures - that is what they do.
Sign of the times
Malware developers have not always been this smart. Such product testing with the security research community constitutes a level of quality assurance you would not normally see in the malware world, but things have changed in recent years. Malware writers used to enjoy making their presence known when joke payloads were all the rage. Teens writing viruses in their bedrooms revelled at the prospect of teasing their targets. Viruses did anything from ejecting CD trays at random moments, through to formatting hard drives out of pure spite. But after 2004, when malware writers started producing code for profit rather than for fun, it became imperative to conceal their code for long periods.
That generation became adept at writing viruses that would evade detection. But when Windows was introduced, it took a while for them to get their heads round the new system. "Windows viruses appeared in 1995, and it took them two or three years to evolve to the point where stealth technology was introduced," says Graham Cluley, senior technology consultant at Sophos.
These days, with most modern malware trying to hide itself and generate profit for its perpetrators for as long as possible, stealth technology is the rule, rather than the exception. The most effective form of stealth attack is the rootkit, which conceals its presence by cloaking key files and processes so the operating system cannot see them.
"Once the rootkit is in there, it is sometimes months before anti-virus software catches up with it," says Don Jackson, director of threat intelligence at managed security service provider SecureWorks.
There are several kinds of rootkit, ranging from the firmware rootkit up to library or user-level versions. "They started as user mode because they are easier to implement," says Cluley. "User-mode rootkits rely on intercepting and patching Windows libraries."
Anti-virus software finds it relatively easy to detect user-mode rootkits because they run at a lower level of the operating system stack, in the kernel space. This is why the kernel became such a bone of contention when Microsoft released its Patchguard technology, which restricted programmes from patching the kernel. This potentially stopped rootkits from accessing the kernel, but also threatened anti-virus products.
The MBR attack is an old trick, originating with viruses such as Stoned in the 1980s. It may be an old one, but it still works. Hyppönen says F-Secure can detect Mbroot, but cannot cleanse a disc infected by the program. Other old techniques that are being rekindled by malware writers include polymorphism, which changes the binary footprint of viruses to try to thwart signature detection algorithms and parasitic malware, which attaches itself to other programmes in a bid to hide itself.
Cat and mouse
But in the cat-and-mouse game between attackers and researchers, malware does not rely purely on old techniques to hide its presence. Anyone who loads their data first has the upper hand, which means stealth attacks are a race to the bottom of the operating system's stack, as code tries to load itself as early as possible in the operating system's boot process.
This quest for prior execution has made virtualisation a hot button for malware writers and their adversaries. In a virtualised system, a small software layer called a hypervisor sits beneath the operating system, running directly on the central processing unit (CPU). Legitimate users would run several operating systems simultaneously on top of a single hypervisor, switching between them at will. In a virtualised rootkit attack, a malicious hypervisor would insert itself beneath the operating system and reload it as a virtual machine. The operating system would then be under the control of the malware, which would be able to intercept and manipulate anything the guest system tried to do.
Joanna Rutkowska's Blue Pill proof-of-concept source code - originally released in 2006 and updated in 2007 - was supposed to be able to do this without being detected. But various experts have disputed this, including engineers at AMD, which provides processor-level virtualisation support.
Cloak and dagger
While experts debate how low in the stack rootkits can go, there are even more methods attackers can use to hide themselves. More and more malware writers now hide their files in streams - essentially files within files, that can be used to hold information useful to the operating system. An .exe file's stream might contain information detailing whether it was downloaded from the internet, for example. These hidden files are perfect places for malware to hide. "When these arrived, most scanning engines had no idea they existed," says Hyppönen.
Other malware will try to minimise its footprint on the system, or will not write any files to the machine's hard drive at all. Downloader-enabled malicious code is becoming increasingly popular among malware suppliers. A small downloader will be installed on a computer and will assess the system's protection mechanisms before downloading the main payload.
"The best way not to be discovered is simply not to persist on the machine," says SecureWorks' Jackson. He has discovered rootkits in Apache systems that existed entirely in memory. "You could reboot the server and the attacker would scan the machine and do the same exploit again."
What if stealth attacks fail and malware gets detected? Is the game over for the malware authors? Not at all, says Jackson - their software can still do significant damage as it tries to cover its tracks. Some malware will check for a "heartbeat", pinging a command and control server at regular intervals. If this is not found - a signal, perhaps, that an administrator has reconfigured a firewall - the program might then use http traffic to check a certain web page for a key phrase. If the key phrase is not found, it interprets it as a signal to "go nuclear". Jackson explains: "If it misses the heartbeat, it will format your hard drive." Variations on the theme include making the malware execute a ransomware payload, encrypting crucial files on the hard drive, and demanding payment via a Western Union bank transfer in return for the decryption key. Using such methods, code finding itself unable to execute its payload can at least render its algorithms unanalysable, or extort a final couple of hundred dollars from the victim.
So, as rootkits install themselves via the MBR and become increasingly difficult to find, are we nearing the final frontier? At some point, surely, a malware writer will install software at a low enough level that it will become entirely undetectable. We are not at that stage yet, says Hyppönen. Attackers could install rootkits in the bios, for example. "They are flashable, after all," he says. "It would need serious research effort from the bad boys, but the bad news is that they can afford to invest in their attacks."
Malware writers have already progressed from rudimentary coding techniques to a level of expertise that rivals that of some commercial software houses. To gauge the level of resource the authors of Mbroot had invested in the system, Hyppönen asked his company's programming team how much time they would need to write something similar.
"They did some math, and they said 'four months for 10 guys'," he recalls. Stealth attacks may be covert, but there is one thing the perpetrators cannot hide, and that is the expertise and the funding they must have at their disposal.
Originally published in Infosecurity magazine
This was first published in July 2008