Difficult for PC viruses to stay invisible indefinitely

Summary: Security watchers say that while malware such as Rakshasa is stealthier and can stay well hidden in hardware chips, it is often difficult to implement and will eventually be detected.

It is unlikely that computer viruses can stay completely undetectable indefinitely, as such attacks are already known to the security industry and efforts are ongoing to detect and eradicate even deeply embedded hardware-based backdoor malware. In time, the virus will also be eradicated, thus debunking the notion of an invulnerable virus, say observers.

The idea for such a virus came in August when Jonathan Brossard, CEO and security research engineer at Toucan System, demonstrated the "Rakshasa" virus which is a deeply embedded backdoor installed on the BIOS chip on a PC's motherboard or other hardware components such as network cards.

According to him, since the virus resides within motherboard chips, it remains undetectable by antivirus software and resilient to the common clean-up processes used by IT staff looking to disinfect a badly-infected PC.

To demonstrate this, Brossard said he tested Rakshasa using 43 different antivirus programs and none of them flagged the malware as dangerous. "Even if you change your hard drive or change your operating system (OS), you're still very much going to be [affected by the virus]," he said in a report by MIT's Technology Review.

When contacted to elaborate more on how the virus works, Brossard pointed ZDNet Asia to his research paper instead.

Not so stealthy, scalable
Very specific conditions will have to be met for the Rakshasa malware to be installed on a person's PC and remain hidden indefinitely, though, noted David Harley, senior research fellow at ESET. He said the cybercriminal will need access to the PC's supply chain at some point in order to install the malware and gain control of the device. Alternatively, it could be installed by other malware already present on the PC, Harley explained.

"Essentially, this is a proof of concept and not a universal property of malware," Harley said. "Even if viruses such as Rakshasa work in principle, it will not go that far."

Hardware preloaded with backdoors is not new to the security industry either, and industry professionals have been working on countering such firmware-based threats for many years, the ESET executive added.

To minimize the risk of hardware-related vulnerabilities, Harley advised companies to not buy hardware from sources they do not trust.

Ondrej Vlcek, CTO at Avast, also pointed out the effort to install Rakshasa is oftentimes difficult to scale and ultimately not worth the effort for many cybercriminals. Compared to traditional software-based attacks, implementing Rakshasa is relatively difficult and not scalable, he said.

"It is true that certain exploits may not be detectable using conventional tools. But the effort to implement such exploits is high, and in pretty much all cases, absolutely not worth it," Vlcek said.

He added that for larger companies with bigger, more sophisticated security systems, there are ways to detect such backdoor malware, even though it is stealthier than conventional malware. These security tools will cost more than regular tools such as antivirus, though, he noted.
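One of the detection approaches alluded to above is firmware integrity checking: comparing a dump of the BIOS/SPI flash against a vendor-supplied golden image whose hash is published out of band. The following is an added illustration, not code from the article or from any vendor named in it; the golden image, its hash and the tampered dump are all constructed in the script, and the 4 KiB block granularity is an assumption standing in for a typical flash erase block.

```python
import hashlib

BLOCK = 4096  # assumed comparison granularity (typical SPI flash erase block)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def modified_blocks(golden: bytes, dumped: bytes, block: int = BLOCK) -> list:
    """Return (offset, length) for every block where the dump differs from the golden image."""
    if len(golden) != len(dumped):
        raise ValueError("image size mismatch: %d vs %d bytes" % (len(golden), len(dumped)))
    diffs = []
    for off in range(0, len(golden), block):
        if golden[off:off + block] != dumped[off:off + block]:
            diffs.append((off, min(block, len(golden) - off)))
    return diffs


def verify_firmware(golden: bytes, dumped: bytes, expected_golden_sha256: str) -> dict:
    """Validate the golden image against its published hash, then compare the dump to it.

    A golden image that fails its own hash check is untrusted, so no block
    comparison is reported in that case: the verdict is simply 'cannot verify'.
    """
    golden_ok = sha256_hex(golden) == expected_golden_sha256
    changed = modified_blocks(golden, dumped) if golden_ok else []
    return {
        "golden_hash_ok": golden_ok,
        "dump_matches": golden_ok and not changed,
        "changed_blocks": changed,
    }


# Constructed sample data: a 64 KiB "golden" image of repeating filler bytes,
# its hash (standing in for the vendor-published value), and a copy of the
# image with 16 bytes overwritten inside block 8 (offset 0x8000).
GOLDEN_IMAGE = bytes(range(256)) * 256
GOLDEN_SHA256 = sha256_hex(GOLDEN_IMAGE)
_tampered = bytearray(GOLDEN_IMAGE)
_tampered[0x8000:0x8010] = b"\x00" * 16
TAMPERED_IMAGE = bytes(_tampered)

if __name__ == "__main__":
    print(verify_firmware(GOLDEN_IMAGE, GOLDEN_IMAGE, GOLDEN_SHA256))
    print(verify_firmware(GOLDEN_IMAGE, TAMPERED_IMAGE, GOLDEN_SHA256))
```

A dump read through the running operating system can be falsified by a resident implant, so the comparison is only meaningful when the flash contents are read with an external programmer or attested by a hardware root of trust such as measured boot.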

Alexandru Catalin Cosoi, chief security researcher at BitDefender, added that a patch will always be found for every known vulnerability, so it is only a matter of time before a patch for Rakshasa is developed and released for the masses.

About

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.