Difficult for PC viruses to stay invisible indefinitely

Summary: Security watchers say that while malware such as Rakshasa are stealthier and can stay well hidden embedded in hardware chips, it is often difficult to implement and will eventually be detected.

It is unlikely that computer viruses can stay completely undetectable indefinitely, as such attacks are already known to the security industry and efforts are ongoing to detect and eradicate even deeply embedded hardware-based backdoor malware. In time, the virus will be eradicated too, debunking the notion of an invulnerable virus, observers say.

The idea for such a virus came in August when Jonathan Brossard, CEO and security research engineer at Toucan System, demonstrated the "Rakshasa" virus, a deeply embedded backdoor installed on the BIOS chip of a PC's motherboard or on other hardware components such as network cards.

According to him, because the virus resides in motherboard chips, it is undetectable by antivirus software and resilient to the usual procedures IT staff use to clean up a badly infected PC.

To demonstrate this, Brossard said he tested Rakshasa using 43 different antivirus programs and none of them flagged the malware as dangerous. "Even if you change your hard drive or change your operating system (OS), you're still very much going to be [affected by the virus]," he said in a report by MIT's Technology Review.

When contacted to elaborate more on how the virus works, Brossard pointed ZDNet Asia to his research paper instead.

Not so stealthy, scalable
Very specific conditions have to be met for the Rakshasa malware to be installed in a person's PC and remain hidden indefinitely, though, noted David Harley, senior research fellow at ESET. He said the cybercriminal will need access to the PC's supply chain at some point in order to install the malware and gain control of the device. Alternatively, it could be installed by malware already present on the PC, Harley explained.

"Essentially, this is a proof of concept and not a universal property of malware," Harley said. "Even if viruses such as Rakshasa work in principle, it will not go that far."

Hardware preloaded with backdoors is not new to the security industry either, and industry professionals have been working on countering such firmware-based threats for many years, the ESET executive added.

To minimize the risk of hardware-related vulnerabilities, Harley advised companies to not buy hardware from sources they do not trust.

Ondrej Vlcek, CTO at Avast, also pointed out that installing Rakshasa is difficult to scale and ultimately not worth the effort for many cybercriminals. Compared with traditional software-based attacks, implementing Rakshasa is relatively difficult and does not scale, he said.

"It is true that certain exploits may not be detectable using conventional tools. But the effort to implement such exploits is high, and in pretty much all cases, absolutely not worth it," Vlcek said.

He added that larger companies with bigger, more sophisticated security systems have ways to detect such backdoor malware, even though it is stealthier than conventional malware. These security tools cost more than regular tools such as antivirus, though, he noted.

Alexandru Catalin Cosoi, chief security researcher at BitDefender, added that a patch is always found for every known vulnerability, so it is only a matter of time before a patch for Rakshasa is developed and released to the masses.

Topics: Malware, Hardware, Security

Ellyne Phneah

About Ellyne Phneah

Elly grew up on the adrenaline of crime fiction and it spurred her interest in cybercrime, privacy and the terror on the dark side of IT. At ZDNet Asia, she has made it her mission to warn readers of upcoming security threats, while also covering other tech issues.

Talkback

2 comments
  • Blackboxing spy code

    The more complex a system becomes, the easier it is to hide bad behavior and inefficiencies in it, be it a government agency or a computer OS. However, if you know beforehand what behavior you can expect given the initial conditions and if everything worked properly, then you can in theory look for inconsistencies in that behavior as a clue that things are not quite what they are supposed to be.

    Even if you don't know the initial conditions or what behavior to expect, however, you can still look at the existing behavior of a system from the outside as you would a black box, and then by using the coding equivalent of the old Norton/Thévenin theorems, you can reverse engineer the behavior into a code equivalent that would ID even the stealthiest of bugs since the bug has to behave like a bug at some point to be of any use. (Like there is no such thing as a "perfect spy" since a spy can only pretend to be someone else and blend in so far without ceasing to be a spy with ulterior motives and actions, and instead actually becoming the person it was only supposed to pretend to be.)

    Reverse engineering complex, black box systems to find "spy code" is a bit of a practical problem with the way Windows-type systems are designed with all their messy and proprietary interconnections. But Linux-type systems where things are much more modular, including being able to isolate the kernel and BIOS for reverse behavior analysis, are a different matter: in this case you do have access to initial conditions and expected behavior, which can then be compared to any inconsistencies in what the reverse behavior analysis shows.
    JustCallMeBC
  • planned obsolescence

    I wouldn't doubt in companies like Microsoft, or even Siemens, creating vulnerabilities in their software/hardware on purpose. Microsoft created the COFEE tool to make it easier for law enforcement to lift information without much effort; Windows 8 machines with locked UEFI will probably have a way to be circumvented for policing efforts ... and it won't take long for hackers to have the same capabilities. Siemens, on the other hand, can ship hardware with vulnerabilities to places like Iran for their nuclear program (to take their money and sabotage their goals) and pretend like it didn't know about the problems when they crop up; all they need to do is ship new hardware with different vulnerabilities to keep the ball rolling.
    Vapur9