Difficult for PC viruses to stay invisible indefinitely

Security watchers say that while malware such as Rakshasa is stealthier and can stay well hidden in the firmware of hardware chips, it is difficult to deploy at scale and will eventually be detected.
Written by Ellyne Phneah, Contributor

Computer viruses are unlikely to stay completely undetectable indefinitely: such attacks are already known to the security industry, and work is under way to detect and eradicate even deeply embedded hardware-based backdoor malware. In time the virus will be eradicated too, debunking the notion of an invulnerable virus, say observers.

The idea for such a virus came to prominence in August when Jonathan Brossard, CEO and security research engineer at Toucan System, demonstrated "Rakshasa", a deeply embedded backdoor installed on the BIOS chip of a PC's motherboard or in the firmware of other hardware components such as network cards.

According to him, because the backdoor resides in motherboard and peripheral firmware rather than on disk, antivirus software cannot see it, and it survives the usual steps IT staff take to clean up a badly infected PC, such as wiping or replacing the drive.

To demonstrate this, Brossard said he tested Rakshasa against 43 different antivirus programs and none of them flagged the malware as dangerous. "Even if you change your hard drive or change your operating system (OS), you're still very much going to be [affected by the virus]," he said in a report by MIT's Technology Review.

When contacted to elaborate more on how the virus works, Brossard pointed ZDNet Asia to his research paper instead.

Not so stealthy, scalable
Very specific conditions have to be met for Rakshasa to be installed on a person's PC and remain hidden indefinitely, though, noted David Harley, senior research fellow at ESET. He said the cybercriminal needs access to the PC's supply chain at some point in order to install the malware and gain control of the device. Alternatively, it could be installed by malware already present on the PC, Harley explained.

"Essentially, this is a proof of concept and not a universal property of malware," Harley said. "Even if viruses such as Rakshasa work in principle, it will not go that far."

Hardware preloaded with backdoors is not new to the security industry either, and industry professionals have been working on countering firmware-based threats for many years, the ESET researcher added.

To minimize the risk of hardware-related vulnerabilities, Harley advised companies to not buy hardware from sources they do not trust.

Ondrej Vlcek, CTO at Avast, also pointed out that installing Rakshasa is hard to scale and ultimately not worth the effort for most cybercriminals. Compared with traditional software-based attacks, deploying it is relatively difficult, he said.

"It is true that certain exploits may not be detectable using conventional tools. But the effort to implement such exploits is high, and in pretty much all cases, absolutely not worth it," Vlcek said.

He added that larger companies with bigger, more sophisticated security systems do have ways to detect such backdoors, even though they are stealthier than conventional malware. These tools cost more than regular tools such as antivirus, though, he noted.
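The kind of check such tooling performs is not spelled out in the article, so here is an added example of one, written for this page and not code from Brossard, Toucan System or any of the vendors quoted. Rakshasa's network-card component lives in a PCI expansion ROM, and the expansion ROM image format (a 0x55AA header, a pointer at offset 0x18 to a "PCIR" data structure, lengths in 512-byte units, a zero byte-sum for x86 images) is public, so a defender can enumerate every image in a firmware dump and compare it against a golden manifest taken from a trusted unit. The ROM blobs, the vendor/device IDs (0x1234/0x5678) and the golden hash set below are constructed inline; nothing is read from real hardware.

```python
"""Enumerate the PCI expansion ROM images in a firmware dump and flag any
image whose hash is not in a known-good manifest. Sample data is constructed
here, not taken from a real card."""
import hashlib
import struct


def build_option_rom(vendor_id, device_id, code_type, last, payload):
    """Build one legacy PCI expansion ROM image (constructed test data).

    Layout per the PCI Firmware Specification: 0x55AA signature, size in
    512-byte units at offset 2, entry point at offset 3, pointer to the
    PCIR block at offset 0x18. x86 (code_type 0) images must sum to zero.
    """
    pcir_off = 0x1C
    body = bytearray(pcir_off + 0x18 + len(payload))
    body[0:2] = b"\x55\xAA"
    body[3:6] = b"\xEB\xFE\x90"             # entry point: jmp $; never executed here
    struct.pack_into("<H", body, 0x18, pcir_off)
    size_units = -(-len(body) // 512)       # round up to whole 512-byte units
    body[2] = size_units
    # PCIR: sig, vendor, device, VPD ptr, length, rev, class code (base 0x02 =
    # network controller, stored low-to-high), image len, code rev, code type,
    # indicator (bit 7 = last image in chain), reserved
    struct.pack_into("<4sHHHHB3sHHBBH", body, pcir_off, b"PCIR", vendor_id,
                     device_id, 0, 0x18, 0, b"\x00\x00\x02", size_units, 1,
                     code_type, 0x80 if last else 0, 0)
    body[pcir_off + 0x18:] = payload
    body += b"\x00" * (size_units * 512 - len(body))
    body[-1] = (-sum(body[:-1])) & 0xFF     # checksum byte: total sum mod 256 == 0
    return bytes(body)


def parse_option_roms(blob):
    """Walk the image chain in a dump and describe each image found."""
    images, off = [], 0
    while off + 0x1A <= len(blob) and blob[off:off + 2] == b"\x55\xAA":
        pcir = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        if blob[pcir:pcir + 4] != b"PCIR":
            raise ValueError(f"image at {off:#x}: PCIR structure missing")
        vendor_id, device_id = struct.unpack_from("<HH", blob, pcir + 4)
        units = struct.unpack_from("<H", blob, pcir + 0x10)[0]
        code_type, indicator = struct.unpack_from("<BB", blob, pcir + 0x14)
        image = blob[off:off + units * 512]
        images.append({
            "offset": off,
            "vendor_id": vendor_id,
            "device_id": device_id,
            "code_type": code_type,          # 0 = x86 BIOS, 3 = EFI
            "length": len(image),
            "checksum_ok": sum(image) & 0xFF == 0,
            "sha256": hashlib.sha256(image).hexdigest(),
        })
        if indicator & 0x80:                 # last image: stop walking
            break
        off += units * 512
    return images


def audit_dump(dump, golden_hashes):
    """Return every image in the dump that is not in the golden manifest."""
    return [img for img in parse_option_roms(dump)
            if img["sha256"] not in golden_hashes]


# Constructed sample: a single vendor boot ROM, hashed on a trusted unit.
VENDOR_ROM = build_option_rom(0x1234, 0x5678, 0, True, b"vendor PXE boot code")
GOLDEN = {hashlib.sha256(VENDOR_ROM).hexdigest()}

# A re-flashed card: the same vendor image now chains (last-image bit cleared)
# into a second x86 image. Vendor/device IDs and checksums are all still valid,
# so only the hash comparison tells the two dumps apart.
TAMPERED_ROM = (build_option_rom(0x1234, 0x5678, 0, False, b"vendor PXE boot code")
                + build_option_rom(0x1234, 0x5678, 0, True, b"extra image not in manifest"))

if __name__ == "__main__":
    for img in audit_dump(TAMPERED_ROM, GOLDEN):
        print(f"unexpected image at {img['offset']:#06x}: "
              f"{img['vendor_id']:04x}:{img['device_id']:04x} "
              f"type={img['code_type']} sha256={img['sha256'][:16]}...")
```

On Linux a card's expansion ROM can be read through sysfs (write 1 to the device's `rom` attribute under /sys/bus/pci/devices/, then read it back), and the motherboard BIOS region with a flasher such as flashrom; pass the resulting bytes to audit_dump. Two caveats a practitioner should keep in mind: IDs and checksums in the tampered dump above are all well formed, so only comparison against a baseline taken from trusted hardware catches the extra image; and firmware that has already been subverted can misreport its own contents to software running above it, so a read taken with an external programmer is a stronger check than one taken from inside the booted system.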

Alexandru Catalin Cosoi, chief security researcher at BitDefender, added that a patch is always found for every known vulnerability in the end, so it is only a matter of time before a fix for Rakshasa is developed and released to the masses.
