Catch me if you can

Danny Bradbury looks to the cat and mouse game that researchers and attackers are playing to see who’s coming out on top
Graham Cluley, Sophos

Mikko Hyppönen had played right into the malware writers' hands. But what could he do? The chief research officer at F-Secure was one of many researchers who had worked hard to spot the weaknesses in the MBRoot trojan, which was one of the first pieces of malware to rekindle an old, but effective, stealth attack.

"The authors had released a limited distribution of MBRoot to small audiences, so that the antivirus companies would see it. And so we started to figure out how to detect it," Hyppönen says.

MBRoot was a tough nut to crack. The malware writers, working as far apart as Italy, Russia and the Ukraine, had developed code that writes its files to the master boot record (MBR), the sector of the hard drive that the computer reads first when it tries to boot the operating system.

The program also writes its own backdoor trojan to another supposedly unreadable part of the hard drive. It patches the Windows loader so that in addition to loading the kernel, it also loads another driver in an area of the disk that would otherwise not be used by any files. It then intercepts the system's attempts to look at the contents of the MBR and returns the original contents, which are stored elsewhere on the disk.

"It's very hard to detect things like that, because whatever executes first has the upper hand," says Hyppönen. F-Secure and others came up with various techniques. They checked the area of the disk where they knew that MBRoot stored the copy of the original MBR that it overwrote. They compared the drivers being used in memory for both the hard drive and the CD-ROM drive. In Windows XP they are normally the same, but MBRoot patched the hard drive driver with its own modified code.

"We shipped standalone tools to detect the MBR rootkit, and we played into their hands. That is what they expected us to do," he recalls. As soon as the malware writers worked out what the researchers were doing, they re-engineered the code to avoid the fixes. The security vendors knew this would happen, but they still had to analyse the malware and develop countermeasures — that’s what they do.

Sign of the times

Malware developers haven’t always been this smart. This product testing with the security research community constitutes a level of quality assurance that you wouldn't normally see in the malware world, but things have changed in the last few years. Malware writers used to enjoy making their presence known, when joke payloads were all the rage. Teens writing viruses in their bedrooms reveled at the prospect of teasing their targets. Viruses did everything from ejecting CD trays at random moments, through to formatting hard drives out of pure spite. But after 2004, when malware writers started producing code for profit rather than for fun, concealing their code for long periods of time became imperative.

That generation of virus writers became adept at writing viruses that would evade detection. But when Windows was introduced, it took a while for them to get their minds around the new system. "Windows viruses appeared in 1995, and it took them two or three years to evolve to the point where stealth technology was introduced," says Graham Cluley, senior technology consultant at Sophos.

These days, with most modern malware trying to hide itself and generate profit for its perpetrators for as long as possible, stealth technology is the rule, rather than the exception. The most effective form of stealth attack is the rootkit, which conceals its presence by cloaking key files and processes so that the operating system can't see them.

"Once the rootkit is in there, it's sometimes months before anti-virus software catches up to it," says Don Jackson, director of threat intelligence at managed security service provider SecureWorks.

There are several kinds of rootkit, ranging from the firmware rootkit, up to the library or user-level one. "They started as user mode because they're easier to implement. User-mode rootkits rely on intercepting and patching Windows libraries," says Cluley.

Anti-virus software finds user-mode rootkits relatively easy to detect, because the anti-virus engine itself runs at a lower level of the operating system stack, in kernel space. This is why the kernel became such a bone of contention when Microsoft released its PatchGuard technology, which restricted programs from patching the kernel: it potentially stopped rootkits from reaching the kernel, but it also threatened anti-virus products.

The MBR attack is an old trick, originating with viruses such as Stoned, in the eighties. It may be an old one, but it still works - Hyppönen said that F-Secure can detect MBRoot, but can't cleanse a disk infected by the program. Other old techniques that are being rekindled by malware writers include polymorphism, which changes the binary footprint of viruses to try and thwart signature detection algorithms, and parasitic malware, which attaches itself to other programs in a bid to hide itself.

Cat and mouse

In the cat and mouse game between attackers and researchers, malware doesn't rely purely on old techniques to hide its presence. Whoever loads their code first has the upper hand, meaning that stealth attacks are a race to the bottom of the operating system's stack, as malicious code tries to load itself as early as possible in the operating system's boot process.

This quest for prior execution has made virtualisation a hot button for malware writers and their opponents. In a virtualised system, a small software layer called a hypervisor sits underneath the operating system, running directly on the CPU. Legitimate users would run several operating systems simultaneously on top of a single hypervisor, switching between them at will. In a virtualised rootkit attack, a malicious hypervisor would insert itself under the operating system and reload it as a virtual machine. The operating system would then be under the control of the malware, which would be able to intercept and manipulate anything that the guest system tried to do.

Joanna Rutkowska's Blue Pill proof-of-concept source code (originally released in 2006 and updated in 2007) was supposed to be able to do this without being detected. Various experts, including engineers at AMD, which provides processor-level virtualisation support, have disputed this.

Cloak and dagger

But while experts debate how low in the stack rootkits can go, there are even more methods that attackers can use to hide themselves. An increasing number of malware writers now hide their files in streams: essentially files within files, which can be used to hold information useful to the operating system. A .exe file's stream might contain information detailing whether it was downloaded from the internet, for example. These hidden files are perfect places for malware to hide. "When these arrived, most scanning engines had no idea they existed," Hyppönen says.
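
As an added example, not code from the article or from any of the vendors quoted in it: a PowerShell script (assumes PowerShell 3.0 or later on a Windows NTFS volume) that walks a directory, lists every alternate data stream other than the file's default `:$DATA` stream, and flags streams that start with an "MZ" executable header, so a defender can see exactly what a scan of ordinary file contents would miss.

```powershell
# Added example, not from the article: enumerate NTFS alternate data streams (ADS)
# under a directory and flag any that begin with the "MZ" executable header.
# Assumes PowerShell 3.0+ on Windows with an NTFS volume.
param([string]$Root = ".")

function Get-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * lists every stream; ':$DATA' is the file's ordinary contents.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
                $streamPath = "$($file.FullName):$($_.Stream)"
                $header = ''
                try {
                    # .NET opens "file:stream" paths directly; read the first two bytes.
                    $fs = [System.IO.File]::OpenRead($streamPath)
                    $buf = New-Object byte[] 2
                    $null = $fs.Read($buf, 0, 2)
                    $fs.Close()
                    $header = [System.Text.Encoding]::ASCII.GetString($buf)
                } catch { $header = '?' }
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream
                    Length     = $_.Length
                    Executable = ($header -eq 'MZ')
                }
            }
    }
}

$streams = Get-AlternateStreams -Path $Root
$streams | Sort-Object Executable, Length -Descending | Format-Table -AutoSize
# Zone.Identifier streams are the "downloaded from the internet" mark the article
# mentions; anything else, especially an MZ-headed stream, deserves a proper scan.
```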

Other malware tries to reduce its visibility by randomising its attacks to make them less consistent. Cluley recalls a rootkit on the Apache web server that would include some obfuscated JavaScript on every tenth page served. The script would try to install malware in the background. Because the script didn't show up all the time, and because it was randomised to be different every time, it was very hard to detect, he says.

Other malware will try to minimise its footprint on the system, or won’t write any files to the machine’s hard drive at all. ‘Scoutware’ is becoming increasingly popular among malware vendors. A small downloader will be installed on a computer, and will assess the system’s protection mechanisms before downloading the main payload.

“The best way not to be discovered is simply not to persist on the machine,” says SecureWorks’ Jackson. He has discovered rootkits in Apache systems that existed entirely in memory. “You could reboot the server, and the attacker would scan the machine and do the same exploit again.”

What if stealth attacks fail, and malware gets detected? Is the game over for the malware authors? Not at all, says Jackson - their software can still do significant damage as it attempts to cover its tracks. Some malware will check for a ‘heartbeat’, pinging a command and control server at regular intervals. If this isn’t found — a signal, perhaps, that an administrator has reconfigured a firewall — the program might then use HTTP traffic to check a certain web page for a key phrase. If the key phrase is not found, the malware interprets that as a signal to ‘go nuclear’. “If it misses the heartbeat, it'll format your hard drive,” Jackson says. Variations on the theme include making the malware execute a ransomware payload, encrypting crucial files on the hard drive and demanding payment via a Western Union bank transfer in return for the decryption key. Using such methods, code that finds itself unable to execute its payload can at least render its algorithms unanalysable, or extort a final couple of hundred dollars from the victim.

So, as rootkits install themselves via the MBR and become increasingly difficult to find, are we nearing the final frontier? At some point, surely, a malware writer will install their software at a low enough level that it will become entirely undetectable? We’re not there yet, says Hyppönen. Attackers could install rootkits in the BIOS, for example. “They're flashable, after all,” he says. “It would need serious research effort from the bad boys, but the bad news is that they can afford to invest in their attacks.”

Malware writers have already progressed from rudimentary coding techniques to a level of expertise that rivals that of some commercial software houses. To gauge how much resource the authors of MBRoot had put into the system, Hyppönen asked his company’s programming team how much time they’d need to write something similar.

“They did some math, and they said, ‘four months for ten guys’,” he recalls. Stealth attacks may be covert, but there’s one thing the perpetrators can’t hide, and that’s the expertise and the funding that they must have at their disposal.
