Sunday, April 29, 2012

Malware Myths

Undetectable rootkits, irremovable malware, firmware bootkits surviving multiple drive wipes: I read about all these subjects on a regular basis, and I will dedicate this blog post to these so-called malware myths in the hope that it helps you get a better idea of what is possible (and, most importantly, what is not possible) when it comes to malware.

First of all, undetectable malware doesn't exist. Simply put, if we can't find it, it only means we aren't searching well enough. Since no piece of malicious software can exist on thin air, it will have a stored component somewhere (this can range from code in a patched file to a sophisticated encrypted file system). While this stored component can be very hard to detect (after all, a hard disk is a large place to hide stuff), it is not impossible, and in the worst case a wipe of the drive will always remove it, no matter how sophisticated. If malware returns afterwards, it is time to check the removable/backup media or the network/router the computer connects to.

Firmware malware
Firmware is typically a small piece of software coded directly into a device (for example a video card or DVD writer) that is necessary for the device to function correctly. This code is highly device-dependent; different manufacturers and different models all require specific firmware. For that reason a firmware infection is not only highly unlikely but also very impractical for a malware writer. Someone who wants to create a successful infection not only needs to make sure the malware stays on the system (by making it harder to detect and delete), but also that it is distributed on a large scale. Deploying a firmware rootkit on a large scale is close to impossible, as you'd have to write a lot of different versions for different hardware models.

BIOS malware
This form of malware certainly exists and infects the BIOS firmware. The malicious code can be removed by flashing the BIOS or resetting the BIOS. However, I have never seen such an infection in the wild. Furthermore, while the BIOS firmware is a pretty good place to hide, the only BIOS rootkit out there (Mebromi) has plenty of signs and can easily be identified on an infected computer. As already explained above, the real problem consists of the various firmware versions there are. Mebromi targets Award BIOS only, which makes distribution difficult. Combine that with the fact that it is easy to spot due to other components of the infection (see article) and you have to reach the conclusion that, although it is a very advanced piece of malware and may be tricky to remove (in the worst case you need to open up your computer and reset the BIOS manually by removing the CMOS battery), diagnosing that this infection is on board will not be more difficult than diagnosing an average MBR rootkit.

RAM resident malware
I can be short about this one: malware surviving in RAM during a power-off is technically impossible. Yes, a malicious loaded driver could in theory still be retrieved from RAM using a so-called cold boot attack, but from there to a rootkit that launches from within RAM is a long way to go. Due to the way RAM is designed it is physically impossible to store the launch code for a rootkit there.

Finally, not every weird symptom is automatically caused by malware. If you suspect suspicious network activity or see suspicious files and processes, be sure to research them. Look up the IP addresses you see as well as the associated port numbers, search for information on files, and don't believe everything you read on the internet. You'll find that just about every file on your computer is listed somewhere as infected. It is very important to determine how trustworthy a site offering information on files is.
An infection usually comes with clear symptoms: redirects, pop-ups, fake messages, extreme slowness and so on. "Weird behavior" is not enough to conclude that your computer is infected, especially not after one or more reformats/reinstalls.

"I still don't believe you and I want to know how to reformat and reinstall my computer in such a way that all possible malware is gone."

  1. Make sure your computer is not on a network and power it off. Reset your router and reformat all removable storage devices you have (including mp3 players, cameras).
  2. Clear the CMOS.
  3. Delete all partitions on your hard disk(s) and reformat using DBAN.
  4. Turn your computer off after deleting the partition(s) and reformatting the disk(s) for about 5 minutes.
  5. Turn your computer on and reinstall using a legal Windows CD/DVD. Alternatively, use a free Linux OS, which will not get infected at all.

Friday, February 3, 2012

Why I don't recommend Linux rescue CDs

Most AV vendors offer one free for download these days: a <fill in the AV name here> Rescue CD. The idea behind it? Scan your computer without booting into Windows, which can come in handy when malware is actively preventing removal (for example by blocking the tools you try to run, or by refusing to be deleted easily). It is also offered as an option to clean a system that will no longer boot into Windows at all.

In theory that all sounds nice enough; in practice, however, there are a few serious problems. A Rescue CD is based on the (open source) Linux operating system kernel. That also leads to the first problem: a Linux OS can mount an NTFS partition (which is the file system Windows uses) just fine. However, it can't load the Windows Registry as easily. There are some Linux-based tools that can be used to access and modify the registry manually, but the registry cannot be loaded remotely as would be necessary for a scan. This means that the antivirus or antispyware scanner included on the rescue CD will scan the file system, but not the registry. Many types of malware use the registry in order to launch. For example, a Run value that points to baddie.exe will load baddie.exe as soon as Windows has started and the user has logged on. Both the file and the Run value that loads it are bad and need to go. However, the rescue CD will only detect and delete the file. So, on the next reboot Windows will still attempt to load baddie.exe but will no longer be able to find it. This will usually not cause a problem when it concerns a Run value (in the worst case the user of the computer will get an annoying error pop-up on each boot), but it may have much graver consequences when it concerns other registry locations.

A classic example is the Userinit value. Some (older) infections used to add a file to that value, resulting in the so-called logon-logoff loop if the file is removed without adjusting the value correctly. While it is not impossible to recover such a computer, it isn't exactly simple.
Another, more current, example is the 64-bit version of the ZeroAccess rootkit, which hijacks the Windows value in the HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems key so that it will attempt to load the rootkit component consrv.dll instead of the legitimate winsrv.dll file. If a scanner deletes consrv.dll without adequately adjusting the Windows value data, the computer will no longer boot and will instead display a 0xc0000135 BSOD. Luckily most 64-bit Windows versions nowadays have the Recovery Environment pre-installed, which makes recovering from this error a lot simpler, but it still involves a relatively complex registry edit.
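Both problems above (a value left pointing at a deleted file, and a hijacked ServerDll entry in the SubSystems Windows value) can be checked before a scanner is allowed to delete anything. The following is an added Python example, not the author's or any vendor's tool; it assumes the value data has already been dumped as strings from the offline hive with one of the Linux registry tools mentioned above, and all sample values and file paths in it are constructed.

```python
import re

# Server DLLs a stock Vista/7 SubSystems\Windows value loads (older: no sxssrv).
EXPECTED_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

def unexpected_server_dlls(subsystems_windows_value):
    """ServerDll module names outside the expected set. With the x64 ZeroAccess
    hijack from the post, the entry that normally names winsrv points at consrv
    instead, so 'consrv' is returned and the value needs repairing before
    consrv.dll is deleted."""
    modules = re.findall(r"ServerDll=([^:,\s]+)", subsystems_windows_value)
    return sorted({m.lower() for m in modules} - EXPECTED_SERVER_DLLS)

def executable_of(command_line):
    """Program path of a Run/Userinit entry: a quoted path ends at the closing
    quote, an unquoted one at its '.exe'; any arguments are dropped."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd

def orphaned_autostarts(values, existing_files):
    """values: {value_name: data} for Run-style values plus Userinit (a comma-
    separated list); existing_files: lowercase paths present on the mounted NTFS
    volume. Returns (value, path) pairs whose file is gone but value remains."""
    orphans = []
    for name, data in values.items():
        entries = data.split(",") if name.lower() == "userinit" else [data]
        for entry in entries:
            if entry.strip():
                path = executable_of(entry)
                if path.lower() not in existing_files:
                    orphans.append((name, path))
    return orphans

# Constructed sample data, not taken from a real machine.
SAMPLE_VALUES = {
    "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\baddie.exe,",
    "Updater": r'"C:\Program Files\Vendor\updater.exe" /background',
}
SAMPLE_FILES = {r"c:\windows\system32\userinit.exe",
                r"c:\program files\vendor\updater.exe"}
HIJACKED_SUBSYSTEMS = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=consrv:ConServerDllInitialization,2 ProfileControl=Off")
```

Running `unexpected_server_dlls(HIJACKED_SUBSYSTEMS)` yields `['consrv']`, and `orphaned_autostarts(SAMPLE_VALUES, SAMPLE_FILES)` flags the Userinit entry for baddie.exe, which is exactly the value that has to be fixed by hand before (or after) the file goes.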

Another issue you need to be aware of when scanning with a Rescue CD is the fact that any file can be deleted, even those that are critical Windows system files. Normally Windows Resource Protection will (attempt to) prevent the deletion of such files. In case a system file has become infected, it will need to be identified and replaced. Deletion will in many cases lead to unbootable or unusable systems.
There are many examples here; just a random one: if the 32-bit ZeroAccess rootkit infects i8042prt.sys (which is the keyboard/mouse PS/2 port controller) and this file is deleted using a rescue CD, the user of the computer will no longer be able to use their PS/2 mouse/keyboard. Both will be completely unresponsive once Windows is loaded.

Does that mean a rescue CD is totally useless? I don't think so; you can still use it to diagnose/detect the malware you are dealing with. To stick with the i8042prt.sys example, if a scanner detects it as infected you can then replace it manually using the rescue CD (browse to a clean copy and use that to replace the infected file).
My advice: if you want, use it, but use it wisely, and don't let it delete files but rather investigate what it detected and prepare a manual fix based on that. If you are not sure how to do that, then I recommend looking for help, as doing it yourself may very well worsen the state of your computer.