Malware and Firmware Trojans

Contents

  • 1 Malware
    • 1.1 The Importance of a Malware Free System
    • 1.2 The Utility of Antivirus Tools
    • 1.3 Preventing Malware Infections
    • 1.4 Detecting Malware Infections
    • 1.5 Watering Hole Attacks
  • 2 Firmware Trojans
    • 2.1 Virtualizers and Hardware Compromise
    • 2.2 The Promise of Libre Firmware
  • 3 References

Malware[edit ]


The Importance of a Malware Free System[edit ]

Malware has malicious intent and can potentially: [1]

  • View and take snapshots of the desktop.
  • Peruse files and folders.
  • Gain access to protected data when decrypted.
  • Exfiltrate, corrupt or destroy data (particularly financial and personal information).
  • Damage operating system functionality.
  • Encrypt the contents of a drive(s) and demand payment for decryption (ransomware).
  • Display unwanted advertising.
  • Install unwanted software.
  • Install persistent rootkits or backdoors.
  • Track browsing and other behaviour.
  • Remotely turn on webcams and microphones.
  • Create "zombie" computers which form part of a botnet for spam email, DDOS attacks or the hosting of illicit / illegal material.
  • Record everything a user types, sends and receives.

[edit ]

Antivirus products and personal firewalls are not drop in solutions for a secure host. Malware can often stay undetected and evade scans, while application level personal firewalls are often circumvented. [2] Polymorphic code and rootkits essentially render antivirus products helpless. [3] [4]

Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system's kernel, since they almost always run with administration level privileges. [5] Antivirus software also harms privacy by sending system files back to the company servers for analysis.[6] The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be viewed. [7]

Preventing Malware Infections[edit ]

The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the Internet, and using hypervisors (virtualizers) to isolate software that processes untrusted data.

Detecting Malware Infections[edit ]

Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause. If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Tailored malware might also get detected by a technician, but the likelihood is low unless they are lucky or gifted.

Non-technical users do not have many good options. They can either:

  • Spend a few years to rapidly increase their knowledge base of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
  • Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success. [8] [9]
  • Or seek the voluntary assistance of a technician to find malware, if they are both a high value target and have a reasonable rationale for why they are likely compromised. [10]

Watering Hole Attacks[edit ]

It should be noted that advanced malware can infect a user's computer via a Watering Hole Attack. This vector has similarities to the software version of a Supply Chain Attack , and these methods are not mutually exclusive: [11]

A watering hole attack is a malware attack in which the attacker observes the websites often visited by a victim or a particular group, and infects those sites with malware. A watering hole attack has the potential to infect the members of the targeted victim group. Although uncommon, a watering hole attack does pose a significant threat to websites, as these attacks are difficult to diagnose.

In the case of (Qubes-)Whonix users, any future attempt would logically target hosted content on GitHub, SourceForge, various forum locations, mirrors, popular documentation links, and frequently visited security and anonymity sites like Tails, The Tor Project and so on. [12] The hope is that developers, contributors and general users of the software become infected with stealthy malware that is immune to detection.

The attack involves a few steps: [11] [13]

  1. Zero-day or other vulnerabilties target the website software.
  2. Malicious JavaScript or HTML are most often used to inject malicious programming code.
  3. The code redirects visitors to a different site that serves "malvertisments" or malware masquerading as legitimate software.
  4. Once installed, the malware can infect various members of the targeted group.

It should be noted that advanced adversaries are capable of gaining knowledge about the behavioral patterns of target groups -- where they congregate, topics of research, related interests, and handle mapping of anonymous networks. This generic browsing and membership knowledge, along with observed security practices, greatly narrows the number of specific sites that need be targeted and the suitable attack mode. One way to mitigate this threat is to rigorously inspect websites for malicious code.

Interested readers can learn about six recent watering hole attacks targeting the US, China, banks and other entities here.

Firmware Trojans[edit ]


Firmware infections should not be confused with hardware/circuit trojans, which are malicious modifications made to machine components during the manufacturing process. Despite their sophistication, circuit trojans are not immune to detection. [14]

Virtualizers and Hardware Compromise[edit ]

Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware. Running all activities inside VMs is a very reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution.

No distribution of Linux, BSD, Xen or any other variant can solve the issue of needing to dispose of potentially infected hardware. Hardware-specific issues can really only be fixed at the hardware level. At best, software interventions can only provide workarounds.

The Promise of Libre Firmware[edit ]

The problem is no hardware exists that consists of entirely Libre firmware. It is very difficult to analyze the firmware of hardware, wipe potentially compromised versions, or overwrite firmware with a most-likely-clean version .

Even if a user wholly depended on Libre firmware, this would only make verification easier but it could not stop infection. Disassembling hardware components -- BIOS, disk controllers, CPU, Intel AMT and so on -- and flashing them with clean versions offline is extremely difficult. It is simply cheaper and more convenient to buy new hardware.

The bundling of undesirable anti-features like DRM in closed firmware is further evidence that Libre firmware is needed, in addition to Libre hardware designs.

A hypothetical stateless computer [15] [16] would solve the problem of malware persistence, but it still could not protect against the damage (data-exfiltration) caused by successful exploitation.

References[edit ]

  1. https://en.wikipedia.org/wiki/Malware
  2. https://www.grc.com/lt/leaktest.htm
  3. https://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/
  4. A botnet author brags in this thread of writing unbeatable malware and trolling antivirus vendors.
  5. https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/
  6. https://www.schneier.com/blog/archives/2017/10/more_on_kaspers.html
  7. https://bugs.chromium.org/p/project-zero/issues/detail?id=978
  8. ↑ The salary costs for a security researcher / malware analyst over an extended period rule this out for most individuals.
  9. ↑ https://forums.whonix.org/t/document-recovery-procedure-after-compromise/3296/12
  10. ↑ Only a select group of people fall into this group, for instance, whistleblowers targeted and infected by tailored viruses. Experts might be located who are willing to conduct analysis pro bono; later publicizing their findings for the public benefit.
  11. ↑ 11.0 11.1 https://www.techopedia.com/definition/31858/watering-hole-attack
  12. ↑ More commonly attacks favor banks, large organizations and government offices due to the obvious political and profit motives.
  13. https://en.wikipedia.org/wiki/Watering_hole_attack
  14. https://en.wikipedia.org/wiki/Hardware_Trojan#Detecting_Hardware_Trojans
  15. https://blog.invisiblethings.org/2015/12/23/state_harmful.html
  16. https://github.com/rootkovska/state_harmful/blob/master/state_harmful.md

No user support in comments. See Support .

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy .

Random News:

Want to get involved with Whonix? Check out our Contribute page.

https | (forcing ) onion

Share: |

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix , then Edit ! Edits are held for moderation.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy , Cookie Policy , Terms of Service , and E-Sign Consent . Whonix is provided by ENCRYPTED SUPPORT LP. See Imprint .

Similar Articles:

Google Play has dropped 22 malware: Uninstall these apps – Tech Lapse

Google Play has dropped 22 malware: Uninstall these apps – Tech Lapse

How to Prevent Spyware

How to Prevent Spyware

Testing your web browser for cryptojacking

Testing your web browser for cryptojacking

Researchers Find Google Play Store Apps Were Actually Government Malware

Researchers Find Google Play Store Apps Were Actually Government Malware