You catch 'em, we kill 'em

How I would write a perfect virus

Posted: 26-Nov-2008 19:36

As someone who deals with virii / viruses / crapware every day I try to keep abreast of new developments.

Recently I ran into the work of Joanna Rutkowska, who had created a 'Blue Pill' rootkit as a sample of an undetectable rootkit / virus infection. While the papers referenced above are more than my decaffeinated brain can handle before lunch, the concept is beautiful, elegant in its approach and almost completely undetectable using today's AV systems (almost!!!)

In short, an attacking system infects a Vista machine, virtualises the running Vista system on the fly (i.e. turns it into a virtual machine) and then sits underneath the ensnared Vista OS doing its thing. Since virtualisation is supposed to be undetectable to the host, the only way Blue Pill could be detected is if the virtualisation itself is detectable. This means a running AV on the Vista machine only sees a clean Vista system running, as the rootkit exists below the hardware level via virtualisation.

While the concept code and idea have been demonstrated, it is currently limited to compromising a system that is not rebooted. The Blue Pill rootkit method will not survive a cold reboot as it currently stands, as it infects on the fly, virtualises a 'hot running machine' and never places a code footprint on the hard drive / storage area. While this may sound limiting, the current Blue Pill methodology states that many infected machines don't restart on a regular basis for a couple of reasons:
1 - Vista users tend to send their PCs to sleep or hibernate and only rarely completely shut the PC down to force a cold boot.
2 - Servers rarely shut down (sigh - pity I can't start an Apple, Linux, Windows, AS400, AIX flame war here) so are ideal attack targets and often hold high value information, making them good exploitation targets.
The lack of restart means the ability to survive a reboot is not as required for modern malware.

Lessons learned so far:
1 - Shut your PC down completely on a regular basis - many spyware / crapware instances nowadays have no code footprint on the hard drive as they exploit live machines on the fly and only ever exist in memory space.
2 - Watch your external firewalls well - they may be the only sign of an infection in your system as no one has yet spoofed third party firewall logs on the fly to disguise outbound traffic.

So it got me thinking - hard / cold rebooting systems removes this undetectable Blue Pill rootkit. If I ruled the ware'ld how would I write my virus.

1 - Virtualisation is cool - it takes a very sophisticated check to detect you are trapped in a virtualised system (comparing timings based on certain low level hooks, calls and process cycles to perform particular actions). Many of those checks can also be spoofed / defeated.

2 - Surviving a cold reboot is required (after all, if rebooting a PC daily ensured the undetectable dies, I would do it for sure).

The obvious way to survive a cold reboot is to catch the system on boot up before the OS starts by having hard coded malware code on non-volatile storage (e.g. hard drive). However having your malware code on the hard drive defeats the in memory only approach which stops a spyware checking process from finding your foot prints on the system HDD.

So where to put the virus code so it is not on the compromised system's hard drive but is still hard coded on the system in order to survive a reboot? (Please note - I have considered going across the network (PXE style) to pull the virus back into the system again on the fly, but this either requires code to be stored on the compromised system that calls the live / network based exploit (pull style infection) or else the attacker to scan the victim's networks and re-infect on the fly every time a reboot is initiated (push style infection) on the previously compromised machine.)

Storing initial boot code is straightforward - compromise the BIOS and hard code an attack that repoints the boot code to ignore the real MBR / boot sectors and point to an infection instead. There are a couple of viruses in the wild that do infect the BIOS in order to gain control. However, they store their code on the hard drive, and so a third party scan of the hard drive (offline using BART PE, Linux Live, a USB cable to connect the HDD to a clean PC etc.) can detect the boot code / malware code which is called via the BIOS infection.

So where do we stand?

1 - The perfect virus / attack uses a Blue Pill style live / realtime virtualisation to take control by keeping the malicious code under the hardware level of a running OS via virtualisation
This renders it undetectable to a virus scanner on the compromised OS
It also means there is no code to be scanned on the hard drive via an offline / third party scan of the hard drive as the malicious code only exists in volatile storage (memory)
Real-time memory scans using antivirus systems also fail, as the virtualisation reports a RAM size smaller than the real RAM size and there is no AV in the world which scans a memory space larger / higher than the physical memory space of the physical (but really virtualised) PC

2 - Get the Blue Pill to survive rebooting by getting it to kick off via a compromised BIOS.

3 - Read the Blue Pill code off the hard drive, initiate virtualisation and then continue to boot using the real MBR / boot Sectors on the clean hard drive - but in a virtualised hardware environment.

Whoa!!! back dobbin - whatcha mean read the Blue Pill code off the hard drive. Putting it on the hard drive makes it susceptible to offline AV scans doesn't it and you don't want to put it on the partition where the clean (but jailed) OS resides.

Here is where the sneaky bit comes in.
The Blue Pill kit exists. There is even source code you can download to run and test yourself.
The BIOS virus exists - there is code you can download and modify yourself.
The ability to write on a hard drive without writing on the hard drive exists - if you think about it.

Every hard drive has to be formatted before being used.
The formatting puts the MBR / Boot Sector and formatted partitioning into play at some level.
However, every format (NTFS, DOS, FAT, EXT3, Reiser, HPFS ...) leaves a small unallocated area of the hard drive at the end of the physical drive. This area is not readable by third party AV checkers as it is an unformatted area. However, there is nothing to stop a seriously good piece of code using that area and saving data there without formatting it as a readable volume.

Here is how it would work.
BIOS starts on cold boot.
It contains just enough code to ignore the MBR / boot sector of the hard drive and move the read head of the drive to a specific sector / area of the hard drive which is marked unused.
The BIOS based start up code is just smart enough to read a single instruction (or two or three) from a specific spot on the hard drive and then read the next sector / area / HDD physical address to jump to and read.
When all the instructions are loaded from the unformatted space, the Blue Pill is running in memory, virtualisation takes place and the hard drive is booted from its official partitioned space using the OS volume.

In order to stop the unformatted / unallocated space on the hard drive being recognised as a piece of virus code, you only put an instruction or two at each readable area of the HDD (inside the unallocated space) and a jump location (random) to get the next instruction. This ensures the unallocated space still looks like random junk and data to any scanner clever enough to scan unallocated HDD space.

This type of code already exists and is actually described in a fascinating article about a mainframe developer who optimised his code by reading a sector / bit off the storage drum (pre hard drives) of the mainframe and then manually moving the read head to the next required location to get the next instruction, rather than storing his code sequentially in a standard file on a file system.

So there it is - The Cranky Old Man Taking a Blue Pill Virus / Rootkit concept. The code is all available out there on the net, each discrete step of the process has been performed in the past, and the only answer to beat this code is to protect your BIOS from write access, flash it if you feel paranoid and wipe your hard drive at a bit by bit, sector by sector, cylinder by cylinder level if you discover you are pwned by watching crud travel out via your firewall.
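A defender's check on the unallocated tail discussed above, as an added example that is not part of the original post: it parses the MBR partition table of a raw disk image and lists any non-zero sectors past the end of the last partition. It assumes 512-byte sectors and a plain MBR disk (no GPT, no extended partitions); the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte logical sectors


def partitions(mbr: bytes):
    """Return (start_lba, sector_count) for each used primary MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature (0x55AA)")
    found = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]                                  # partition type byte
        start, count = struct.unpack_from("<II", entry, 8)  # LBA start, length
        if ptype != 0 and count:
            found.append((start, count))
    return found


def audit_tail(image: bytes):
    """Report non-zero sectors between the last partition's end and the disk's end."""
    total = len(image) // SECTOR
    # With no partitions at all, everything after the MBR sector is the "tail".
    tail_start = max((s + c for s, c in partitions(image[:SECTOR])), default=1)
    dirty = [lba for lba in range(tail_start, total)
             if any(image[lba * SECTOR:(lba + 1) * SECTOR])]
    return {"tail_start": tail_start,
            "tail_sectors": max(total - tail_start, 0),
            "dirty": dirty}


def make_sample_image(total=64, start=8, count=48, junk_lba=None):
    """Constructed image: one NTFS-type partition, zeroed tail, optional junk byte."""
    img = bytearray(total * SECTOR)
    img[446:462] = struct.pack("<B3sB3sII", 0, b"\0\0\0", 0x07, b"\0\0\0", start, count)
    img[510:512] = b"\x55\xaa"
    if junk_lba is not None:
        img[junk_lba * SECTOR + 100] = 0xEB  # a single stray byte in one sector
    return bytes(img)


if __name__ == "__main__":
    print(audit_tail(make_sample_image()))             # clean tail
    print(audit_tail(make_sample_image(junk_lba=60)))  # one dirty tail sector
```

Non-zero tail sectors are a lead to examine, not proof of infection, since data from an older partition layout can linger there; zeroing that region after imaging gives a clean baseline for later comparison.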

A concept - thought and idea. It's probably got a hole or two in it somewhere but hey what do I care - I'm playing with ideas not actually writing this little beast (or am I .. hmmm ... what is reality really?).

Would love to hear from you if you like this idea / hate this idea / or even had the tenacity to read this far. Tell me I'm wrong and why. Bow down and hug my feet if you think I'm a guru. Visit me in prison when the paranoid androids we call our govt decide I might just be crazy and bright enough to write this little baby.

Next week - Life as an NSA Sponsored Surfer at Guantanamo Bay - or how to perm your chest hair using 12 volt car batteries and alligator clips in three easy steps.


Comment by kinsten, on 27-Nov-2008 18:16

Nice read, write a sci-fi book, please =) About hacking the computers/networks of tomorrow's future via time machine built from only moving parts.

Heard of a guy in America who wrote an article on how to hack systems, but never actually hacked anything, was sent to jail for life for being too dangerous. Were your final comments about this scenario?

nunz's profile

Shane Hollis
New Zealand

Shane started Virusbusters twelve years ago to provide fixed price IT support for home users.

Daily battles through the world of viruses, spammers and other malware have left an indelible impression on him, so he decided to try to give back some of the help he has received over time.

Hopefully crazy ideas, virus removal tips and other help can be found in this new blog. Who knows, it might even be worth reading one day.