
Painting A Malware Background

Exclusive Interview: Going Three Levels Beyond Kernel Rootkits
By

Alan: If you could see me, my eyes would be rolling. Alright, since most of your research is on the bleeding edge of security, let me try to rush through an abridged history of malware for our readers. Interrupt me if you have anything to add. In the beginning, viruses were simple parasites that could only affect executable files...

Joanna: I should protest here about calling all of the file infectors "simple." Some of them were, in fact, extremely complex creatures, like those based on the Mistfall engine by Z0mbie.

Alan: Well, I’m thinking about the age before Dark Avenger/MtE. Stuff like Friday the 13th/Jerusalem. If I were to look at it, boot sector viruses were probably the first generational change in malware followed by MtE as the next generation. That’s probably the first time “signature-based” security should’ve been recognized as having a limited future. The next generational leap has to be something like Macro viruses. Not so much because it reflected cross-platform security, which in itself was novel, but because it reflected social engineering in malware and outside-the-box thinking. Social engineering because computers were mainstream and document sharing was more common than application sharing. More importantly though, it had been dogma that data files couldn’t infect a system and yet here was proof that they could. We still hear security dogma such as, “as long as you don’t open email attachments, you’ll be safe,” or “if you have all the latest security patches, you’ll be safe,” or even “if you use a Mac, you’re safe.” One of my favorite quotes? “Don't be trapped by dogma—which is living with the results of other people's thinking,” from Steve Jobs.

I don’t know where the other generational milestones are. ZMist’s code integration capability is probably a generational leap in itself, but it definitely isn’t the “beginning.”

Anyhow, going back to my story, when you ran an infected file, the virus stuck around in memory and then inserted a copy of itself into the next program that was run. If you never ran the infected file, your system would never be infected. To get around this, you had the boot sector virus. When you first turn on a PC, the BIOS looks for the boot sector in order to load the operating system. By hiding in this area, the virus loaded before the rest of the operating system did, and therefore could manipulate any sort of data. This was one of the first "stealthy" approaches to malware and was a design of the first PC virus.

Joanna: That is a bit incorrect. Back in the DOS OS there was no notion of any memory protection, so it was not needed for the virus to be loaded before the OS in order to control all of the OS--it could control the OS even if loaded later.

Alan: Sure, but if you had a terminate-stay-resident anti-virus scanner, loading the virus after the anti-virus would be detectable. The boot sector approach let the virus writer get “earlier” control, right?

Joanna: Correct.

Alan: So continuing on, while Windows ME and other DOS-based operating systems relied on the capabilities of the BIOS to handle disk access, Windows NT did not.

Joanna: DOS should not be confused with Windows 95/98/ME. Those latter systems did use protected mode, and had a notion of kernel memory protection. I'm also quite certain that those Windows 95-based systems didn't use BIOS interrupts, but rather drivers that did PIO/MMIO to the actual devices (just like all the current OSes do).

Alan: I thought that, although a boot sector virus could still cause damage (like format the disk prior to loading Windows), once Windows NT booted, it loaded its own protected mode drivers which bypassed the BIOS. Therefore, even though the BIOS was compromised by the boot sector virus, the protected mode drivers took a higher priority and bypassed the BIOS?

Joanna: Not quite. It has been demonstrated several times (for example, by Eeye's BootRoot) that it is possible for malware that was started from boot sector to survive the switch to protected mode (so, the start of Windows NT/2000/2003) and compromise this newly-started Windows.

Alan: You know, I should probably edit out this part of our conversation and make it look like I know what I’m talking about before this gets posted.

Joanna: I promise to keep mum.

Alan: I’ll actually keep it in. That’s the whole point of doing these interviews. Ninety-nine percent of the content we do is all in-house, but these interviews let us augment our knowledge with expertise we don’t have.

Fast forward to the present day. "Rootkits" are now the accepted term for malware that allows administrator-level functions. A user-level rootkit is something that affects a single program; imagine a compromised Internet Explorer or copy of Flash. Because the rootkit exists in "user space" an anti-virus has the ability to look down and identify the malware.

Joanna: More correctly, user-mode rootkits are the type of malware that operates in Ring 3 (user-mode). It's not limited to a single application and in many cases will infect all the user-mode processes, like the popular Hacker Defender did, including the system-level processes. A system-level process can, and usually is, a user-mode process, even though it is now owned by a user.

Top Comments
  • 11
    johnbilicki , July 16, 2009 6:46 AM
    truehighroller: I think she has very nice fat looking lips. xD


    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more than girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women, they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go elsewhere.
  • 11
    Anonymous , July 16, 2009 8:18 AM
    Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just have to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice.
Other Comments
  • 6
    johnbilicki , July 16, 2009 6:25 AM
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • 7
    Humans think , July 16, 2009 8:19 AM
    I also use Macs myself (also windows systems and linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :p 
    This woman knows what she is talking about, I think I am in love :) 
  • 3
    Anonymous , July 16, 2009 8:19 AM
    thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
    -austinmc
  • -1
    haplo602 , July 16, 2009 10:48 AM
    read the interview because I was curious about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do ? you have to implement a mini OS by yourself into the hypervisor to do anything useful (i.e. data collection), you need to read the FS, interrupt the network etc. the only useful thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the useful data is still on the same level as the AV protection (user space).
  • 6
    candide08 , July 16, 2009 12:48 PM
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • 5
    coolkev99 , July 16, 2009 12:58 PM
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each other's comments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • -1
    Anonymous , July 16, 2009 2:05 PM
    An interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make themselves out to be:
    http://en.wikipedia.org/wiki/Blue_Pill_(malware)
  • 0
    bounty , July 16, 2009 3:08 PM
    Wayne963, I'm not sure I get your point. They also made red pill and discussed at length in the interview about being able to detect a hypervisor, but that fingerprinting it would be a bitch.

    haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.
  • -7
    redeye , July 16, 2009 3:20 PM
    I find her hot!, but I have no chance (of course); that body was/now only satisfied by a girl!...
  • 0
    haplo602 , July 16, 2009 3:24 PM
    bounty: haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.


    well the issue is as I described. you cannot delete anything from outside the OS unless you ask the OS to do so. and once you do, the AV will catch it.

    taking control of the memory only enables you to see what others see. it's like network man-in-the-middle attacks. they too are not detectable (or very hard to do), yet you still have to decode the data you are capturing to use it and you have to interrupt the data stream with very accurate data to alter it. this only leads to content encryption being your last stop.

    look at DRM in Vista and expand it to all the data. what you get is a virtualised OS that is a blackbox for the rootkit. so you have control of the memory, but it's no use to you. simple and effective. of course there are performance hits etc., but this we already get with each new windows version :-))
  • -3
    thejerk , July 16, 2009 3:34 PM
    I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed.

    I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.
  • -3
    DarkMantle , July 16, 2009 3:55 PM
    thejerk +1 hahahaha, it was the same for me. I lost interest after that too.
  • 2
    Shadow703793 , July 16, 2009 4:09 PM
    This is so ironic. Talking of security, I spent the last 2 hours getting Bastille to work on SUSE. (lol, it should have been only 10 minutes, but my perl install went to dependency hell).

    For those that run Linux, it's a very good idea to get Bastille up and running. Also read: Hacking Linux Exposed 2nd ed

    Bastille: http://bastille-linux.sourceforge.net/
  • 4
    Shadow703793 , July 16, 2009 4:14 PM
    *damn the submit button and the lack of editing*

    Anyways, good to know a few people actually know what the hell they are talking about. These people should help the gov't because unlike most at the gov't these people have knowledge. (Cybersecurity any one? :lol:  Any one who uses that term should be wiped with CAT5e cable :p ).

    @Author: WTH is up with the Mac stuff?
  • 2
    222222 , July 16, 2009 4:54 PM
    In 2006 she claimed she created the 100% undetectable rootkit, Blue Pill. When invited to challenge, she rejected unless she is paid 400,000$ to do its rootkit better claiming this is "funny challenge".

    So she lied in order to get some publicity.

    - stupid claims
    - arrogant behavior
  • 0
    maximiza , July 16, 2009 6:26 PM
    222222 did she dump you or something? probably 400 g's is chump change to her. Look at D.C. I think in general if you have enough resources any I/O system can be compromised. Since people are imperfect their designs will always be imperfect. I had a Ti99/4a too, the speech programming was a blast.
  • 0
    Marcus52 , July 16, 2009 6:30 PM
    thejerk: I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed. I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.


    If that's all you got from her talk, then you are too clueless to get what she was talking about to begin with. It's good you didn't read the article because it clearly would have been a waste of your time.

    The important parts you missed were 1) OS X is no more secure than Windows, and both are more secure than Linux distros, and 2) She'd go with Windows and PC hardware over OS X and Apple's hardware choices unless aesthetics are more important to you than what Windows provides.

    If you are out to burst Apple's bubble, as I am, this article is an indictment of Apple's claims, not a fan-girl advertisement.