
Painting A Malware Background

Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

Alan: If you could see me, my eyes would be rolling. Alright, since most of your research is on the bleeding edge of security, let me try to rush through an abridged history of malware for our readers. Interrupt me if you have anything to add. In the beginning, viruses were simple parasites that could only affect executable files...

Joanna: I should protest here about calling all of the file infectors "simple." Some of them were, in fact, extremely complex creatures, like those based on the Mistfall engine by Z0mbie.

Alan: Well, I’m thinking about the age before Dark Avenger/MtE. Stuff like Friday the 13th/Jerusalem. If I were to look at it, boot sector viruses were probably the first generational change in malware followed by MtE as the next generation. That’s probably the first time “signature-based” security should’ve been recognized as having a limited future. The next generational leap has to be something like Macro viruses. Not so much because it reflected cross-platform security, which in itself was novel, but because it reflected social engineering in malware and outside-the-box thinking. Social engineering because computers were mainstream and document sharing was more common than application sharing. More importantly though, it had been dogma that data files couldn’t infect a system and yet here was proof that they could. We still hear security dogma such as, “as long as you don’t open email attachments, you’ll be safe,” or “if you have all the latest security patches, you’ll be safe,” or even “if you use a Mac, you’re safe.” One of my favorite quotes? “Don't be trapped by dogma—which is living with the results of other people's thinking,” from Steve Jobs.

I don’t know where the other generational milestones are. ZMist’s code integration capability is probably a generational leap in itself, but it definitely isn’t the “beginning.”

Anyhow, going back to my story, when you ran an infected file, the virus stuck around in memory and then inserted a copy of itself into the next program that was run. If you never ran the infected file, your system would never be infected. To get around this, you had the boot sector virus. When you first turn on a PC, the BIOS looks for the boot sector in order to load the operating system. By hiding in this area, the virus loaded before the rest of the operating system did, and therefore could manipulate any sort of data. This was one of the first "stealthy" approaches to malware and was a design of the first PC virus.

Joanna: That is a bit incorrect. Back in the DOS OS there was no notion of any memory protection, so it was not needed for the virus to be loaded before the OS in order to control all of the OS--it could control the OS even if loaded later.

Alan: Sure, but if you had a terminate-stay-resident anti-virus scanner, loading the virus after the anti-virus would be detectable. The boot sector approach let the virus writer get “earlier” control, right?

Joanna: Correct.

Alan: So continuing on, while Windows ME and other DOS-based operating systems relied on the capabilities of the BIOS to handle disk access, Windows NT did not.

Joanna: DOS should not be confused with Windows 95/98/ME. Those latter systems did use protected mode, and had a notion of kernel memory protection. I'm also quite certain that those Windows 95-based systems didn't use BIOS interrupts, but rather drivers that did PIO/MMIO to the actual devices (just like all the current OSes do).

Alan: I thought that, although a boot sector virus could still cause damage (like format the disk prior to loading Windows), once Windows NT booted, it loaded its own protected mode drivers which bypassed the BIOS. Therefore, even though the BIOS was compromised by the boot sector virus, the protected mode drivers took a higher priority and bypassed the BIOS?

Joanna: Not quite. It has been demonstrated several times (for example, by Eeye's BootRoot) that it is possible for malware that was started from boot sector to survive the switch to protected mode (so, the start of Windows NT/2000/2003) and compromise this newly-started Windows.

Alan: You know, I should probably edit out this part of our conversation and make it look like I know what I’m talking about before this gets posted.

Joanna: I promise to keep mum.

Alan: I’ll actually keep it in. That’s the whole point of doing these interviews. Ninety-nine percent of the content we do is all in-house, but these interviews let us augment our knowledge with expertise we don’t have.

Fast forward to the present day. "Rootkits" are now the accepted term for malware that allow administrator-level functions. A user-level rootkit is something that affects a single program; imagine a compromised Internet Explorer or copy of Flash. Because the rootkit exists in "user space" an anti-virus has the ability to look down and identify the malware.

Joanna: More correctly, user-mode rootkits are the type of malware that operates in Ring 3 (user-mode). It's not limited to a single application and in many cases will infect all the user-mode processes, like the popular Hacker Defender did, including the system-level processes. A system-level process can be, and usually is, a user-mode process, even though it is now owned by a user.
