Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

Painting A Malware Background

Alan: If you could see me, my eyes would be rolling. Alright, since most of your research is on the bleeding edge of security, let me try to rush through an abridged history of malware for our readers. Interrupt me if you have anything to add. In the beginning, viruses were simple parasites that could only affect executable files...

Joanna: I should protest here about calling all of the file infectors "simple." Some of them were, in fact, extremely complex creatures, like those based on the Mistfall engine by Z0mbie.

Alan: Well, I’m thinking about the age before Dark Avenger/MtE. Stuff like Friday the 13th/Jerusalem. If I were to look at it, boot sector viruses were probably the first generational change in malware followed by MtE as the next generation. That’s probably the first time “signature-based” security should’ve been recognized as having a limited future. The next generational leap has to be something like Macro viruses. Not so much because it reflected cross-platform security, which in itself was novel, but because it reflected social engineering in malware and outside-the-box thinking. Social engineering because computers were mainstream and document sharing was more common than application sharing. More importantly though, it had been dogma that data files couldn’t infect a system and yet here was proof that they could. We still hear security dogma such as, “as long as you don’t open email attachments, you’ll be safe,” or “if you have all the latest security patches, you’ll be safe,” or even “if you use a Mac, you’re safe.” One of my favorite quotes? “Don't be trapped by dogma—which is living with the results of other people's thinking,” from Steve Jobs.

I don’t know where the other generational milestones are. ZMist’s code integration capability is probably a generational leap in itself, but it definitely isn’t the “beginning.”

Anyhow, going back to my story, when you ran an infected file, the virus stuck around in memory and then inserted a copy of itself into the next program that was run. If you never ran the infected file, your system would never be infected. To get around this, you had the boot sector virus. When you first turn on a PC, the BIOS looks for the boot sector in order to load the operating system. By hiding in this area, the virus loaded before the rest of the operating system did, and therefore could manipulate any sort of data. This was one of the first "stealthy" approaches to malware and was a design of the first PC virus.

Joanna: That is a bit incorrect. Back in the DOS OS there was no notion of any memory protection, so it was not needed for the virus to be loaded before the OS in order to control all of the OS--it could control the OS even if loaded later.

Alan: Sure, but if you had a terminate-stay-resident anti-virus scanner, loading the virus after the anti-virus would be detectable. The boot sector approach let the virus writer get “earlier” control, right?

Joanna: Correct.

Alan: So continuing on, while Windows ME and other DOS-based operating systems relied on the capabilities of the BIOS to handle disk access, Windows NT did not.

Joanna: DOS should not be confused with Windows 95/98/ME. Those latter systems did use protected mode, and had a notion of kernel memory protection. I'm also quite certain that those Windows 95-based systems didn't use BIOS interrupts, but rather drivers that did PIO/MMIO to the actual devices (just like all the current OSes do).

Alan: I thought that, although a boot sector virus could still cause damage (like format the disk prior to loading Windows), once Windows NT booted, it loaded its own protected mode drivers which bypassed the BIOS. Therefore, even though the BIOS was compromised by the boot sector virus, the protected mode drivers took a higher priority and bypassed the BIOS?

Joanna: Not quite. It has been demonstrated several times (for example, by eEye's BootRoot) that it is possible for malware that was started from the boot sector to survive the switch to protected mode (so, the start of Windows NT/2000/2003) and compromise this newly-started Windows.

Alan: You know, I should probably edit out this part of our conversation and make it look like I know what I’m talking about before this gets posted.

Joanna: I promise to keep mum.

Alan: I’ll actually keep it in. That’s the whole point of doing these interviews. Ninety-nine percent of the content we do is all in-house, but these interviews let us augment our knowledge with expertise we don’t have.

Fast forward to the present day. "Rootkits" are now the accepted term for malware that allows administrator-level functions. A user-level rootkit is something that affects a single program; imagine a compromised Internet Explorer or copy of Flash. Because the rootkit exists in "user space," an anti-virus has the ability to look down and identify the malware.

Joanna: More correctly, user-mode rootkits are the type of malware that operates in Ring 3 (user-mode). It's not limited to a single application and in many cases will infect all the user-mode processes, like the popular Hacker Defender did, including the system-level processes. A system-level process can be, and usually is, a user-mode process, even though it is now owned by a user.

  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer security is very important though I find it's fairly easy in most regards as attacks, bots, spammers, etc overwhelmingly (though not always) use the same approach methods so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
  • truehighroller
    I think she has very nice fat looking lips. xD
  • johnbilicki
    truehighroller: "I think she has very nice fat looking lips. xD"
    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more than girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating by most women they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go elsewhere.
  • Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just have to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice.
  • Humans think
    I also use Macs myself (also Windows systems and Linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
  • thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
  • haplo602
    read the interview because I was curious about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do? you have to implement a mini OS by yourself into the hypervisor to do anything useful (i.e. data collection), you need to read the FS, interrupt the network etc. the only useful thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the useful data is still on the same level as the AV protection (user space).
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each other's comments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
  • An interesting and informative article but there is a lot of self praise and back slapping, seems that these folks are not the geniuses they make themselves out to be: