Friday, November 24, 2006

Introducing Stealth Malware Taxonomy

At the beginning of this year, at the Black Hat Federal conference, I proposed a simple taxonomy that could be used to classify stealth malware according to how it interacts with the operating system. Since then I have often referred to this classification, as I think it is very useful in designing system integrity verification tools and for talking about malware in general. Now I have decided to explain this classification a bit more, as well as extend it with a new type of malware - type III malware.

The article is available as a PDF document here.



10 comments:

Anonymous said...

TPM should detect type 3 malware due to the measured boot process. The TPM registers end up with a hash of all the code that executes during the boot, so they will have different values if you boot straight into the OS vs booting into a virtualized OS. If you have sensitive data locked to the TPM configuration registers, then, if you get infected with type 3 malware, the OS and apps will no longer be able to access the locked data and you can tell you've been virtualized.

Joanna Rutkowska said...

People's ignorance is just unbelievable (see the post above)! I have already written and said so many times that both Blue Pill and Vitriol (the two examples of type III malware) are non-persistent and that they do not require any modifications of the boot sequence in order to infect the system. Should they introduce such changes, they would be classified as type I (maybe type II at best) malware.

Anonymous said...

Hi Joanna !

Nice work. Thanks for the paper. Keep the good work going on :)

Regards,

Viraptor said...

Hello
Do you know of any patterns that can be used in software to make type II malware impossible / harder to apply?

I'm thinking about using hooks as in:
func_proto hooks[] = { our_func1, our_func2, ... };
hooks[variable]();

Instead of just:
func_proto variable=&our_func1;
variable();

(pseudo-code, don't mind syntax)

This would make all pointers easy to verify, so the only place for modifications is read-only data, or read-only code. But can any concept like this be applied to a plug-in architecture?
I can only think about exchanging hooks[] with a list of hook arrays (every array owned by the plugin itself), where every hook array has a hash generated with a private key.
This kind of code could verify its data on demand. Have you thought about that kind of design / have some other ideas already? I think there should be some OS-supported way to get rid of all type II hackable places and change them to only type I hackable (like introducing a syscall add_hook_table_to_verifiable_places_list). Would you agree with that?

I'd risk saying that it could even be automated in some VM...

Regards :)
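The hook-table design sketched in the comment above, as an added example that is not Viraptor's code nor anything from the blog: the dispatcher only ever indexes a fixed table, so a verifier can seal a digest of it at a trusted moment and refuse to dispatch once a pointer has been swapped in place (the type II modification the taxonomy describes). The handler names, the FNV-1a stand-in for a real hash, and the simulated swap are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>

typedef int (*func_proto)(int);

/* Hypothetical handlers standing in for driver or plug-in callbacks. */
static int our_func1(int x) { return x + 1; }
static int our_func2(int x) { return x * 2; }
/* Stands in for an attacker-supplied function a type II rootkit would point a hook at. */
static int rogue_func(int x) { return -x; }
enum { HOOK_INC = 0, HOOK_DBL = 1, HOOK_COUNT = 2 };

/* The dispatcher only ever indexes this table, so its expected contents are fixed at
 * build time. It is left writable here to model data a type II rootkit could modify
 * (in a real kernel it would sit in a read-only section, which a verifier checks too). */
static func_proto hooks[HOOK_COUNT] = { our_func1, our_func2 };
/* Known-good digest of the table, recorded once at a trusted moment (e.g. init). */
static uint64_t sealed_digest;

/* FNV-1a over raw bytes: a stand-in for the cryptographic hash a real verifier would use. */
static uint64_t fnv1a(const void *p, size_t n) {
    const uint8_t *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}
void hooks_seal(void) { sealed_digest = fnv1a(hooks, sizeof hooks); }

/* 1 if every pointer still matches the sealed table, 0 if any entry was swapped. */
int hooks_verify(void) { return fnv1a(hooks, sizeof hooks) == sealed_digest; }

/* Verified dispatch: checks the table before indexing into it.
 * Returns 0 and stores the result in *out, or -1 if the index is bad or the table changed. */
int hooks_call(int idx, int arg, int *out) {
    if (idx < 0 || idx >= HOOK_COUNT || !hooks_verify()) return -1;
    *out = hooks[idx](arg);
    return 0;
}

/* Simulates a type II modification (one pointer swapped in place) and reports
 * whether the verifier caught it: 1 = detected and dispatch refused, 0 = missed. */
int simulate_hook_swap(void) {
    int out = 0, rc;
    hooks_seal();
    hooks[HOOK_INC] = rogue_func;          /* the rootkit's write */
    rc = hooks_call(HOOK_INC, 5, &out);    /* must be refused */
    hooks[HOOK_INC] = our_func1;           /* restore for the next caller */
    return rc == -1 && hooks_verify();
}
```

The digest is only as trustworthy as the moment it was sealed, which is exactly the gap the follow-up comment about signing hook arrays for plug-ins is trying to close.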

Viraptor said...

Adding to my previous comment -> the proposed model for hashing of hook arrays is of course impossible in OSS software - or at least it has to be turned off for custom builds.
The only solution in that case would be to open some sort of compiled-libraries verification / signing centre. Not possible in this reality.

g-n-d.net said...

Hi Joanna :)

Happy New Year, stay warm, I'm your fan :)))

g-n-d.net

Anonymous said...

your claim that

"I started researching ... and shortly after I created type III malware proof of concept."

appears inappropriate in light of Peter Chen's SubVirt paper:

http://www.eecs.umich.edu/~pmchen/papers/king06.pdf

as it seems that he was the one that did the research. And that he was the one that provided the proof of concept.

Joanna Rutkowska said...

To Dan: if you read my presentation about Blue Pill you would notice that I did a detailed comparison of SubVirt vs. Blue Pill and I pointed out why SubVirt is not type III malware - in fact it's only a type I malware, as it needs to introduce changes to the booting process and this is "something which should not be changed" (vide TPM).

Unknown said...

After seeing you initially in the 5 March 2007 edition of "eweek" and enjoying your blog I must say I am very happy and proud of you and your work. I've been in the information technology business since 1980 and at that time the ratio of males to females was about 60% to 40%. Today the female force in IT has dropped to almost nothing. Great work! Keep on pushing the envelope.

Anonymous said...

Hello Joanna,

We here at TDO (gov. dept.) have already taken your work into account in 2006 and want to tell you now that you're indeed on the right track. The problem is the handling of large amounts of data when analyzing a type III malware infected system via an external device. Unfortunately we weren't yet able to handle this, as well as the problem with false positives. We're looking forward to seeing you at CCC 2008, maybe with some new insights.

Yours sincerely, TDO / Aq. Denton