Blog

Guest Blog Post: The Future of Malware?

Posted on June 16, 2008 - 16:09 by lmallek

_StopBadware.org is glad to welcome Jon Kibler,the Chief Technical Officer of Advanced Systems Engineering Technology, Inc., to author a blog post on the future of malware. Jon draws on his years as a security professional to provide insight into malware developments that could have widespread implications for machinery from personal computers to medical devices. (Please note that guest blog posts are independently written, and do not represent official positions of StopBadware.org.)_

*The Future of Malware _*by*_ Jon Kibler*

Traditional viruses and worms have almost disappeared from the malware landscape. Most malware today are "Trojans":http://pandalabs.pandasecurity.com/blogs/images/PandaLabs/2008/04/01/Qua..., "with":http://www.antirootkit.com/ "rootkits":http://www.rlslog.net/20-of-world-computers-infected-with-rootkits/ ("1":http://www.rootkit.com/, "2":http://www.ad-mkt-review.com/public_html/air/ai200605.html) and "botnets":http://www.secureworks.com/research/threats/topbotnets/?threat=topbotnets ("1":http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_botnets.pdf, "2":http://www.shadowserver.org/wiki/pmwiki.php?n=Information.Botnets) becoming more dominant and "difficult to detect":http://www.av-test.org/down/papers/2008-04_vb_rootkits.pdf.

In late 2007, the industry started seeing reports of hardware (e.g., digital picture
"frames":http://blog.wired.com/27bstroke6/2008/01/digital-photo-f.html and "USB memory":http://www.theregister.co.uk/2008/04/07/hp_proliant_usb_key_infection/) that apparently came from the factory as infected devices. Speculation is that most of the items were contaminated during "product testing":http://www.securityfocus.com/print/news/11499 with some possibility of deliberate contamination. These contaminated devices infect the host system when activated and should be detected by AV software as infected.

The next generation of malware may avoid detection by circumnavigating the computer's CPU, or running on non-traditional computers. A typical computer has computational power other than the CPU: video cards have a GPU and their own RAM; sound cards, modems, NICs, and HDDs all have their own processors and memory. All of these could run malware.

The end of May gave us a proof-of-concept "*IOS rootkit*":http://www.networkworld.com/news/2008/051408-hacker-writes-rootkit-for-c..., showing that Cisco devices are subject to compromise. The FBI has bragged about the number of counterfeit Cisco devices "recently seized":http://washingtondc.fbi.gov/dojpressrel/pressrel08/cisco022808.htm. There are also many reports of other counterfeit computer "components and equipment":http://www.stopfakes.gov/pdf/CBP_Press_Release_Operation_Infrastructure.pdf being seized and "counterfeiters being sued":http://www.managingip.com/Article/1255423/Counterfeiter-pays-high-price-.... So, it is clearly possible to find 'unclean' devices in the marketplace -- devices that may include malware.

Another potential attack vector for which there is currently little to no protection is "BIOS (firmware) malware":http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Heasman.pdf. It is a trivial matter to detect a "BIOS's version":http://scan.esupport.com/. Thus, it is surprising that malware infected system-specific BIOS updates (auto-installed by another malware payload) are not already widespread. _Or could it be that they are, and we just don't know about them?_

*Network infrastructure malware* may overshadow PC malware. From the perspective of bad guys, inspecting network traffic has great potential to collect useful information (e.g., credentials from ftp, telnet, pop, imap, and http) and conduct man-in-the-middle attacks against encrypted connections (e.g., collect clear text identity and financial information).

While it is true that the current generation of network malware (such as the IOS rootkit) requires privileged access to compromise a device, administrative mistakes make such access possible. In my experience, at least some Cisco routers still have the privileged default login of 'cisco cisco' enabled, usually because administrators forgot to delete that account. There are potentially tens of thousands of Cisco routers that could be susceptible to an IOS rootkit attack. Fortunately, there are tools available that can detect the type of rootkit recently demonstrated, but they are neither widely known "nor deployed":http://cir.recurity.com/cir/.

More insidious than an IOS rootkit would be a compromise of the *IOS bootloader*, which, for all practical purposes, is never updated. Thus, if the bootloader was compromised, it would be possible for rootkits to persist across IOS upgrades. This would be the ultimate goal of any Cisco malware developer.

Consumer grade network devices are much more susceptible to attack than commercial equipment. How many users even change the device's "default passwords":http://www.phenoelit-us.org/dpl/dpl.html or take other "security measures":http://searchfinancialsecurity.techtarget.com/news/article/0,289142,sid1...? Worse, not only are most of these devices susceptible to malware, an attacker can easily replace the "operating system":http://wiki.openwrt.org/TableOfHardware?action=show&redirect=toh on many of these devices.

This raises a critical question: _If a consumer or a company purchased a router, firewall, video card, HDD, sound card, or other PC CPU-independent device, how would the average consumer or I.T. department be able to detect that the device was infected?_ This is an issue the anti-malware industry is essentially ignoring. The problem is not simple, but fixing it after these types of attacks are already in the wild is *far* too late.

One potential solution would be to "digitally sign":http://www.ecommerce.or.th/APEC-Workshop2002/ppt/slide/john_daly2.pdf all embedded software or firmware. With this digital signature that was checked at boot time, any compromise of the image would be readily detected. Clearly, this would not be a perfect solution (if the device was compromised, the malware could simply patch around the checks), but it should be the next layer in the defenses we "deploy":https://www.trustedcomputinggroup.org/groups/tpm/embedded_bkgdr_final_se.... What I do not understand is why the industry is _not already doing this today._

The preceding concerns me, but what *really* scares me is malware on non-traditional computers -- computers which for architecture, performance, and/or regulatory safety reasons, usually cannot even run anti-malware software.

The 'C' in 'CAT scan' is for 'computer.' What happens when those computers become infected by malware? Software bugs have already "killed people":http://www.technewsworld.com/story/33398.html?welcome=1213515638 ("1":http://blog.wired.com/defense/2007/10/robot-cannon-ki.html, "2":http://www.cs.tau.ac.il/~nachumd/horror.html). What happens when malware accidentally (or intentionally) causes computerized medical or laboratory equipment to malfunction, resulting in death? Industrial controls (e.g., "SCADA":http://www.sandia.gov/scada/home.htm, "PLC":http://www.automationworld.com/feature-831, "DCS":http://www.isa.org/CustomSource/ISA/Div_PDFs/PDF_News/Glss_2.pdf, "etc":http://news.bbc.co.uk/2/low/science/nature/2070706.stm) run much of our "critical infrastructure":http://www.dhs.gov/xprevprot/programs/gc_1189168948944.shtm. There have already been well documented attacks against and failures of "control systems":http://www.adventiumlabs.org/files/InfoSec120804_web_1.ppt ("1":http://ethernet.industrial-networking.com/articles/articledisplay.asp?id..., "2":http://www.zdnet.com.au/news/software/soa/Software-bug-blamed-for-Austra...). A recent DoE experiment demonstrated how a cyber-terrorist could destroy "a generator":http://www.cnn.com/2007/US/09/26/power.at.risk/index.html. The potential for malware damaging critical infrastructure is great. Many experts believe that a "'Digital Pearl Harbor'":http://redtape.msnbc.com/2008/01/from-the-moment.html is not a question of 'if', rather it is a question of 'when.'

The problem is that computers are everywhere. A few other examples of non-traditional computers include: specialized control systems ("avionics":http://blog.wired.com/defense/2008/06/video-stealth-b.html, "automotive":http://aardvark.co.nz/daily/2003/n051301.shtml "and":http://trifinite.org/trifinite_stuff_carwhisperer.html "physical security":http://www2.theiet.org/oncomms/sector/computing/SectionNews/Object/336F7..., "military weapon systems":http://www.gcn.com/print/17_17/33727-1.html), consumer devices ("appliances":http://www.securityfocus.com/archive/1/493387, "DVRs":http://tivo.stevejenkins.com/network_cd.html#_Toc101001738, "PDAs":http://www.leavcom.com/ieee_dec00.htm, "video games":http://blog.trendmicro.com/xbox-live-accounts-hacked/, digital cameras), communications systems ("cell phones":http://www.informationweek.com/shared/printableArticle.jhtml?articleID=2... ("1":http://hardware.silicon.com/pdas/0,39024643,39167928,00.htm, "2":http://www.cse.ucsd.edu/~voelker/pubs/cellworm-worm07.pdf), PBXes, "VoIP telephones":http://www.gcn.com/print/27_10/46209-1.html, telco central office switching), and business equipment ("cash registers":http://www.docdroppers.org/wiki/index.php?title=Hacking_Home_Depot, credit card systems, "point-of-sale systems":http://blog.washingtonpost.com/securityfix/2008/05/three_charged_with_ha..., copiers, "printers":http://www.governmentsecurity.org/articles/HackingMulti-FunctionalPrinte...). The list is nearly endless -- and every one is potentially susceptible to malware.

The malware problem is not going away. In fact, it is going to get worse. Far worse. The question is: _Can we adequately anticipate the future of malware and preempt its attacks against our most critical systems?_