1. Exactly how was it able to start infection? The possible methods provided for in the thread all require root access, that it would seem the only way it can ever infect something is (a) if it was a specifically targeted system or (b) physical access.
The target was a legal firm in 2010
I detect traffic one night from 1 pc, I start capturing data and close the connection at the firewall, the next packet the pc send was a dhcp release renew, machine was inspected and besides the network traffic all look ok, after wiped, new install media, I notice that the malware not only remains but it keep files of the os that was installed earlier.
That give me the clue of HD geometry modification, and that the bug was not nice….
Story short, all network infected, AD schema was modified, and if close the traffic the pcs loose dns resolution. (Fatal for an active directory domain with exchange etc.)
Network os where compromised by dfs bogus system restore to the clients (primary low level drivers), and fake upgrades of the antivirus server.
No credit fraud was reported. The only objective looks to stay resident.
IT was a specific target YES, but infection is no more complex than a rootkit.
2. Size? The way it's described is that it seems small. But a cross-platform, file-infecting malware seems just all too odd to be that small. I understand that it's capable of infecting files possibly by adding a code over the original. Still, this would constitute file size changes and considering that it seems to intend to infect Linux and mac systems, too, well that's triple the size.
Don’t mix layers, one thing is bare metal hypervisor and another is operating system.
A hypervisor will provide a fake hardware bios to the OS, para-virtualization allows direct access to the machine hardware, that make it less intrusive (don’t need to do a physical to virtual migration) and more hard to find, your PC will work like before.
Now if the os have a layer that can manage hardware, compromise the os is no problem.
If it were to download any other component, then it would have to provide those too with root access. So most possibly, there ought to be a rootkit beside the actual malware. Even then, it still means it requires a considerable size to do so. It cannot go undetected like that. Basically, the more "features" it has, the larger it becomes. I simply could not understand how it can get by undetected with a lumbering size or some genius manage to condense all these, but that's highly improbable (or well, impossible, but I'm just trying to be mathematically accurate here) because of the limits imposed by the current languages.
Wait, if the hypervisor is on the pc, the hypervisor is the owner ok. And all data you can get from that pc can’t be trusted (you dump the gpu bios, but you get the fake shadow one that reside on memory)
3. Besides the non-existent processes symptom, are there any other methods of detection? ACPI's, hackintosh, and all that while they may provide context, they don't exactly provide proof. An apple being an apple doesn't mean it's the same apple as every other apple.
My point was that the compatibility that allow to do some tricks, can also be used to do other things……
I never say nothing about the non-existent processes symptom, still identify this is hard and many people including me end up with false positives.
Is like I ask you to prove that you are not inside the matrix….
Also, you mentioned you're from sysinternals. Do you mean you work for sysinternals or that you're originally a member of sysinternals? If it's the latter, do you mean the forums or the actual company? I'm just trying to build a profile here so I can better construct my questions. As I recall, these non-existent processes have existed as early as 2007. I've also contacted them about it in 2009 and they responded that it was the way processes exit. They exist in every system though they may vary for every installation. Conflicting programs with processexplorer are also capable of reproducing this effect.
I am 39 years 3 kids, one wife, IT Consulter from Argentina many Microsoft certifications (starting in 1999) I use to work for a consulting firm and sometimes we work in conjunction whit Microsoft consulting services.
I migrate, design deploy and implement AD,Exchnage,Security,network infrastructure for large enterprises for almost 10 years, now I am self-employ. I also use virtualization technology since vmware was born.
I am a gamer, love hardware and overclocking.
If the symptom mentioned was from the malware, how is it related and why run them in the first place?
The symptoms I experience, was a malware that resist HD wipes, that had phantom/fake hardware, that alone point to a low level rootkit, and after many hours, I find that the bios was compromised.(bios can’t be updated, a full bios reset make the PC do many strange things)
4. I agree. There are other avenues it can explore to achieve the same effect, and the one described in page 15 is not a viable choice at all. It will literally cause problems that would either cause the system to be unbootable or the malware to be completely useless. Even so, none of the viable avenues that I know of are capable of surviving reboot, self-actuating, or even capable of executing commands needed to achieve the desired result. Not to mention that the time it needs to accomplish all these in a single session is impractically long. Could you perhaps provide us what you suppose is the possible avenue(s) it uses to take root in the system? The video I found in securitytube doesn't seem possible automated. It requires manual access.
You don’t need to setup your bios every time you start your PC, OS drivers can configure some part of the bios, the only thing you need is a fixed storage (hd geometry will do it) old or fake drivers, and the compatibility that the industry provide to allow many os to be installed on the same hardware do the rest.
That’s the key, it use normal techniques, Linux can emulate firmware for better compatibility, this use acpi tables to create buffers to load firmware, it use bios shadow for mother/gpu etc.
If you download xen, red the documentation, some acpi docs, and is all there.
Detection is hard, hypervisor are very small, os only see what the hypervisor allow.
5. It seems all too quiet. The way the malware was described was that it was already fully functional, running bypasses, storing data, infecting files and sending information. With such a capable malware, there should be a huge bidding now somewhere for its source code. But it's just too quiet. They want to be discreet about, well, yeah sure, but there's gonna be a spark somewhere here or there and something as brilliant as the one in description is sure to start a wildfire.
The only secret is that they use as a rule in the design that the core use normal emulation techniques at a very low level.
It provides a backdoor, under the os. From there use your imagination.
I don't think malware authors "trying new grounds" to quote new2security would release a fully functional malware just to test if it works. The code would be broken down and some of it spread as separate 0-day malware minimizing activity as much as possible while all other tests are done privately.
One could say that it was meant for targeted attacks, but then again, wouldn't it be smarter to minimize activity and anything that's as impractical as file infection would be discarded? It just doesn't add up.
File infection or misconfiguration, is to provide consisted rollback, malware self-defense. And if they own ring 0, no AV will detect it.
6. If it's capable of file infection, survives re-installation and wipes, am I to suppose you have a sample with you?
One in my pocket but for friend only, machine owned from post, is hard to get reliable data, one person that work on this have dump his gpu rom and inside is a bootloader,ntlr,bcd.
7. Oh and a matter of concern. If it really is a cross-platform, infect-all-files malware, where and how do you do your logs? Shouldn't those get infected, too?
I never said infect all files.
but a hardware backdoor....
I will post some pdf that explain more and in better English.
PD: I can’t resume all in one post. Not to mention that a lot of reading is key to understand how can be done (I read many docs, and have many more waiting)
read the doc please is not long and clear