yettibe

Sophisticated malware manages to bypass Emsisoft permanently using injection


Hello, I am dealing with a sophisticated malware which is capable of injecting its custom tailored Anti-Emsisoft drivers & executables, thus bypassing all security enforcements.

Since I suppose inserting logs here won't be sufficient and a remote session may be required, I need some official reply about what to do.

PS: it is a very powerful and sophisticated malware which employs uncommon procedures, including but not limited to creating virtual machines and integrating itself into the BIOS, with the extra ability to resurrect using chkdsk. It is also capable of filtering internet traffic, altering the definition update process, etc.

I need your expertise assisting please!


I forgot to mention that this next-gen malware is cross-compiling its own unique executables using the built-in Microsoft .NET compiler and such, replicating cross-platform executables, meaning IT IS ABLE TO INFECT MOST LINUX DISTROS TOO WHILE NOT HAVING A STATIC SIGNATURE FOR EASY DETECTION!

It's sneaky, so I suspect people are already infected but they are not aware of it. It is not disabling antiviruses, it's bypassing them! You receive a 'there are no threats! your computer is clean!' message, having a false feeling of security.

Edited by Elise
Removed questionable language


One last thing... this malware is also capable of self-signing itself using digital certificates... traditional antivirus programs are auto-whitelisting it instead of blocking it!


Hello yettibe,

First of all, what makes you think you're infected with such a sophisticated piece of malware? What evidence do you have (logs, suspicious activity, droppers, and so on) to support your claim?

 

To be honest, what you describe is not only pretty much impossible, it is also very impractical from a malware point of view. Sure, in theory it is nice to be able to bypass any AV, but in practice that would require an inordinate amount of work on the part of the developer (and let's not even talk about the fact that most AV products update/improve their components on a regular basis).

 

including but not limited to creating virtual machines and integrating itself into the BIOS, with the extra ability to resurrect using chkdsk.

 

That makes no sense at all. Why would malware even want to make a VM? Integration into the BIOS is possible, but you have a severe limitation and that's the fact that a BIOS is very much hardware-dependent. The best-known BIOS malware is Mebromi and that is easily detected (it just revives after a reboot unless you flash/reset the BIOS). It also is not actively spread and targets one specific BIOS type.

 

As for resurrection using chkdsk, in theory any piece of malware that happens to be located on a recoverable part of a damaged file system may be resurrected. From there to active execution there's a long way to go though.

 

this next-gen malware is cross-compiling its own unique executables using the built-in Microsoft .NET compiler and such, replicating cross-platform executables, meaning IT IS ABLE TO INFECT MOST LINUX DISTROS TOO WHILE NOT HAVING A STATIC SIGNATURE FOR EASY DETECTION!

 

This makes no sense at all: why bother using a Microsoft resource to compile Linux executables when the computer is running Windows in the first place? This is not how cross-platform malware works, for the simple reason that it is completely illogical.

 

Finally, while you are free to express your concerns, please do so without using questionable language. I have edited your post to reflect this. Next time this may lead to your posts being deleted as this is in violation of our forum rules to which you agreed when you joined as a member.


I agree with Elise, the capabilities you're describing of this malware seem not only highly unlikely but are in actual fact impossible. Referring to "virtual machines", I assume you are referring to a piece of malware acting as a hypervisor in the style of something like Blue Pill? Again, this kind of rootkit technology is hardware dependent, as is any kind of BIOS infection (MBR infection is a different matter however; this could be what you're referring to).

 

It is possible for a piece of malware to restore itself using chkdsk by marking the part of the file system it resides on as damaged/recoverable and indeed this technique has been used in DOS viruses before (from memory I can't think of any Windows viruses using this method).

 

Finally, Elise has already said pretty much everything about cross-compilation; it would be completely illogical for a malware writer to produce such a carefully designed and sophisticated malware only to include this nonsense feature which would serve no practical purpose.

 

If you genuinely have discovered this malware and analysed its capabilities in such detail, then you should also be skilled enough to obtain some dumps from it and send us some samples of the code for analysis.

 

Regards,

 

Jeff Saile

Independent Malware Analyst


Since I read about BIOS rootkits and the Blue Pill proof of concept, I'm trying to find information about this kind of infection and defence measures, since I'm worried about it. :(:unsure:

Is a piece of malware acting as a hypervisor in the style of something like Blue Pill still a proof of concept, or has it already been implemented in a rootkit/malware? If already seen outside laboratories, what are their names, and how and by what program can they be detected?

How hardware dependent is this kind of rootkit technology, as is any kind of BIOS infection (only Award BIOS with a specific version number, all Award BIOSes, all BIOSes by any manufacturer...)?

What do you mean by "hardware dependent"? Can you please give an example?

Do the currently known BIOS infections target "only" Award BIOS, or also AMI's or Phoenix's?

How can we protect our systems from BIOS malware?

Last concern: how can we protect our routers from getting hacked (changing password, disabling remote access, updating firmware, ...), and how and with what program can we detect if our router was hacked/infected? Thank you!

Is a piece of malware acting as a hypervisor in the style of something like Blue Pill still a proof of concept, or has it already been implemented in a rootkit/malware?

 

It's proof of concept only.

 

What do you mean by "hardware dependent"? Can you please give an example?

 

The example is in your quote. :)

 

Do the currently known BIOS infections target "only" Award BIOS, or also AMI's or Phoenix's?

 

Award only, but keep in mind that this infection was discovered a few years ago and as of yet hasn't yet been actively employed "in the wild" (in my opinion it is unlikely this will happen anytime soon).

 

How can we protect our systems from BIOS malware?

 

Like you protect it against any other form of malware: ensure you have behavioral detection on top of more traditional protection means. A BIOS infection still needs a way to be installed, and that way is through Windows (assuming we're talking about that OS). So at some point a dropper needs to put something on the system that can be flashed to the BIOS, preferably without the user knowing. This is something that will trigger a behavioral detection.

 

Last concern: how can we protect our routers from getting hacked (changing password, disabling remote access, updating firmware, ...), and how and with what program can we detect if our router was hacked/infected? Thank you!

 

You already name it yourself. The vast majority of hacked routers are in that condition because they used a default or easy-to-guess password. For device-specific vulnerabilities it's important to follow along with security news and apply firmware upgrades in case you discover you're using an infected device (luckily this is more rare).

As for detecting, there's no easy way to do this, but the good news is that you can easily reset a router to factory settings or, if you want to play it really safe, you can reflash the firmware available at the manufacturer's site.


By hardware dependent, do you mean all Award BIOS versions or just some of them?

Do infections of device firmware (e.g. USB, printers, cards...) already exist, or are they still theoretical or POC?

Reflashing the router (as with the BIOS) firmware is not 100% sure, since there is (very, very little, I hope) malware that "resists" a reflash, correct?

My problem is that the firmware of my router is one adapted by my ISP (Verizon), so I'm not sure if there is a reflashing program and the original firmware available to users....

All these questions because these infections (BIOS and hardware firmware) are (very) difficult to detect/remove, and little is known about them and about how to avoid, detect and remove them. :mad::(:angry:

They are scary and not "in the wild" yet, but might become so one day... and anyway I prefer to prevent rather than to cure.. :)

 

 

So thank you for all this interesting and useful information! :)


Only some Award BIOS types, and other device malware is only POC.

 

Reflashing the router (as with the BIOS) firmware is not 100% sure, since there is (very, very little, I hope) malware that "resists" a reflash, correct?

 

No, that is not correct. You can brick the BIOS or your router by incorrectly flashing, but there's no malware that flashes right now. Hence no malware can survive a flash.

 

My problem is that the firmware of my router is one adapted by my ISP (Verizon), so I'm not sure if there is a reflashing program and the original firmware available to users....

 

Well, only Verizon can tell, but why do you think your router is hacked?

 

All these questions because these infections (BIOS and hardware firmware) are (very) difficult to detect/remove, and little is known about them and about how to avoid, detect and remove them. :mad: :( :angry:

They are scary and not "in the wild" yet, but might become so one day... and anyway I prefer to prevent rather than to cure.. :)

 

It's not difficult to scare yourself with everything that "might be" possible at some point, and I understand why that is the case (nobody likes to contemplate the possibility that a stranger could slip by your computer's security). However, it is also a bit pointless. :) I cannot tell you how to avoid or remove something that doesn't exist yet. To summarize: BIOS malware can be blocked the same way any other piece of malware is blocked, before it would touch the BIOS. As for the router, either you'll have to trust Verizon that they gave you a secure device, or you'll have to ask them if you can use a device of your choice.


I know some kinds of infections are rare, difficult to reach normal users or unlikely to pass the POC phase and be in the wild..... but I never liked the idea that we shouldn't worry about things that are unlikely to happen.

This is a passive approach that might, or will, lead to unpreparedness and possible huge infections. I'm a little over security-oriented, I know, say in paranoid mode, but imagine e.g. BadUSB, whose code was just uploaded and is publicly accessible, spreading quickly before people and AV companies get ready. Many, many PCs and firmware might get infected in a very short time before anyone is even aware of it.

Worst of all is that apparently as of today there is no easy and fast solution to this problem/bug... and for a final solution we are mostly in the hands of USB device manufacturers... who knows if and when they'll fix this problem..... till then the only thing we can do is avoid an infection, since once infected, disinfection will be impossible or really difficult for a normal user. :angry:

That's why I still believe and prefer that to prevent is better than to cure... :)

See e.g. the answer of Bobby Nikkhah in http://security.stackexchange.com/questions/7181/does-the-mebromi-bios-flashing-rootkit-mean-apts-for-personal-computers-are-here

http://malwaretips.com/threads/the-unpatchable-malware-that-infects-usbs-is-now-on-the-loose.34528/

 

When I read about Blue Pill and opened 100s of pages :wacko: I think I read that someone in India created a Blue Pill application, so it's not a POC anymore, do I remember right?

 

In my case I think I might have gotten something nasty and advanced, since no AV nor detection tool (tdds, aswmbr, NPE, boot CDs...) has detected anything till now, and I still have a notebook, my smartphone and a desktop that act weird, restart suddenly (S4), take forever to boot (laptop), have blue screens (desktop).

 

I hope AV companies will soon be able to block USB devices' firmware updates and to scan them (with or without the help of manufacturers).


...but I never liked the idea that we shouldn't worry about things that are unlikely to happen.

This is a passive approach that might, or will, lead to unpreparedness and possible huge infections.

 

It may sound very straightforward, but when connecting to the internet that's a risk you take. :) Don't get me wrong, I don't say that means security companies don't have the responsibility to look into new threats and new ways to protect their users (which we at Emsisoft, as well as many other companies, actively do).

But from there to worrying about what might actually be possible, without paying attention to the fact that the payload (for short: the malicious behavior, what the malware is coded to do) of such infections will often already be detected by our existing product, is, frankly, a waste of your time. It's like going to a medic and asking for a medicine for an illness that doesn't yet exist, just because you've heard it may possibly come into existence within a few years. ;)

 

In my case I think I might have gotten something nasty and advanced, since no AV nor detection tool (tdds, aswmbr, NPE, boot CDs...) has detected anything till now, and I still have a notebook, my smartphone and a desktop that act weird, restart suddenly (S4), take forever to boot (laptop), have blue screens (desktop).

 

There are so many (hardware and software) problems that may cause this, it is taking a really big jump to say: "okay, I have a problem with my computers, I can't find the cause, so my only possible answer is that it must be malware." To be honest, I see this approach quite often, and I can't stress enough that in most cases it is NOT malware, but another problem causing this. Careful analysis of the problem, occurrence, event viewer errors, clean boot, disabling/uninstalling certain software or drivers, hardware tests and so on and so forth are in order.

 

I completely understand you are worried about the problems you encounter with your devices, I also understand that this can be very annoying as we all depend more or less on those to function correctly. But still, taking all that into consideration, it goes way too far to state that because you have more devices with various problems, thus it must be undetectable malware causing this. I'm really sorry, but that is all I can make of it. :)

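One way to carry out the "event viewer errors" part of the analysis Elise lists above, as an added example that is not part of the thread and not an Emsisoft tool. It is a read-only PowerShell query of the System log: Kernel-Power event 41 marks a restart without a clean shutdown and event 1001 marks a recorded bugcheck (both standard Windows events), and the Critical/Error count per provider shows which driver or component is actually producing the trouble. The 30-day window is an arbitrary choice.

```powershell
# Added example (not from the thread): summarise the System log evidence to
# review before concluding "it must be malware". Read-only; Windows PowerShell
# 5.1 or PowerShell 7. The 30-day window is an arbitrary choice.
$since = (Get-Date).AddDays(-30)

# Kernel-Power 41: the machine restarted without a clean shutdown (power loss,
# hard reset, crash). 1001: a bugcheck (blue screen) was recorded after reboot.
$crashes = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 41, 1001
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }

# Critical (level 1) and Error (level 2) events grouped by provider. A single
# driver or hardware component dominating this list is the ordinary cause
# Elise describes, and far more likely than malware.
$errorsByProvider = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Level     = 1, 2
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Group-Object ProviderName |
    Sort-Object Count -Descending |
    Select-Object Count, Name

"=== Unexpected restarts and bugchecks since $since ==="
$crashes | Format-Table -AutoSize

"=== Critical/Error events by provider since $since (top 15) ==="
$errorsByProvider | Select-Object -First 15 | Format-Table -AutoSize
```

Run it from an elevated prompt if reading the System log is denied. Event ID 1001 is also used by other providers, which is why the provider name is kept in the output; the bugcheck entries come from the BugCheck / Windows Error Reporting provider.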

Thank you. I understand. I know it could be caused by hw as well as sw.. but suddenly in all 3, actually 4 (a laptop that has problems seeing USB devices) devices? I prefer to check the malware possibility.

On the other side, I see the actual scenario, BadUSB, BIOS malware, more like the risk of getting Ebola.. I prefer to know we are ready before it reaches us..


I can understand that, and without having actual malware to test it with, an infection of BadUSB will most likely be blocked by Emsisoft's behavior blocker.

As for your particular problem, USB devices or ports do go bad (without having BadUSB ;)). If this problem occurs only with one particular device, then it might simply be broken.


Interesting that the original poster came here new, made three posts and has yet to return. Methinks this thread is a good candidate for the trash can.


I don't see why. :) While the original poster didn't return, there may be other users with the same question. The fact that suppositions are made that aren't necessarily true, doesn't mean that others may not wonder about this. The topic has gone a bit off-topic, but since the original poster didn't return anyway, I see no reason to delete this topic.


...and unfortunately I was right..... state trojans that infect BIOS and firmware are not POC but are real, and were created and used years, sometimes a decade, ago... apparently they were/are used only on few targets, but who knows, and who wants to risk it or likes to get infected?

I also think that soon malware writers will decode these state trojans and create similar, advanced malware to infect "standard computers".

I hope again that AVs will be proactive and develop BIOS/firmware-specific protection modules that alert as soon as SW tries to write the BIOS/firmware (at least until HW manufacturers implement safer firmware and a jumper/DIP switch to prevent unauthorized flashing).

 

I built a new desktop and updated the BIOS. The update program immediately froze the computer and was not blocked by EMSI. I thought Emsi would alert me that a program wanted to update the BIOS and ask me if I wanted to allow or block it.......

 

btw I just read

http://forums.theregister.co.uk/forum/1/2015/03/19/cansecwest_talk_bioses_hack/

...scary....

 

thank you


Very scary.... and also very much lacking any real evidence or technical information. As such, honestly, I consider such a story worthless.

 

As for advanced malware, be assured that this is used in political/economical espionage. Preferably, sophisticated malware is slipped on hardware that is intended for sources-to-be-monitored (and of interest to the one putting it there), which can for example be a government computer. In other words, the target is not your average home (or even office) computer, and the ones distributing this sort of malware have a vested interest in making sure their code doesn't end up on such computers (because if it does, sooner rather than later it will end up at a security vendor's test computer to be analyzed, which "they" want to avoid at all cost).

 

In other words: should you worry about this? Unless you work for a government and have a computer containing sensitive information that should not be leaked, worrying about this really is not productive.


As of now I'm not really concerned (but wouldn't like it) about being infected by state trojans, since I'm far from being a "target" for them... and even if I were, I don't have things to hide from them....

 

What scares me is that, as we know malware writers, they will try to get this malware, study it, disassemble it, change it a little to avoid (at least signature) detection and use it for their purposes... it's just a question of time... little time, in my opinion.

 

Even I could super easily find a copy of FinFisher/FinSpy, even without looking for it, just for info about it!

 

 

That's why I hope that AVs, EMSI, will be proactive and develop BIOS/firmware-specific protection modules that alert as soon as SW tries to write the BIOS/firmware

That's why I hope that AVs, EMSI, will be proactive and develop BIOS/firmware-specific protection modules that alert as soon as SW tries to write the BIOS/firmware

 

 

The problem, as explained also earlier, is not that we do not detect this, the problem is how it is slipped on those computers. You can think about anything from intercepting the hardware components and fiddling with them to having someone trusted with direct access to the computer plug in an USB drive and run something malicious (and obviously disabling the installed security solution in the process).


That's another problem that SW (probably) cannot solve (or it's very, very difficult).

 

 

I just suggested a specific module, like the banking one, just for "BIOS and firmware block": if a program tries to access them or change them, the user should be alerted/the action blocked unless approved after an online scan. :)


Very scary.... and also very much lacking any real evidence or technical information. As such, honestly, I consider such a story worthless.

 

As for advanced malware, be assured that this is used in political/economical espionage. Preferably, sophisticated malware is slipped on hardware that is intended for sources-to-be-monitored (and of interest to the one putting it there), which can for example be a government computer. In other words, the target is not your average home (or even office) computer, and the ones distributing this sort of malware have a vested interest in making sure their code doesn't end up on such computers (because if it does, sooner rather than later it will end up at a security vendor's test computer to be analyzed, which "they" want to avoid at all cost).

 

In other words: should you worry about this? Unless you work for a government and have a computer containing sensitive information that should not be leaked, worrying about this really is not productive.

 

 

Exactly, people can worry all they want, but unless you have something to hide or your computer contains classified information, it's not worth the effort. Hackers/govt/criminals can get into any computer if they want to; it's just a matter of whether it's worth the effort. So if you're a typical home user with nothing of importance on your computer, the typical hacker is not going to spend half a day trying to get in for no reward.


Exactly, people can worry all they want, but unless you have something to hide or your computer contains classified information, it's not worth the effort. Hackers/govt/criminals can get into any computer if they want to; it's just a matter of whether it's worth the effort. So if you're a typical home user with nothing of importance on your computer, the typical hacker is not going to spend half a day trying to get in for no reward.

I disagree with your statement; hackers have multiple ideas about what they are going to do with your computer once it has been hijacked. One of them is to manipulate your computer to do illegal things, such as hacking into a bank's computer to process illegal transactions using your computer's information in order to make you the culprit. Second is botnet networks, and it is hard to tell if you are part of one unless you are expert enough to dig deeper into it. Last thing is sharing your information across the cybercriminal network. Therefore, it is impossible to retrieve it unless you want the FBI and law enforcement to get involved; otherwise it is already too late once they pull the trigger before you.


I just suggested a specific module, like the banking one, just for "BIOS and firmware block": if a program tries to access them or change them, the user should be alerted/the action blocked unless approved after an online scan. :)

We already have this; the Behavior blocker will alert the user with a "direct disk access" alert. This is pretty much worthless though if your hardware was intercepted before it was shipped to you and someone manually reflashed the firmware.

 

I disagree with your statement; hackers have multiple ideas about what they are going to do with your computer once it has been hijacked. One of them is to manipulate your computer to do illegal things, such as hacking into a bank's computer to process illegal transactions using your computer's information in order to make you the culprit. Second is botnet networks, and it is hard to tell if you are part of one unless you are expert enough to dig deeper into it. Last thing is sharing your information across the cybercriminal network.

 

True, they use all that via traditional infection methods (malicious email attachments that download malware, exploit kits and so on). We protect against all that. No hacker will spend a lot of time (and half a day is really too little to set up such an elaborate operation :)) to manually compromise one lousy computer that in itself has no interest to them at all, when traditional methods are so much cheaper and more convenient.


We already have this; the Behavior blocker will alert the user with a "direct disk access" alert. This is pretty much worthless though if your hardware was intercepted before it was shipped to you and someone manually reflashed the firmware.

 

True, they use all that via traditional infection methods (malicious email attachments that download malware, exploit kits and so on). We protect against all that. No hacker will spend a lot of time (and half a day is really too little to set up such an elaborate operation :)) to manually compromise one lousy computer that in itself has no interest to them at all, when traditional methods are so much cheaper and more convenient.

 

 

Having access to the PC is another story.

I'm talking about a user that gets his PC without malware and wants to keep it this way.

If the government wants to spy, I don't have anything to hide.

I wouldn't like it, but I can live with it if it helps to get the bad guys.

What I DON'T want at all is bad guys on my PC/network....

I think it won't take long before they "copy & change a little" the advanced state malware and use it against "normal" targets.

 

If Emsi's BB warns with a "direct disk access" warning, that's good! ...but in my opinion not enough, since many programs want it.

As suggested before, a special module would be better, something that alerts "a program wants to access the BIOS, USB, HD, etc. firmware; do you want to send it first to EMSI for analysis? Do you really want to install it?"

I think it won't take long before they "copy & change a little" the advanced state malware and use it against "normal" targets.

 

If it was that easy it wouldn't be "advanced malware" now would it? :)

 

If Emsi's BB warns with a "direct disk access" warning, that's good! ...but in my opinion not enough, since many programs want it.

 

I really don't see what the difference is between this and what you suggest; there are a lot of legitimate applications that can access/flash firmware as well.


The difference is that with a direct disk access warning only, many users won't understand exactly what's going on and allow it; with a BIOS/firmware-specific alert many will know exactly what's going on and block it, as most of the SW they are running has nothing to do with BIOS or firmware.


I just suggested a specific module, like the banking one, just for "BIOS and firmware block": if a program tries to access them or change them, the user should be alerted/the action blocked unless approved after an online scan. :)

We already do that actually. We do allow you to prevent applications from installing drivers on your system. Installing and loading a driver is a requirement to flash your system's firmware. There is no way to block the firmware flashing itself, as there is no common interface to do it. Every vendor has their own undocumented interfaces.

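Fabian's point above is that a firmware flash has to install and load a kernel driver first, so what a defender can actually review is driver installation. The following PowerShell script is an added example, not Emsisoft's code and not from the thread: it reads Service Control Manager event 7045 ("A service was installed in the system", a standard Windows event whose data fields are ServiceName, ImagePath, ServiceType and StartType) from the System log, keeps only kernel-mode drivers, and checks the Authenticode signature of each driver image. The 30-day window is an arbitrary choice.

```powershell
# Added example (not from the thread or from Emsisoft): audit recently
# installed kernel drivers, the prerequisite Fabian names for a firmware flash.
# Windows PowerShell 5.1 or PowerShell 7; reading the System log may need an
# elevated prompt. The 30-day window is an arbitrary choice.
$since = (Get-Date).AddDays(-30)

# Event 7045 is written by the Service Control Manager whenever a service or
# driver is registered; its event data carries the name, image path and type.
$installed = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045
    StartTime    = $since
} -ErrorAction SilentlyContinue

$report = foreach ($evt in $installed) {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Only kernel-mode drivers matter here; user-mode services are skipped.
    if ($data['ServiceType'] -notmatch 'kernel mode driver') { continue }

    # Driver image paths appear in several forms (\??\C:\..., \SystemRoot\...,
    # or relative to the Windows directory); normalise so the file can be found.
    $path = ($data['ImagePath'] -replace '^\\\?\?\\', '').Trim('"')
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    # A driver that is unsigned, carries an invalid signature, or has already
    # been deleted after loading is the kind of entry worth a closer look.
    $sig = if (Test-Path -LiteralPath $path) {
               (Get-AuthenticodeSignature -LiteralPath $path).Status
           } else { 'FileMissing' }

    [pscustomobject]@{
        Installed = $evt.TimeCreated
        Service   = $data['ServiceName']
        ImagePath = $path
        StartType = $data['StartType']
        Signature = $sig
    }
}

$report | Sort-Object Installed -Descending | Format-Table -AutoSize
```

This audits installs after the fact; it does not block them, which is the part Fabian says the product's driver-installation control covers. Legitimate vendor flash utilities will show up in the same list, which is exactly the ambiguity discussed above.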

Fabian,

thank you.

Is there a way to know if it is accessing the firmware?

Maybe a specific alert before an access and so maybe before a flashing would help.


As already explained by Fabian:

There is no way to block the firmware flashing itself, as there is no common interface to do it. Every vendor has their own undocumented interfaces. 

 

