Looking for malware in all the wrong places?

By Markus Jakobsson, ITworld |  Security, malware 60 comments

March 15, 2010, 9:33 AM Anti-virus products scan for malware in two ways. They look for sequences of bits that are found in programs that are known to be bad (but which are not commonly found in good programs). And they run programs in sandboxes and look for known malicious actions. The first approach only catches known malware instances, while the second can also catch variants of these. Still, many malware agents slip through the cracks undetected... until the rules of the anti-virus programs are updated, that is. It is a constant battle between the attackers and the defenders.

Instead of looking for known patterns -- whether of instructions and data, or of actions -- wouldn't it be great if we could look for anything that is malicious? That may sound like a pipe dream.

Not to me.

Let me tell you why. But first, let's agree about some things.

1) There are absolutely only three things malware can do when you scan for it. One: be active in RAM, maybe trying to interfere with the detection algorithm. Two: not be active in RAM, but store itself in secondary storage. It cannot interfere with the detection algorithm then, quite obviously. And option number three: erase itself.

2) Any program -- good or bad -- that wants to be active in RAM has no choice but to take up some space in RAM. At least one byte, right?

Assume now that we have a detection algorithm that runs in kernel mode, and that swaps out everything in RAM. Everything except itself. Well, malware may interfere, of course, as it often does, and remain in RAM. But if we know how big RAM is, we know how much space should be free. Assume we write pseudo-random bits over all this supposedly free space. Again, a malware agent could refuse to be overwritten. It could store those random bits somewhere else instead... like in secondary storage.

Then, let us compute a keyed hash of the entire memory contents -- both our detection program and all the random bits. Here is what could happen: If there is no malware in RAM, the results will be the expected result. An external verifier checks this, and tells us that the scanned device is clean. Or there could be malware in RAM, and the checksum will be wrong. The external verifier would notice and conclude that the device must be infected. Or malware could divert the read requests directed at the place it is stored to the place in secondary storage where it stored the random bits meant for the space it occupies. That would result in the right checksum... but a delay. This delay would be detected by the external verifier, which would conclude that the device is infected.

Why a delay, you ask? Because secondary storage is slower than RAM. Especially if the order of the reads and writes are done in a manner that intentionally causes huge delays if diverted to flash, hard drives, etc.

All we need is the help of an external verifier that knows how much RAM a device we want to protect has, and how fast its processor is. And ways to avoid latency variance when we measure the time to compute the checksum.

This tells us a few interesting things. We can guarantee detection of malware. And that includes zero-day attacks and rootkits. We can even guarantee that we will detect malware that infected a device before we installed our detection program. Think about it. Or read more here and here.

60 comments

Anonymous 1 year ago
This is very interesting as in theory it makes sense. I looked into this some more...He makes some interesting comparisons to DNA and Disease in a follow-up article:http://www.securityweek.com/content/how-identify-malware-blink
Flag comment  |  Permalink Reply
Anonymous 1 year ago
A1 and Mr. Wizard have it right.Facts:Microsoft code is a secret so how can you "know" what's going on in all the various ways between malware and the OS? We only know about the malware that we detect (and not very much about a lot of it). We don't detect a lot of malware because code obfiscation, specialized limited-use malware and variants are rampant so you don't know for sure when you are infected or not.The sane thing to do is to assume any internet-connected computer that is not under severe usage restrictions will be infected. If you want to hold sensitive data on a computer or use it for important and sensitive login transactions then severely limit it's internet access and virtualize whatever you can, purging the session after each use. Then you won't have to have extensive discussions about how to "detect" infections, etc.
Flag comment  |  Permalink Reply
Anonymous 1 year ago
What we have found more frequently, is that there are more options than you define. We have "cleaned" infected machines with Cold Scans (from another computer), Live Scans with every decent scanning tool known to man (and we're pretty damned good at this after 15 years) - only to have the computer reinfect itself a day later.We have concluded there are either inert files left on the computer that do not show as infected until a certain time occurs or until they are triggered by an outside event.Either that, or there are registry keys that also detect as inert that trigger a payload installation.The malware landscape is considerably more complicated than you make out.We need a hardware-based solution that simply does not allow malware-like activity to function. Period. When we achieve this, we'll be back in the drivers seat. Until then we are not in control by any stretch of anyone's imagination.
Flag comment  |  Permalink Reply
Anonymous 1 year ago
I see lots of suspicious comments there, I can understand such reactions, as I myself did some practical attacks on some related schemes known as software-based attestation systems (shameless self advertisement: paper available on my homepage).However, there are a few facts to note:Those schemes work best for embedded systems. Take your android cell phone, the carrier knows :- the device you use and the amount of memory available- exactly which version of the firmware on the device- the additional applications will be known as well, e.g. fetched from the Android Market. Or the phone could just report the list of applications before running the protocol.So basically the assumptions you may do on a PC architecture might not be valid there. Especially for the size of the memory. While anyone can replace the RAM with a bigger one on your PC or laptop, it's (almost) impossible to do so on your cell phone.This is even more true for micro-controllers, that run a single blob of code (firmware).Personal data is now mostly stored on the could (think gmail etc...), or would be in non-executable areas this lets no real solutions or places for the malware to hideGiven that the external verifier knows the expected contents of memories he could then easily compare the hash returned against the expected hash. I'm not personally saying that this is the "silver bullet" security tool, and some challenges might remain to be solved. However, even if first revisions of the scheme shows limitations or vulnerabilities this significantly raises the bar for an attacker. This is usually good to take. Moreover, as many new security schemes it needs to be carefully analyzed, I'm looking forward to see a full specification and working implementation before giving a strong judgment on it...Aurélien
Flag comment  |  Permalink Reply
Anonymous 1 year ago in reply to Anonymous
Thanks for the comment, Aurelien. You are right when you say that our solution is well suited to address mobile malware, but that it is a bit more arduous to do it for "regular" computing platforms -- laptops and desktops. Your reason is right on target: it is easy to know the hardware configuration for a handset. As for analysis, of course you are right. Every security solution worth considering needs peer review, and careful and critical analysis. (This is also one of the reasons why I am asking people to *please* read the full papers before jumping to conclusions: blogs are not well suited for graphs, figures theorems and proofs.) A first paper is publicly available at http://dimacs.rutgers.edu/TechnicalReports/abstracts/2010/2010-03.html -- please contact me for a copy of a second paper. The second is more efficient, and requires less stringent assumptions. Cheers,Markus
Flag comment  |  Permalink Reply
Anonymous 1 year ago
How fast is the screening? Is this really something you can do every time you establish an SSL connection?
Flag comment  |  Permalink Reply
Anonymous 1 year ago in reply to Anonymous
The speed depends ultimately on the amount of RAM that has to be screened and the processor speed. For a 600MHz processor and 256 Megs of RAM, the fast version (second paper) takes below a second if the client and verifier communicate by 3G or WiFi. The exact speed depends on the network latency. Speed is not a big problem here. The most annoying aspect may be that one has to swap out all processes -- or at least deactivate them. This means that you cannot keep a phone call going while you do the scanning, for example. However, you can do it as part of accessing a webpage. The server would not complete the SSL setup until the verification completed. So yes, you can do it for every SSL connection. It will add a delay of similar magnitude as the setting up of the SSL connection itself. Cheers,Markus
Flag comment  |  Permalink Reply
Anonymous 1 year ago
"Defending against adversarial strategy 4 – modify detection code. The security against adversarial strategy 4 follows directly from assumption 2 (code optimality), with the exception of a “kamikaze strategy” in which the adversary corrupts the execution of some of the steps (as described in section 3), and then willingly loads legitimate code and removes itself. Such an adversary could only corrupt step 1 of the process, as it will have to be overwritten during step 2 to avoid detection. Moreover, it needs to correctly perform the setup in step 1; this means that the only harm it can do is to cause an incorrect state to be swapped out in step 1. It can write anything it wants to to swap space. It can place a copy of itself in the swap space, or a copy of a legitimate but vulnerable application, with an input triggering an opportunity for malware to be loaded. However, the swap space will be scanned along with all other memory during step 5, and any known malicious configuration will be detected."Why will it have to be overwritten in stage 2? The malware can simply emulate your expected output. In fact all it needs is to simulate execution of your code. A possible counter to this is to modify the detection algorithm every time. But this is not possible, since, according to your paper, it must be optimal. There are only so many optimal versions. It is simply a race between how many different versions can be put out there, and how quickly malware writers mimic your code.However, if your code is different all the time, then that implies that you will be loading up different blocks of code in privileged mode. Since the malware will intercept this code, and attempt to determine if it can emulate it, then your clock starts not when you begin checking ram, but when you *load* the code. Which means the code must load and run instantly. And that, in turn, means that the device itself is insecure: how does the user say "I accept this piece of new kernel code that is to run with full permissions?"Just asking this question is when the malware begins to get ready for duping your code. If this question is never asked, then any device that supports your software is open to pwnage by anyone with the protocol.There is no way your code can run instantly, without creating a new vector through which malware can attack.
Flag comment  |  Permalink Reply
Anonymous 1 year ago in reply to Anonymous
Hi Lalala, Thanks for taking the time to read the first paper. Please take a moment to read the second one, too. The code optimality assumption is no longer needed there, and your concerns -- I believe -- would be addressed. Drop me a line to discuss more; or post a follow-up. You clearly understand the issues well, and I want to make sure you see the subtleties, and why this actually avoids the problem you are concerned with.Cheers,Markus
Flag comment  |  Permalink Reply
Anonymous 1 year ago
It wouldn't take more than a high schooler with reading comprehension abilities to point out that most of the commenters here are not only not reading the many times referenced whitepaper, but also not even reading the whole comment thread. Seriously, people, only respond to something that you're sure you have the knowledge context to address, or at least don't bring up the same thing just a page scroll down from someone else.Markus is apparently too nice to have said this explicitly. It's kind of painful to read, actually.Now I'll shut up and read because I know I don't grok this yet. (All Socratic-like)
Flag comment  |  Permalink Reply
Anonymous 1 year ago
How do you detect a rogue antivirus program that the user insists is working great and wants to keep it because he refuses to recognize that he threw away $50?
Flag comment  |  Permalink Reply
Anonymous 1 year ago in reply to Anonymous
Well, if having the rogue AV program prevents the consumer from wanting to use our technique, there is not much you can do -- unless the consumer's bank, employer, etc., mandates the use. But if the consumer runs our detection program, the rogue AV program will be detected -- at that point, it is no different from other active malware with kernel-level access. Which we deal with.Cheers,Markus
Flag comment  |  Permalink Reply
Anonymous 1 year ago
You forgot to consider the option where the malware hides within the kernel, as rootkit can do. In this scenario, scanning the non-kernel RAM would be usefless.
Flag comment  |  Permalink Reply

Add a comment

Post a comment using one of these accounts
Or join now
At least 6 characters

Note: Comment will appear soon after you have activated your account.
Obscene/spam comments will be removed and accounts suspended.
The information you submit is subject to our Privacy Policy and Terms of Service.

ITworld LIVE

SecurityWhite Papers & Webcasts

White Paper

Overcome Top 7 Admin Challenges of Active Directory

As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable, enforceable processes that reduces administrative overhead and enables robust, customizable reporting and auditing capabilities. Brought to you by NetIQ.

White Paper

Insiders Can Ruin Your Company. Take Action.

Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in organizations worldwide. This white paper from NetIQ, discusses key technology solutions that help to prevent and detect insider threats.

White Paper

Top Solutions and Tools to Prevent Devastating Malware

Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring (FIM) tools that provide immediate alerts. This white paper has been brought to you by NetIQ, the leader in solving complex IT challenges.

White Paper

Streamline Compliance and Increase ROI

Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will help your business gain the maximum return on investment possible while aligning your compliance programs.

White Paper

X-Ray of the PCI Process-4 Proactive Steps

This white paper from Forrester Research Inc., helps break PCI into understandable components. Security and risk professionals will gain knowledge and insight into creating a compliant and secure IT environment. Follow these four proactive steps now before your next audit. Brought to you by NetIQ.

See more White Papers | Webcasts

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Join Now

New questions

How to distribute apps to mobile employees?
3 answers
Why do VoIP calls over WiFi still get counted as "minutes used" by mobile providers?
0 answers
Which is better for password security, length or complexity?
2 answers
What are the chances that the cloud will kill off the PC?
2 answers
Where can I find tech services providers that focus on really small businesses?
0 answers
View more questions

Ask a question

Join Now or Sign In to ask a question.
Ask a Question