Rakshasa: is it possible to design the perfect hardware backdoor?

Pierluigi Paganini July 31, 2012

Every day we read about powerful new malware variants of increasing complexity, used by cyber criminals in fraud schemes and in cyber attacks during state-sponsored operations in cyber warfare scenarios.

This malicious software serves a wide range of purposes, from stealing information to destroying control systems, but all of it shares one property: infected victims can be immunized once the agent is discovered.

Researcher Jonathan Brossard presented, at the latest Black Hat security conference in Las Vegas, a new strain of malware that is practically impossible to disinfect once it has compromised the victim host.

Brossard has named his agent “Rakshasa”, describing it as a “permanent backdoor” that is hard to detect and practically impossible to remove.

It must be clear that the researcher hasn’t found a new vulnerability; he has demonstrated how hard it is to detect a backdoor that uses this kind of infection mechanism. “It’s a problem with the architecture that’s existed for 30 years. And that’s much worse.”

The abstract demonstrates that permanent backdooring of hardware is certainly feasible: Rakshasa is able to compromise more than a hundred different motherboards.

How does Rakshasa work?

Rakshasa infects the host’s BIOS and takes advantage of a potentially vulnerable aspect of traditional computer architecture: any peripheral, such as a network card or a sound card, can write to the computer’s RAM or to the small portions of memory allocated to any of the other peripherals.

First the malware permanently disables security features such as NX, an important protection mechanism against malware, viruses, and exploits. It also removes fixes for System Management Mode (SMM), an operating mode in which all normal execution (including the operating system) is suspended and special separate software, usually firmware or a hardware-assisted debugger, is executed in high-privilege mode.

With these few steps the attacker has significantly reduced the security of the machine; at this point the malware completes the erasing of the hard disks, installing a new operating system.

The researcher also added:

“We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort.”

The name assigned to the malware is that of a mythological demon or evil spirit of Hinduism, known for its habit of possessing human beings and famous for its ability to change appearance and do magic, exactly as the malware does with its victims.

Because of the infection mechanism, sanitizing the PC requires flashing all the devices simultaneously, so that a device being disinfected is not reinfected by the other compromised components.

Brossard declared:

“It would be very difficult to do. The cost of recovery is probably higher than the cost of the laptop. It’s probably best to just get rid of the computer.”
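Because one compromised component can reinfect the others, a firmware integrity check has to cover every flashable device at once. The sketch below is an added example, not code from Brossard's research or from this article: it assumes the peripheral firmware has been dumped as PCI expansion ROM images and that a baseline was recorded from a known-good machine; the component names, IDs and ROM contents are constructed.

```python
import hashlib
import struct

def make_rom(vendor, device, body):
    """Build a constructed one-block (512-byte) expansion ROM image for the demo."""
    img = bytearray(512)
    img[0:2] = b"\x55\xaa"                        # ROM signature
    struct.pack_into("<H", img, 0x18, 0x1C)       # offset of PCI data structure
    struct.pack_into("<4sHH", img, 0x1C, b"PCIR", vendor, device)
    struct.pack_into("<H", img, 0x1C + 0x10, 1)   # image length, 512-byte units
    img[0x1C + 0x15] = 0x80                       # indicator: last image
    img[0x40:0x40 + len(body)] = body
    return bytes(img)

def parse_roms(dump):
    """Return (vendor, device, code_type, sha256) for each image in a ROM dump."""
    found, off = [], 0
    while off + 0x1A <= len(dump) and dump[off:off + 2] == b"\x55\xaa":
        pcir = off + struct.unpack_from("<H", dump, off + 0x18)[0]
        if pcir + 0x18 > len(dump) or dump[pcir:pcir + 4] != b"PCIR":
            break
        vendor, device = struct.unpack_from("<HH", dump, pcir + 4)
        size = struct.unpack_from("<H", dump, pcir + 0x10)[0] * 512
        code_type, indicator = struct.unpack_from("<BB", dump, pcir + 0x14)
        if size == 0 or off + size > len(dump):
            break
        digest = hashlib.sha256(dump[off:off + size]).hexdigest()
        found.append((vendor, device, code_type, digest))
        if indicator & 0x80:                      # bit 7 set: no further images
            break
        off += size
    return found

def audit(dumps, baseline):
    """Per-component verdicts; the machine passes only if every component is ok."""
    report = {}
    for name in sorted(set(dumps) | set(baseline)):
        if name not in dumps:
            report[name] = "missing dump"
        elif name not in baseline:
            report[name] = "no baseline"
        else:
            report[name] = "ok" if parse_roms(dumps[name]) == baseline[name] else "MISMATCH"
    return report, all(v == "ok" for v in report.values())

# Constructed sample data: two known-good images, then a NIC ROM with altered bytes.
GOOD = {"nic": make_rom(0x1234, 0x0002, b"pxe"), "sound": make_rom(0x1234, 0x0003, b"snd")}
BASELINE = {name: parse_roms(img) for name, img in GOOD.items()}
SUSPECT = dict(GOOD, nic=make_rom(0x1234, 0x0002, b"pxe-modified"))
print(audit(GOOD, BASELINE)[1], audit(SUSPECT, BASELINE)[1])  # True False
```

Bytes outside the declared image lengths are not hashed here, so a real check should also compare a digest of each complete dump, taken with a reader that does not depend on the machine under test.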

Rakshasa has been developed with open source BIOS software, including the Coreboot project and SeaBIOS; thanks to its compatibility with the majority of hardware, it is hard to detect.

When the machine boots up, the malware downloads all the malicious code it needs; of course it disables the resident antivirus and stores the code in memory, avoiding leaving traces on the hard disk that could give evidence of the infection.

The most important issue regarding Rakshasa is not its capability to infect victims at random: Brossard alerted the scientific community to the possibility of using the agent as a backdoor in the hardware. In many cases doubts have been raised about the possible presence of backdoors inside Chinese devices, especially in telecommunications.

Hardware qualification is a serious problem; consider the impact of a compromised device in a military environment, or in the mass distribution of a widely used technological system.

The researcher reports:

“The whole point of this research is to undetectably and untraceably backdoor the hardware,”

“What this shows is that it’s basically not practical to secure a PC at all, due to legacy architecture. Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.”

Intel, reviewing the paper proposed by Brossard, declared:

“there is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines, which require any changes to the BIOS to be signed with a cryptographic code, and it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.”

The abstract is really interesting: we always discuss the theoretical existence of backdoors in Chinese devices, and the proof of concept gives more information on how a backdoor works and how hard it is to detect if it is implanted directly in the production process with cyber espionage intent.

The case introduced by the researcher gives the opportunity to discuss again the possibility of developing a secret and efficient backdoor, a deadly cyber weapon that every government is dreaming of. Of course we are speaking of a backdoor that only manufacturers could introduce so simply; that is why in every cyber strategy the problem of qualifying the security level of appliances is crucial. The main problem is to be able to discover similar backdoors in the products that daily invade our markets.

Pierluigi Paganini

