Malicious software, like all software, gets smarter all the time. In recent years it’s learned to destroy physical infrastructure, install itself through Microsoft updates, and use human beings as physical “data mules,” for instance. But researcher Jonathan Brossard has innovated a uniquely nasty coding trick: A strain of malware that’s nearly impossible to disinfect.
At the Black Hat security conference in Las Vegas Thursday, Brossard plans to present a paper on “Rakshasa,” a piece of proof-of-concept malware that aims to be a “permanent backdoor” in a PC, one that’s very difficult to detect, and even harder to remove.
.... Rakshasa infects the computer’s BIOS, the part of a computer’s memory that boots its operating system and initializes other system components. But it also takes advantage of a potentially vulnerable aspect of traditional computer architecture: Any peripheral like a network card, CD-ROM, or sound card can write to the computer’s RAM or to the small portions of memory allocated to any of the other peripherals. So Brossard has given Rakshasa the ability to infect all of them. And if the BIOS or network card is disinfected, for instance, it can be reinfected from any one of the other compromised components...
A spokesperson for Intel, the company as close as any to being responsible for the architecture of modern PC hardware, says it’s reviewed Brossard’s paper, and dismisses it as “largely theoretical,” writing that “there is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines that require any changes to BIOS to be signed with a cryptographic code, and it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.”
Originally posted by visualmiscreant
So how does one find out if his/her machine is infected?
Originally posted by grey580
And in any case, nothing is undetectable.
The Malware would be sending out network traffic to communicate with a C&C server.
And that would mean there's a way to detect the traffic and nullify communication with that C&C server.
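The detection angle grey580 describes can be made concrete. The script below is an added example, not code from this thread or from Brossard's Rakshasa paper: it scans outbound connection records for *beaconing*, the near-fixed-interval, near-constant-size polling pattern a backdoor typically shows when it checks in with its C&C server. The log format and every host and timestamp in it are constructed for the example; a real deployment would feed it proxy, firewall or NetFlow exports instead, and the thresholds are illustrative rather than tuned.

```python
"""Beacon detection over outbound connection logs (added example).

Whatever firmware a backdoor hides in, its C&C traffic still crosses the
network. One classic signal is beaconing: the implant polls the same
external host on a regular schedule with tiny, near-identical requests.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one record per line:
#   "<ISO timestamp> <src_ip> -> <dst_host> <bytes_out>"
# 203.0.113.7 is polled every ~5 minutes with ~410 bytes; the other
# destinations are ordinary, irregular traffic.
SAMPLE_LOG = """\
2012-07-26T09:00:00 10.0.0.5 -> mail.example.org 2310
2012-07-26T09:00:02 10.0.0.5 -> 203.0.113.7 412
2012-07-26T09:01:17 10.0.0.5 -> cdn.example.net 91833
2012-07-26T09:05:02 10.0.0.5 -> 203.0.113.7 408
2012-07-26T09:07:44 10.0.0.5 -> mail.example.org 1180
2012-07-26T09:10:01 10.0.0.5 -> 203.0.113.7 415
2012-07-26T09:15:03 10.0.0.5 -> 203.0.113.7 410
2012-07-26T09:16:30 10.0.0.5 -> cdn.example.net 4471
2012-07-26T09:20:02 10.0.0.5 -> 203.0.113.7 409
2012-07-26T09:25:01 10.0.0.5 -> 203.0.113.7 413
2012-07-26T09:31:12 10.0.0.5 -> mail.example.org 2980
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def find_beacons(text, min_connections=5, max_jitter=0.10, max_size_spread=0.25):
    """Return {(src, dst): summary} for flows that look like C&C beacons.

    A flow is flagged when it has at least `min_connections` events, its
    inter-connection gaps are very regular (coefficient of variation at or
    below `max_jitter`), and its outbound sizes are near-constant (a
    heartbeat carrying no real payload). Thresholds are illustrative.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in parse_log(text):
        flows[(src, dst)].append((ts, nbytes))

    hits = {}
    for key, events in flows.items():
        if len(events) < min_connections:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        mean_gap = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap else float("inf")
        size_spread = (max(sizes) - min(sizes)) / statistics.mean(sizes)
        if jitter <= max_jitter and size_spread <= max_size_spread:
            hits[key] = {
                "count": len(events),
                "mean_interval_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"possible beacon {src} -> {dst}: {info}")
```

Run against the sample it reports the single regular flow to 203.0.113.7 and ignores the mail and CDN traffic. The two-part test (regular timing plus constant size) is what keeps ordinary periodic activity such as mail polling from tripping the rule as easily; in practice you would also whitelist known update and telemetry endpoints and tune the thresholds to the interval jitter the implant family actually uses.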
Originally posted by The X
What made me aware that something was wrong was this.
When I went to install a clean OS, when you put the disk in and set the BIOS to boot from CD-ROM, as the disk first picks up and the data is read, you see a white bar appear on the bottom of the screen, and in around 2 seconds, in jumps of around 33% of the bar, it fills up and vanishes, to be replaced by the normal white Windows loading bar that shows you the basics of the OS are being loaded to RAM disk.
Originally posted by Maxmars
The malware name comes from a mythological 'demon' or 'unrighteous spirit' in Hindu or Buddhist religion. (Rakshasas are notorious for disturbing sacrifices, desecrating graves, harassing priests, possessing human beings, and so on. Their fingernails are venomous, and they feed on human flesh and spoiled food. They are shapechangers, illusionists, and magicians.)