Meet 'Rakshasa,' The Malware Infection Designed To Be Undetectable And Incurable

Meet 'Rakshasa,' The Malware Infection Designed To Be Undetectable And Incurable

news.hitb.org

Malicious software, like all software, gets smarter all the time. In recent years it’s learned to destroy physical infrastructure, install itself through Microsoft updates, and use human beings as physical “data mules,” for instance. But researcher Jonathan Brossard has innovated a uniquely nasty coding trick: A strain of malware that’s nearly impossible to disinfect.

(visit the link for the full news article)


Related News Links:
w ww.forbes.com
www.toucan-system.com

The malware name comes from a mythological 'demon' or 'unrighteous spirit' in Hindu or Buddhist religion. (Rakshasas are notorious for disturbing sacrifices, desecrating graves, harassing priests, possessing human beings, and so on. Their fingernails are venomous, and they feed on human flesh and spoiled food. They are shapechangers, illusionists, and magicians.)

This can be one heck of a serious problem if the reporting is accurate.

The author/researcher , Jonathan Brossard, appears to have created a strain of malware that’s nearly impossible to disinfect.

Source

At the Black Hat security conference in Las Vegas Thursday, Brossard plans to present a paper on “Rakshasa,” a piece of proof-of-concept malware that aims to be a “permanent backdoor” in a PC, one that’s very difficult to detect, and even harder to remove.

This code seems to use a PC's own hardware as a persistent repository for re-infection.

.... Rakshasa infects the computer’s BIOS, the part of a computer’s memory that boots its operating system and initializes other system components. But it also takes advantage of a potentially vulnerable aspect of traditional computer architecture: Any peripheral like a network card, CD-ROM, or sound card can write to the computer’s RAM or to the small portions of memory allocated to any of the other peripherals. So Brossard has given Rakshasa the ability to infect all of them. And if the BIOS or network card is disinfected, for instance, it can be reinfected from any one of the other compromised components...

In a review by For bes - ever the mouthpiece for corporate might, they asked Intel about this theoretical malware:

A spokesperson for Intel, the company as close as any to being responsible for the architecture of modern PC hardware, says it’s reviewed Brossard’s paper, and dismisses it as “largely theoretical,” writing that “there is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines that require any changes to BIOS to be signed with a cryptographic code. and it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.”

Sounds like the famous "last words" of yet another over-confident industry proclaiming the glorious invulnerability of their "new and improved" technology.

Here is the text of the research paper for your consideration.


news.hitb.org
(visit the link for the full news article)

I'll end up reading the article(s) but I just want to know about this part "The author/researcher , Jonathan Brossard, appears to have created a strain of malware that’s nearly impossible to disinfect. " Why...? just why? I'm not too computer savy and with the way everything seems to be worded it's nothing similar to how we "prevent" viruses in that one figures out how they work. Since he seems to have made on that is undetectable and incurable...it still makes me wonder why then again that just makes me want to read those sources more..

reply to post by Maxmars

So this is just one they're telling us about. Wonder what else is already out there, or sitting on our hard drives right now waiting to be deployed?

And to MystiqueAgent:

There's tons of money in this. Unfortunately there are those who will be in the market...

reply to post by MystiqueAgent


Apparently this researcher has been pointing out a flaw int he architecture used by PC for decades. He has maintained that the 'standard' to which the industry designs computers gives rise to the vulnerability.

In my opinion, that's almost as if computer design 'required' the ability to be infected.... so there's one conspiracy angle for you

Intel and other mega corporations are collectively crafting these standards... they built their entire industry around them... and aside from the rogue "Apple" of days gone by (certainly lost it's exempt status, though), designing a different architecture was the kiss of death for your product... no third party company would support it....

the researcher may or may not be benign as far as the industry is concerned; but his point is clear.... why design a boat with a hole in it? So you can sell corks to stop the leak?

This is not theory, it is already happening, and has been for a couple of years, with the advent of windows seven and the culture of wanting operating systems for free, people were willing to visit a site and download a revised slic table and bios update that made your pc appear as though it had come from any one of the OEM builders.
The installation of the slic table then allowed you to introduce a crack for windows seven, that made it look as though the copy was a pre installed OEM version.

The crack was encrypted and contained within it was a bootkit that was bios resident, i was unfortunate to buy a second hand machine that contained this virus, as far as i know it is still on the bios, after multiple attempts to clean it by installing a new bios and overwriting the virus, it will not allow it to happen.
A copy of the virus i have also found in the host protected area of any of the disks i have used on this motherboard.

Even after a complete format, removing the ram and letting it charge dissipate, removing the bios battery, replace, reformat the drive, and begin again with a clean install, it still survives.

If anyone wants a copy of this for research purposes u2u me, ill give you the link where it is resident as a 3mb program, don't go and get it out of curiosity, only get it if you are serious about researching it.

reply to post by Maxmars


Ah thank you for that analysis Hmm.. now I'm rather curious about several other aspects at least in the technological aspects. Just have to wonder what other things will be thrown out (story wise) due to this new insight.

reply to post by The X


I wonder if you could degauss the hard drive and ram with an electromagnet?

I don't know but it would disrupt any magnetic disk?

So how does one find out if his/her machine is infected?

I'm skeptical.

And in any case. Nothing is undetectable.
The Malware would be sending out network traffic to communicate with a C&C server.
And that would mean there's a way to detect the traffic and nullify communication with that C&C server.

reply to post by The X


Actually you bring up a point. If they haven't already, and I haven't noticed, Microsoft should end its policy of requiring certified licenses to receive updates to OS's. Why? Because improved releases make for fewer defenseless systems that can turn into robots in an attack. We do not want a bunch of poorly configured machines with the last millennium's software controlling them.

The attacks of today and the future are not single machine attacks or even attacks aimed at disabling a bunch of individual's machines. Our machines are being infected and used in massive botnet attacks utilizing command and control servers to direct the armies of drone machines that have been hijacked by malware. Low capability, out of date machines are the most vulnerable to be slaved into such attacks.

I think Intel was whistling past the graveyard with their comments. Obviously things are getting tighter but that just weeds out the garden variety cracker. Given enough time and money, everything can be cracked and frankly, I'm suspicious that everything has at least enough hidden flaws in it to be brought down in a national emergency.

reply to post by visualmiscreant


I don't know about the BIOS-resident rootkit that our friend The X is referring to, but this particular malware "Rakshasa" is not something that is "in the wild" so to speak. Or at least, I am hoping it is not in the wild.

Nevertheless, if there is something out there already working on the principles outlined int he paper... finding it will be only a small part of the fix. And perhaps we really can't find it....because of the way it's distributed in the hardware.... good question! Wish I really knew an answer.

Originally posted by visualmiscreant
So how does one find out if his/her machine is infected?

What made me aware that something was wrong was this.
When i went to install a clean OS, when you put the disk in and set the bios to boot from cd/rom, as the disk first picks up and the data is read, you see a white bar appear on the bottom of the screen, and in around 2 seconds in jumps of around 33% of the bar it fills up, vanishes, to be replaced by the normal white windows loading bar that shows you the basics of the OS are being loaded to ram disk.
There should only be one of these bars, it is very easy to miss, and it took me some time to get to grips with what was happening, it looks so normal.
The first bar is showing the progress of the infection being pulled from bios into ram space before the rest of the ram disk for the OS is loaded.
At this point, if your drive was clean, it becomes infected.

reply to post by Maxmars

At the moment I'm still using XP, just because of the familiarity. Also I only have 512mb memory at the moment. However, I have installed shall we say, questionable versions of Vista and Seven on this machine in the past just to demo them. The deal is, if the version I installed had the virus and infected the machine, it appears that I could still have the problem on XP.

I'm not saying I have any problems; in fact everything has been smooth for quite awhile.

At times I use a hard drive with MacPup on it as well. Am I safe in assuming that the infection does not affect Linux Distributions?

reply to post by The X

Wow. Seems like it would have been better not to echo the progress bar when they designed this. Unless perhaps they needed this to "diagnose" newly infected machinery....

Originally posted by grey580
I'm skeptical.

And in any case. Nothing is undetectable.
The Malware would be sending out network traffic to communicate with a C&C server.
And that would mean there's a way to detect the traffic and nullify communication with that C&C server.

"I'm skeptical."
Me too. Sounds like scare tactics to me.

Bios infection used to happen years ago but now most bios chips are protected, some even keep a backup on a second chilp thats not write enabled.

As to the reference above about formatting to remove a virus, that will remove some but ideally you need to delete the partition (primary and any secondary) and rewrite the boot sectors, then do a full(slow) format. Your windows install disk can do this for you.

Originally posted by The X

What made me aware that something was wrong was this.
When i went to install a clean OS, when you put the disk in and set the bios to boot from cd/rom, as the disk first picks up and the data is read, you see a white bar appear on the bottom of the screen, and in around 2 seconds in jumps of around 33% of the bar it fills up, vanishes, to be replaced by the normal white windows loading bar that shows you the basics of the OS are being loaded to ram disk.

What happens if you install a different OS? Does the same odd bar show up if you install Linux from a cdrom? Does the boot sector get infected with a different OS installed?

I just wonder if the infection is OS specific or is somehow related to your Windows installation media. Have you used the Windows installation media on other hardware without an infection showing up?

reply to post by visualmiscreant


It's only my opinion, but I don't think you need to fear much about this kind of thing. It's not that it couldn't happen; but unless you see a specific peculiarity in the way your machine is working, or if you appear to be flooding your network even when you aren't doing anything, there's no reason to suspect.

presumably you use one of the many anti-virus programs, and maybe even the firewall that comes with windows; for most users, that should suffice. As I tell my children, "keep your nose out of trouble, and no trouble will come to you." stay with trusted sites, legitimate software, and safe computing habits (restrict admin rights, no haxor, cracks,or such.), and you are unlikely to be the victim of malware.... but remember - it's in the nature of the beast... malware can 'find you'... so stay alert.

computer viruses make me laugh.

they can be defeated by pressing the power button to off on your desk top.

Originally posted by Maxmars

The malware name comes from a mythological 'demon' or 'unrighteous spirit' in Hindu or Buddhist religion. (Rakshasas are notorious for disturbing sacrifices, desecrating graves, harassing priests, possessing human beings, and so on. Their fingernails are venomous, and they feed on human flesh and spoiled food. They are shapechangers, illusionists, and magicians.)

And the fantasy version - is completely resistant to magic in DnD if I remember correctly - which is even more significant in that it implies the virus' resistance to being cleaned or removed.

So, all-in-all they chose a very apt name for the malware.

Sidenote - the DnD version is able to mimic (shapechange) so that it "appears" as a different race/kind.