You May Be Able to Find Invisible Malware, But the Fix Is Hard

Knowing there's such a thing as invisible malware that's beyond the reach of your anti-malware software is scary enough. But what about when you learn that, even if you do locate this stuff, you might not be able to get rid of it? Unfortunately, depending on the type of hardware-based malware we're talking about, that might well be the case.

I already wrote last week about the problem of invisible malware, which can exist in your computer's Basic Input/Output System (BIOS) and can harbor virtual rootkits. These rootkits can then quietly take over your servers, desktops, or other devices. Because they exist in hardware, your endpoint protection or other anti-malware packages generally can't see them. In fact, you might never know you're infected until your data shows up for sale after a breach.

Detecting Malware

Fortunately, experts have found ways to reveal this invisible malware, but, as if the bad guys were keeping pace, there are also new ways for it to be installed. Still, the task of finding it has been made somewhat easier. For example, a new vulnerability in Intel processors called "ZombieLoad" may be attacked through exploit code delivered in software. This vulnerability may allow the insertion of malware in a computer's BIOS remotely.

While researchers are still studying ZombieLoad, trying to determine the extent of the problem in this latest round of Intel exploits, the fact is that such hardware exploits can extend throughout the enterprise. "Firmware is programmable code sitting on a chip," explains Jose E. Gonzalez, co-founder and CEO of Trapezoid. "You have a bunch of code on your system that you're not looking at."

Exacerbating this problem is the fact that this firmware can exist all over your network, in devices ranging from webcams and security devices to switches and routers to the computers in your server room. All of them are essentially computing devices, so any of them can harbor malware holding exploit code. In fact, just such devices have been used to launch denial-of-service attacks (DoS attacks) from bots based in their firmware.

Trapezoid 5 is able to detect the presence of firmware-based malware through a unique system of watermarks that cryptographically ties each device's firmware to any hardware on which it's ever run. This includes virtual devices, including virtual machines (VMs) located either on premises or virtual Infrastructure-as-a-Service (IaaS) being run in the cloud. These watermarks can reveal whether anything in the device's firmware has changed. Adding malware to the firmware will change it so that the watermark is invalid.

Trapezoid includes a Firmware Integrity Verification Engine that helps spot problems in the firmware, and allows the security staff to examine them. Trapezoid also integrates with many security policy management and reporting tools so that you can add appropriate mitigation strategies for infected devices.
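The watermarking idea described above, reduced to its essentials as an added example (not Trapezoid's code or scheme): a verifier keeps a keyed digest that binds a firmware image to the identity of the device it was enrolled on, so a modified image, or the same image reported by a different device, fails the check. The device identifiers, the verifier key, the sample images and the "vendor reference" digest are all constructed for the demonstration.

```python
"""Detect firmware modification by binding each image to the device that runs it."""
import hashlib
import hmac

# Constructed sample images standing in for a real BIOS/firmware dump.
GOOD_FIRMWARE = b"vendor-bios-v1.2\x00" + bytes(range(256)) * 4
# The same image with a few bytes overwritten, as an implant would do.
_tampered = bytearray(GOOD_FIRMWARE)
_tampered[300:308] = b"\x90\x90\x90\x90JUNK"
TAMPERED_FIRMWARE = bytes(_tampered)

# Hypothetical verifier key. It belongs to the verification system, not to the
# monitored device, so a device cannot forge its own watermark.
VERIFIER_KEY = b"constructed-demo-key-do-not-reuse"


def firmware_watermark(image: bytes, device_id: str, key: bytes = VERIFIER_KEY) -> str:
    """HMAC over (image digest || device id): changes if either one changes."""
    digest = hashlib.sha256(image).digest()
    return hmac.new(key, digest + device_id.encode(), hashlib.sha256).hexdigest()


class FirmwareRegistry:
    """Records the watermark of each device's known-good firmware and re-checks it."""

    def __init__(self, key: bytes = VERIFIER_KEY) -> None:
        self.key = key
        self.expected = {}  # device_id -> watermark recorded at enrollment

    def enroll(self, device_id: str, image: bytes) -> None:
        self.expected[device_id] = firmware_watermark(image, device_id, self.key)

    def verify(self, device_id: str, image: bytes) -> str:
        """Return 'ok', 'firmware-changed', or 'unknown-device'."""
        expected = self.expected.get(device_id)
        if expected is None:
            return "unknown-device"
        actual = firmware_watermark(image, device_id, self.key)
        return "ok" if hmac.compare_digest(actual, expected) else "firmware-changed"


def matches_vendor_reference(image: bytes, vendor_sha256_hex: str) -> bool:
    """Compare an image against a vendor-published digest (hypothetical value here)."""
    return hmac.compare_digest(hashlib.sha256(image).hexdigest(), vendor_sha256_hex)


def demo() -> dict:
    """Enroll one device, then exercise the clean, tampered and unenrolled cases."""
    registry = FirmwareRegistry()
    registry.enroll("switch-01", GOOD_FIRMWARE)
    # Stands in for the digest a vendor would publish for this image version.
    vendor_ref = hashlib.sha256(GOOD_FIRMWARE).hexdigest()
    return {
        "clean": registry.verify("switch-01", GOOD_FIRMWARE),
        "tampered": registry.verify("switch-01", TAMPERED_FIRMWARE),
        "unenrolled": registry.verify("switch-02", GOOD_FIRMWARE),
        # Same image, different device: the watermark must differ.
        "bound_to_device": firmware_watermark(GOOD_FIRMWARE, "switch-01")
        != firmware_watermark(GOOD_FIRMWARE, "switch-02"),
        "tampered_matches_vendor": matches_vendor_reference(TAMPERED_FIRMWARE, vendor_ref),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check is only as trustworthy as the image it is fed: if the firmware dump is read back through a host whose firmware is already compromised, the implant can return a clean copy. That is why production schemes anchor the measurement in hardware (for example a TPM recording the boot-time digest) rather than asking the device to describe itself.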

Explaining Backdoors

Alissa Knight specializes in hardware security issues. She is the Senior Analyst at The Aite Group and the author of the upcoming book Hacking Connected Cars: Tactics, Techniques, and Procedures. Knight said that IT professionals looking to scan for invisible malware will likely need a tool such as Trapezoid 5. Nothing less specialized will do. "There's a fundamental aspect of backdoors that makes them hard to detect because they wait for certain triggers to wake them up," she explained.

Knight said that, if such a backdoor exists, whether it's part of a malware attack or exists for some other reason, then the best you can do is to keep it from operating by keeping it from detecting its triggers. She pointed to Silencing Hardware Backdoors, a research report by Adam Waksman and Simha Sethumadhavan, both of the Computer Architecture and Security Technology Lab, Department of Computer Science at Columbia University.

Waksman and Sethumadhavan's research shows that these malware triggers can be prevented from working by three techniques: first, a power reset (for memory-resident malware and time-based attacks); second, data obfuscation; and third, sequence breaking. Obfuscation, which involves encrypting the data going into inputs, can keep the triggers from being recognized, as can randomizing the command stream.

The problem with these approaches is that they can be impractical in an IT environment for all but the most critical implementations. Knight pointed out that some of these attacks are more likely to be conducted by state-sponsored attackers than by cybercriminals. However, it's worth noting that those state-sponsored attackers do go after small to midsize businesses (SMBs) in an attempt to get information or other access to their ultimate targets, so SMB IT pros can't simply ignore this threat as being too sophisticated to apply to them.

Preventing Malware from Communicating

However, one strategy that does work is preventing the malware from communicating, something that's true for most malware and backdoors. Even if they're there, they can't do anything if they can't be turned on or if they can't send out their payloads. A good network analysis appliance can do this. "[Malware] needs to communicate with home base," explained Arie Fred, Vice President of Product Management at SecBI, which uses an artificial intelligence (AI)-based threat detection and response system to keep malware from communicating.

"We use a log-based approach using data from the existing devices to create full scope visibility," Fred said. This approach avoids the problems created by encrypted communications from the malware, which some types of malware detection systems can't catch.

"We can do autonomous investigations and automatic mitigations," he said. This way, suspicious communications from a device to an unexpected destination can be tracked and blocked, and that information can be shared elsewhere on the network.
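The log-based approach Fred describes can be illustrated with a small detector, added here as an example rather than anything from SecBI. It works only on connection metadata from existing devices (who talked to whom, on which port, when), which is why encrypted payloads do not get in its way. Given a baseline window of flow records, it flags any device that starts talking to a destination it has never used, and separately flags connections that recur at a near-constant interval, the regular "check-in" pattern of a backdoor contacting home base. The log format, hosts and addresses are constructed for the demonstration (203.0.113.7 is a documentation address).

```python
"""Flag new destinations and periodic check-ins in connection logs."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed flow records: "<ISO timestamp> <src> <dst> <dport> <bytes>".
# Baseline window: a camera (10.0.1.15) that only talks to its recorder
# (10.0.0.5) and a workstation (10.0.1.22) with ordinary traffic.
BASELINE_LOG = """\
2019-05-20T09:00:01 10.0.1.15 10.0.0.5 443 2310
2019-05-20T09:07:44 10.0.1.15 10.0.0.5 443 1980
2019-05-20T09:03:12 10.0.1.22 10.0.0.5 443 5120
2019-05-20T09:41:09 10.0.1.22 10.0.0.9 53 120
"""

# Detection window: the camera now also contacts an outside host every 5 min.
DETECTION_LOG = """\
2019-05-21T09:00:00 10.0.1.15 10.0.0.5 443 2250
2019-05-21T09:05:00 10.0.1.15 203.0.113.7 443 410
2019-05-21T09:10:00 10.0.1.15 203.0.113.7 443 412
2019-05-21T09:15:00 10.0.1.15 203.0.113.7 443 408
2019-05-21T09:20:00 10.0.1.15 203.0.113.7 443 411
2019-05-21T09:25:01 10.0.1.15 203.0.113.7 443 409
2019-05-21T09:02:37 10.0.1.22 10.0.0.5 443 6011
2019-05-21T09:14:03 10.0.1.22 10.0.0.5 443 4210
2019-05-21T09:31:50 10.0.1.22 10.0.0.5 443 7315
2019-05-21T09:52:12 10.0.1.22 10.0.0.5 443 3002
2019-05-21T10:30:00 10.0.1.22 10.0.0.5 443 2500
"""


def parse_flows(text):
    """Turn the log text into (timestamp, src, dst, dport, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return flows


def build_baseline(flows):
    """Per source host, the set of (dst, dport) pairs seen during the baseline."""
    seen = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        seen[src].add((dst, dport))
    return seen


def find_new_destinations(baseline, flows):
    """Destinations a host contacts in the detection window but never in the baseline."""
    new = defaultdict(set)
    for _, src, dst, dport, _ in flows:
        if (dst, dport) not in baseline.get(src, set()):
            new[src].add((dst, dport))
    return dict(new)


def find_beacons(flows, min_events=4, max_jitter=0.1):
    """(src, dst, dport) triples whose inter-arrival gaps are nearly constant.

    Jitter is the standard deviation of the gaps divided by their mean; human
    or application traffic is bursty and scores high, a timer-driven
    check-in scores close to zero. Returns the mean interval in seconds.
    """
    by_triple = defaultdict(list)
    for ts, src, dst, dport, _ in flows:
        by_triple[(src, dst, dport)].append(ts)
    beacons = {}
    for triple, times in by_triple.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        if statistics.pstdev(gaps) / mean_gap <= max_jitter:
            beacons[triple] = round(mean_gap, 1)
    return beacons


def detect(baseline_text=BASELINE_LOG, detection_text=DETECTION_LOG):
    """Run both checks and return the findings for the detection window."""
    baseline = build_baseline(parse_flows(baseline_text))
    flows = parse_flows(detection_text)
    return {
        "new_destinations": find_new_destinations(baseline, flows),
        "beacons": find_beacons(flows),
    }


if __name__ == "__main__":
    for kind, findings in detect().items():
        print(kind, findings)
```

Both checks produce the same kind of output the article describes: a device and an unexpected destination, which a firewall or NAC rule can then block while the finding is shared with the rest of the monitoring stack. A baseline built from a short window will flag legitimate new services too, so in practice the baseline is aged over weeks and the beacon threshold tuned per device class (an IP camera has far less excuse for a new outbound peer than a workstation).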

Deleting Hardware-based Malware

So you've perhaps found some invisible malware, and perhaps you've managed to block it from carrying on a conversation with its mothership. All good, but what about getting rid of it? Turns out this isn't just difficult, it may well be impossible.

Of those cases in which it is possible, the immediate cure is to reflash the firmware. This may eliminate the malware, unless it came through the device's own supply chain, in which case you'd just be reloading the malware.

If you do reflash, then it's also important to watch your network for signs of reinfection. That malware had to get into your hardware from somewhere, and if it didn't come from the manufacturer, then it's definitely possible the same source will send it again in order to reestablish itself.

What this boils down to is more monitoring. That'd be continuing to monitor your network traffic for signs of malware communications as well as keeping tabs on your various device firmware installations for signs of infection. And if you're monitoring, perhaps you can find out where it's coming from and eliminate that as well.

This article originally appeared on PCMag.com.