Stealth Mode Malware

March 8, 2008 – 5:59 PM

Makers of antispyware and antivirus programs, pay attention to this article.

An ugly trend is developing in the world of antispyware. It is my belief that, very soon, all current tools and methods used to detect and remove malware will become obsolete. Very soon, malware will be able to load at start up and run on the computer without being detected by any existing scanner.

It is starting to happen already. More and more often, browser hijackers today use rootkit technology to protect themselves. I have run into it myself on my test computer and it was all I could do to remove it.

A rootkit-protected hijacker uses any of various methods to alter how Windows operates. Once the rootkit is operational, it is able to monitor system queries and filter out anything that mentions itself. For instance, let’s say that file abcxyz.exe hijacks all browser home and search settings, keeps them from being changed back and pops up advertisements every 90 seconds. If it is protected by a rootkit and you open the folder containing the file, the rootkit will prevent Windows Explorer from displaying the file. If you open the Task Manager, abcxyz.exe will not be shown as a memory process.

This is how it works today and it gives us plenty of trouble when trying to help someone fix it. However, the tools we use today allow us to spot the existence of abcxyz.exe. It has to load when the computer starts, so HijackThis will show us the registry entry that causes it to be loaded. We can find the infection. We just have a hard time explaining to someone how to find it and remove it.

I see trouble ahead. It is only a matter of time before some miscreant designs a better rootkit. I believe that rather than simply hiding a file from Windows Explorer and the Task Manager, future rootkits will be able to provide malware designers with true stealth mode.

Imagine this for a moment. A flaw is discovered in Internet Explorer which allows any piece of software to be executed. Exploiting this flaw, the installer for a truly clever malware is downloaded and executed. The first thing that happens is the installation of an advanced rootkit. This rootkit injects itself directly into the Windows kernel, bypassing all higher-level functions.

A registry entry is written which loads abcxyz.exe as a Windows Service. A service will load whether anyone is logged onto the computer or not and is more difficult to remove than a program installed normally. The abcxyz.exe file is loaded into memory. Every 90 seconds afterward, ads begin to pop up. Realizing that something is wrong, the user goes looking for the culprit. This is where he is going to run into trouble in the near future.

The first thing he does is to perform a scan with his antispyware program. All antispyware programs look for spyware in the same manner. They search the hard drive looking for files known to belong to malware. They ask Windows for a list of processes running in memory, then look to see if any of those are bad guys. They look at the registry to see what is loading at start up and to check for toolbars or BHOs installed into Internet Explorer. This is where they are going to fail when confronted with an advanced rootkit and a stealthed malware.

The rootkit is sitting in memory, monitoring every system query that passes through the kernel. When the antispyware scanner asks Windows for a list of running processes, the rootkit filters out abcxyz.exe. When the scanner asks for a listing of files, it filters it out again. When the scanner is looking at the registry, the rootkit filters out the entry that shows abcxyz.exe loading as a service. Seeing nothing suspicious, the antispyware scanner reports that all is well.

The user goes to our message board and asks for help. He is told to download HijackThis, run a scan and post the contents of his log file. He does this and waits for a response.

The advantage of HijackThis over antispyware scanners is that anything not installed as part of Windows will be shown, whether it is malware or not. However, it depends on Windows to give it this information. With the advanced rootkit running at the kernel level, no information about the malware is passed onto HijackThis. The user’s log file will be perfectly clean.

This is the threat we soon will be facing. No matter how good a scanner may be, it depends on receiving accurate information from Windows to detect malware. With the advanced rootkit running, Windows is made to lie. Windows itself cannot be trusted to deliver accurate information about the contents of memory or of the hard drive. The malware is running in true stealth mode. Ask Saddam how well his air defenses fared against US Air Force stealth fighters and you see the problem. Or, more accurately, you don’t see it.

So, if Windows cannot be trusted to provide the information we need, how are we going to track down malware? The answer to this, thankfully, is very simple. You need to look at the hard drive from another operating system.

No, I am not saying that the poor user has to set up his computer to dual boot Linux and Windows. There is a small program out there called BartPE that already does exactly what we need.

What is BartPE and PE Builder?

Bart’s PE Builder helps you build a “BartPE” (Bart Preinstalled Environment) bootable Windows CD-Rom or DVD from the original Windows XP or Windows Server 2003 installation/setup CD, very suitable for PC maintenance tasks.

It will give you a complete Win32 environment with network support, a graphical user interface (800×600) and FAT/NTFS/CDFS filesystem support. Very handy for burn-in testing systems with no OS, rescuing files to a network share, virus scan and so on.

Run BartPE, along with a plug-in that allows BartPE to load any registry hive found on a hard drive, and we are back in business. With BartPE running, you are not using the infected copy of Windows which sits on the hard drive. That means that any scanner used to search the hard drive will be receiving accurate information. Now, when our user runs his spyware scanner or HijackThis, the rootkit will not be able to hide itself or the malware.

So, this is my message to the antispyware and antivirus vendors out there: you need to rewrite your scanner programs to provide the ability to run in a “non-Windows environment”. Your scanners need to have the ability to edit the file system and load the registry without Windows itself having been loaded. Pretty soon, you will not be able to depend on Windows giving your scanners accurate enough information to be of any use.

BartPE can be licensed for commercial use. Or you can build something similar yourself. BartPE basically is just an offshoot of the Windows Preinstallation Environment. Someone already in the business of writing software should have no problem creating a custom version of the Windows PE.

When your software is installed, you simply prompt the user to insert a CD, DVD or flash drive and copy the files needed to run the “non-Windows environment”, as well as your scanner. You even might be able to boot it up right from the hard drive, the same way disk imaging and partitioning software do. Scanning in this way can be an additional option, right next to “Quick Scan” and “Full Scan”.

I am going to be playing with BartPE in the near future to see how well it works with HijackThis and some of the other tools regularly used at the SpywareInfo forums. We may well end up having to ask people to download BartPE and run HijackThis from outside of Windows. Before much longer, that may be the only way to find the more clever malware out there.,2005#stealth

You must be logged in to post a comment.