
New generation malware for PCs and routers could be very persistent

Security researchers warn that the firmware in PCs and routers could be subverted for nefarious purposes.

Malware for PCs is an established part of life. Keeping the operating system and applications up to date helps (a vulnerability that's been removed can't be exploited), as does decent security software.

And if the worst comes to the worst, there's always the possibility of completely wiping the hard drive and starting from scratch.

But a security researcher has shown that a small malware loader can be concealed in the BIOS or other firmware built into a PC.

If multiple pieces of firmware (e.g. in the network card as well as the BIOS) were subverted in this way, the malware could even survive replacement of the BIOS.

Jonathan Brossard demonstrated this approach at the recent Black Hat conference in the US. The routine hidden in the BIOS connects to a remote server to fetch the code that does the dirty work.

Unlike conventional malware, this leaves no trace on the hard drive for later analysis as the rogue code is freshly downloaded each time.

It is possible that network monitoring tools could detect this unusual traffic, but apparently only a small amount of data needs to be transferred.

The fear is that a manufacturer or some other player in the supply chain - perhaps under pressure from its home government - might build malware like Brossard's into PCs destined for particular countries or even specific customers.

In this scenario, he points out that TPM would provide no protection as the code is already present when the configuration is sealed.

In fact, TPM would protect the malware from removal after deployment - if the BIOS or other firmware was replaced, TPM would prevent boot-up.

Furthermore, he notes that this approach means a skilled individual could create a "nation state quality" backdoor.

And if that's not enough, he suggests the architecture he proposes could be used to create a botnet that "can literally not be shut down."

Mr Brossard's research paper is available here.

Talking of firmware and botnets, another researcher has released a tool that is capable of remotely replacing the firmware in a number of popular SOHO routers.

This could be used to create persistent botnets, warned researcher Michael Coppola, who was one of the presenters at the recent Defcon conference.

The problem is that most SOHO routers allow remote administration, and just about all have a mechanism for updating the firmware.

If the administration username and password are left in their default state, this allows an attacker to replace the firmware.

Mr Coppola's rpef (Router Post-Exploitation Framework) tool provides a way of remotely replacing the firmware on certain Netgear, Linksys, TrendNet, D-Link and Belkin routers.

Among the payloads supported by rpef is a botnet client capable of performing various actions on command, including denial of service attacks.

Even if a router's credentials have been changed, there are other ways of getting in. These include brute force attacks (How long is your router's password? Is it a dictionary word?) or specific exploits.

Unfortunately for users, disabling remote administration access is not sufficient. It has been known for some time that it is possible to use JavaScript and other technologies to 'persuade' a computer on the LAN side of a router to access the router's web interface.

This is relatively straightforward if the router's administration credentials haven't been changed.

Once an attacker has gained access to the router's web interface, it's not difficult to replace the firmware with a hacked version.
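As an added illustration (not code from the article, nor from any router vendor), the LAN-side request forgery described above is exactly what a router's firmware-update handler should refuse. The Python below assumes the admin interface is served from 192.168.1.1 (a constructed address) and shows the two server-side checks, an Origin/Referer check and a per-session token, that block such a request even when the browser is already logged in or the credentials are still the defaults.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin at which the router's own admin pages are served.
# Assumption for this example: the router lives at 192.168.1.1 (constructed).
ALLOWED_ORIGINS = {"http://192.168.1.1"}


def issue_csrf_token() -> str:
    """Per-session token the router embeds in its admin form as a hidden field."""
    return secrets.token_urlsafe(32)


def firmware_upload_allowed(headers: dict, form: dict, session_token: str) -> bool:
    """Decide whether a firmware-update POST really came from the router's own UI.

    Both checks must pass:
    1. The browser-set Origin (or, failing that, Referer) must be the router's
       own origin; a page on another site cannot forge these headers.
    2. The form must carry the per-session token; a cross-site page cannot read
       it because of the browser's same-origin policy, so it cannot submit it.
    """
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # no provenance at all: refuse a state-changing request
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin not in ALLOWED_ORIGINS:
        return False  # includes the literal "null" origin some browsers send
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed via timing.
    return hmac.compare_digest(supplied, session_token)


# Constructed sample requests: the first is the router's own admin page
# submitting an update, the second is what a malicious page opened in a
# LAN-side browser would be able to send.
SESSION_TOKEN = "constructed-session-token-0123456789"
LEGIT_REQUEST = ({"Origin": "http://192.168.1.1"},
                 {"csrf_token": SESSION_TOKEN, "image": "fw.bin"})
CROSS_SITE_REQUEST = ({"Origin": "http://malicious-page.example"},
                      {"image": "evil.bin"})
```

The token check is the one that matters when credentials are default: the browser will happily attach the router's cookie or basic-auth header to a cross-site request, but it will not hand the attacker's page the hidden token.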

Phil Purviance and Joshua Brashars gave a presentation to the Black Hat conference that showed how JavaScript could be combined with HTML5 to replace a router's firmware when a malicious webpage is opened in a browser, without any further user interaction.

Once a router has been flashed with malicious firmware, it is unlikely to be detected and the malware will most likely keep running until the owner updates the firmware with a new release from the device vendor.

Since many owners don't bother to check for updates as long as their router seems to be working properly, the malware could be present for the rest of the device's life.

Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.