In the first article in this series, we did a brief overview that explained backdoor hardware attacks and the potential threats they represent, and the second article covered the means and motivations behind hardware attacks and highlight a couple of case studies. This next installment looks at the dreaded Rakshasa malware.
Backdoors are usually supported by software. Flaws, including bugs, are common in software that runs on most devices. Fortunately, this type of backdoor is easier to detect and immunize.
Last year, researcher Jonathan Brossard mentioned during the Black Hat security conference in Las Vegas, that a new strain of malware is nearly impossible to remove once it compromises a device. Brossard named his agent “Rakshasa“, defining it a “permanent backdoor” that’s hard to detect, and nearly impossible to remove.
It’s clear that he didn’t find a new vulnerability, but demonstrated how much harder is to detect that type of backdoor. “It’s a problem with the architecture that’s existed for 30 years. And that’s much worse.”
The abstract demonstrates that permanent backdooring of hardware is possible. Rakshasa is able to compromise more than a hundred different motherboards. The impact could be devastating. Rakshasa malware infects the host BIOS, taking advantage of a potentially vulnerable aspect of traditional computer architecture. Any peripheral, such as a network card or a sound card can write to the computer’s RAM or to smaller portions of memory allocated to any of the other peripherals.
First, there are backdoor disabling features such as NX, essential for protection against malware, viruses, and exploits. It also removes fixes for System Management Mode (SMM), in operating mode in which all normal execution (including the operating system) is suspended and special software, usually firmware or a hardware-assisted debugger, and is executed in high-privilege mode.
With these few steps, the attacker has properly compromised security of the machine, allowing malware to completely erase hard disks and install a new operating system.
“We shall also demonstrate that preexisting work on MBR subverts such as bootkiting and preboot authentication software brute force can be embedded in Rakshasa with little effort.”
Due the mechanism of infection, in order to sanitize a PC, it’s necessary to flash all the devices simultaneously to avoid that happening during a disinfection of a single device. That’s because it could affected by other compromised components.
“It would be very difficult to do. The cost of recovery is probably higher than the cost of the laptop. It’s probably best to just get rid of the computer.” said Brossard.
Rakshasa has been developed with open source BIOS software, including the Coreboot project and Sea BIOS, and because of their compatibility with most hardware, it’s hard to detect.
When the machine boots up, malware downloads all the malicious code it needs. Of course it disables the resident antivirus and stores the code in memory. In doing so, it avoids leaving traces on the hard disk that could be detected as infectious.
The most important issue about Rakshasa malware isn’t related to how it can infect victims randomly. But Brossard alerted the scientific community to the possibility of using it as a backdoor in hardware. In many cases doubt has been raised about if backdoors are present in Chinese devices, telecommunications in particular.
Hardware qualification is a serious problem. Let’s consider the impact of a compromised device in a military environment, or in any large systems.
“The whole point of this research is to undetectably and untraceably backdoor the hardware. What this shows is that it’s basically not practical to secure a PC at all, due to legacy architecture. Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.”
In a paper for Intel, Brossard said:
“There is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines that require any changes to BIOS to be signed with a cryptographic code. and it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.”
But the above scenario isn’t far from what could happen in a manufacturing plant that’s compromised by hackers.
About the Author: Pierluigi Paganini writes for Infosec Institute and is a security expert with over 20 years of experience in the field, including being a Certified Ethical Hacker. Paganini is Chief Security Information Officer for Bit4Id, a researcher, security evangelist, security analyst and freelance writer. He is the author of the books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”, and is also Editor-in-Chief at CyberDefense Magazine and Security Affairs.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
- Top Five Hacker Tools Every CISO Should Understand
- Five More Hacker Tools Every CISO Should Understand
- Security Response Part 1: Don’t Shoot the Messenger
- Your Enterprise Vulnerability Management Reality Check
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock