Virus Writers Look Ahead: Target 64-bit Windows

Ashcrow writes "A new virus, named W64.Shruggle.1318 by Symantec, is being 'tested' on AMD64 machines running 64-bit Windows. While it is not currently a danger to 64-bit Windows users, it does show that virus writers are looking toward the future. The exploitable software in questions is currently unreleased outside of beta. News.com has the full article."

Interesting.

[London+Bus]

I hadn't realised that there were sufficiently many fundamental changes to a 64-bit system as compared to a 32-bit system that meant that a virus written for one wouldn't work on the other. What's so different? How does a different integer or word size affect the functioning of a virus so greatly, when interoperability is such a priority?

Re:Interesting.

[random_culchie]

Well I'm sure its a concern when they are trying to cause stack overflows and the like.
Since the memory is shifted around in bigger chuncks they will have to readadjust their code to pump more useless data to reach the memory address they want.
Many exploits / worms are made with specific memory locations in mind inorder to inject malicious code into them.

Re:Interesting.

[dagoalieman]

As I understand it, and I hope if I'm wrong someone does so and gets a +5 mod... I'm going to be very general and semantic, I'm sure you'll see the point, but details as always are better. :)

While software is made to be compatible, and Windows has code written into it to help with compatibility, as well as the processors have extensions. Windows also has code in order to take advantage of the 64 bit processor abilities to their fullest. While there's compatibility options available, most of the code that Windows executes was made for 64bit CPU (I should say most of the *compiled* code... I'm not sure how much of a rewrite was needed for porting, as opposed to compiler changes.)

With new code comes new holes, obviously. And the same can be said for third party softwares- that new code which takes advantage of the processors to its fullest will have some new code (extending through compilation, of course).

I would say, though, it wouldn't surprise me to find out that the programs themselves are really quite incompatible, but the files themselves are written for maximum compatibility. Pop one in an email, and it works on a 32 bit based machine I mean.

As an aside, I wonder if this is an attack on AMD's compatibility, or 64 bit code in general.. I note that the article mentions AMD with specitivity, not Intel.

Re:Interesting.

[vi+(editor)]

A virus doesn't need any stack overflow as it spreads by the user executing infected programs.
The techniques you describe are usually used by worms.

Re:Interesting.

[Zeever]

Actually, those kind of attacks are precisely what the new NX bit (http://en.wikipedia.org/wiki/NX) tries to defeat. In IA32 pages in memory can be read and written, if they can be read, the can be executed (making possible the classic buffer overflow attack).
In AMD64 (and some other architectures) pages have one more permission: they can be read, written AND executed.. and pages in the data section of a program (where you store all dynamic data, variables, arrays, etc. and buffer overflow exploits) have the NX (not execute) bit set by default.

Beta testing

Where can I sign up for beta testing!?

Re:Beta testing

[Riktov]

With viruses, beta testing signs up for YOU!

Re:It makes me wonder....

[MoonFog]

The same CPU also gives AV software the same increase in speed etc. So it's just business as usual for AV, the war between the virus makes and the Anti-virus makes continues no matter what architecture the underlying structure has.

Re:It's a good thing

Burn them at stake! Lynch'em! Make them watch Liza Minelli!

Your humanitarian side is showing through. Please make them watch Liza Minelli first, not last.

Phew!

[MisterLawyer]

While it is not currently a danger to 64-bit Windows users, it does show that virus writers are looking toward the future.

Phew! I was worried that all those hordes of current 64-bit Windows users would be at danger.

This shows once again

that Windows is just targeted because it is so popular, not because of inherent security problems.

After all Windows 64-bit is allready installed on millions and millions of machines so it is only natural that hackers attack it instead of those few machines that run 64-bit Linux.

Oh, wait...

Nevermind.

conspiracy?

[rixdaffy]

Sometimes it is almost as if antivirus companies hire people to write all those "proof of concept" virusses, just to make sure that they don't loose any marketshare and they have another good reason to have their spread through press releases...

Ricardo.

Re:conspiracy?

[flonker]

Virus writers will frequently submit their own virus to the AV companies, to get it listed in the AV software. They don't release it into the wild, out of ethics, but they get some ego gratification and acknowledgement. When AV companies claim they detect a huge number of viruses, most of the viruses they detect have never been seen in the wild. It's a good thing too, as most viruses in the wild are very simple things. Some proof of concept viruses can be extremely hard to detect and remove.

Maybe this is a good thing.

[qualico]

"The virus supports vectored exception handling to avoid crashing during infections."

Maybe this is a good thing.
Those viruses will show developers how to write better code. :->

Seriously though, vulnerabilities will grow in proportion to the complexity of our systems.

oldschool

[prockcore]

This is an oldschool virus, it works by appending itself to the end of an .EXE, the Linux "proof-of-concept" viruses worked this same way.

MS actually has some safeguards to prevent this thing, but it could use some minor tweaks to make it even better.

I propose that XP should require you to create a user account by default.

I propose that all software should be distributed as .MSI files instead of .exe installers. (They work the same, double click the .MSI and it runs MS's Installer, but the MSI can't run arbitrary code.. it works like an RPM in this regard).

The installer should prompt for the Admin password and install the .exe so that only admin can write to it.

Any .exe not installed by the MS Installer should be marked as "dirty", and windows should refuse to run it.

This would prevent this type of virus. Coupled with XP64s support for NX, you'd actually have some semblance of security.

Re:oldschool

[prockcore]

The general public are stupid and would not even be able to handle that level of security! They'd want to know why their new mouse cursors can't be installed, why their IE search bar needs a password, etc, etc

Good. It's time for the general public to suck it up.

If the general public can handle OSX (and presumably they can), then they can handle this. OSX installers require the admin password.

Re:oldschool

[mlock]

> I propose that all software should be distributed
> as .MSI files instead of .exe installers. (They
> work the same, double click the .MSI and it runs
> MS's Installer, but the MSI can't run arbitrary
> code.. it works like an RPM in this regard).
Sorry, doesn't work.

MSI files can embed DLL's, and these can be called during setup.
http://msdn.microsoft.com/library/en-us/ms i/setup/ adding_launch_to_the_customaction_and_binary_table s.asp

Like the post-conf scripts in RPM and DEB :-)

Re:I always suspected

[tonyr60]

Yes, but....

Maybe I am too much into conspicy stuff, but I have the idea that it is in Symantec's best interests that their clients believe that even the new, upgraded OSes need virus protection.

So they are going to look VERY hard to find reasons why 64 bit XP needs new anti-virus tools.

la cosa nostra

[polecat_redux]

Symantec: The internet is a dangerous place these days - overrun with all sorts of viruses, worms, and malware. But, for only $79, we can see to it that your computer is safe. Without us, who knows what might happen to you...

I agree, forget Joe (L)user

[panurge]

W64 is an opportunity to move away from the whole "the system has to be insecure because Joe Sixpack is stupid" syndrome. If OS X can drop down a window asking for an admin password before installing updates, so can W64. W64 will be supposed to be a professional OS, for Turing's sake. Why can't MS simply use a few $$ of the billions to produce a nice "read this first" poster to explain to newbies how their nice new security system works, and how it will make using the computer so much more pleasant?

Tinfoil hat time: perhaps all the FUD about SP2 problems, users unwilling to update etc. is just being put out by spammers and malware merchants.

I agree there is a problem, especially with people who think they are creative. I'm afraid I was positively delighted when the author Louis de Bernieres lost the first 60 pages of his new novel becaue he had failed to make a backup, and complained that he didn't expect to have to make backups, he wasn't a computer expert (or words to that effect). People need to understand that failure to learn the basics can result in pain and distress.

Sourcecode

[MikeDX]

I bet the code is something like this:

while(windows) {
infect();
}

here's the grain of salt

[maxpublic]

Some years ago I contracted with Symantec for about five months and worked closely with several of their departments, including the folks who did tech support for their anti-virus software. During that time Symantec offered a cash bounty to any techie who brought in a virus 'from the wild' that wasn't covered by the their antivirus software.

It was common knowledge that many of these 'wild' viruses were actually, in fact, written by the support staff themselves in order to collect on the bounty. But Symantec didn't care because this just allowed them to enlarge their virus definition file and show their customers why it was important to subscribe to their update service. From my point of view it was a "wink, wink, nudge, nudge" sort of thing.

This was one of just many things about Symantec which disgusted me so much that after that contract I refused to work with them ever again. I don't know if they still have an update service for their anti-virus software, but it wouldn't surprise me if many of our future 64-bit viruses came directly from employees of Symantec itself.

It's a great business model: release the viruses, then sell the software that combats those viruses. Unethical and illegal, but a solid money-maker for those who don't care about such trivial things.

Max

Re:here's the grain of salt

But Symantec didn't care because this just allowed them to enlarge their virus definition file and show their customers why it was important to subscribe to their update service

This common accusation is a hoax. All major virus detection houses signed a mutual agreement to share their virus research. At one point, all these compagnies decided they would compete on features, ease of use and so forth, but not on virus coverage.

They did so in part to better protect their consumer, but also to dodge the baseless accusation made above.

Lol the general public can't handle OSX

[SmallFurryCreature]

The average Apple user I have met isn't a computer whizkid. However there is a huge difference with the unwashed windows hords. The Apple user KNOWS he is a computer moron. Most of them therefore do little things like read the goddamn fucking manual. They are also less likely to be upset about safeguards. (just check with your local emergcency crew, it isn't the 2 left hands doctor who decides to do a bit of DIY who cuts of his thumb. It is the DIYer who think he knows it all and thinks safety catches are for wimps)

The problem with windows isn't that its users are stupid and don't know shit. The problem is that MS has chosen to encourage these computer morons to feel like they know what they are doing and has given them enough rope to hang themselves with.

It makes people feel good and gives helpdesk monkeys around the world fulltime employment.

Remember, virusses, trojans, spyware ARE GOOD for the local economy.

Re:To make things easier

[mr_z_beeblebrox]

Of course, this means distributing the virus in source code form and compiling it on the target computer, but I'm sure users would be more than happy to take that step for you.

I can hear that conversation now: "I can't run this Anna Kornokova Simulator"
"Call Bob he is a linux user, he can help you"
"Hey Bob, I got the Anna K sim and..."
"You know that will be a virus"
"No, it's different THIS time. Tell me again the magic words, I am sure it'll be okay"
"SIGH, dot slash config...MAKE....MAKE INSTALL"

AMD's compatibility

[dpilot]

AMD has the NX bit, and ISTR that Intel doesn't have it on their IA32e, or whatever the heck they call it, and that they reserved NX for IA-64. The NX bit makes the job more demanding for virus and worm writers, so I would expect AMD to give them additional concerns.

3 reasons....

[DrYak]

1. First most important technology :
AMD64 processors have NX extension.
Which [quoting wikipedia] : "stands for "no execute", a technology used in CPUs such as Sun's Sparc, Transmeta's Efficeon, and newer 64-bit x86 processors to prevent code from being executed on areas of memory flagged with an NX bit. This feature signifigantly lowers the probability of crackers exploiting buffer overflows and increases overall system security.".
This technology is only supported in newer OSes like Windows XP 64 and Windows XP SP2. It wasn't supported before (exemple in Windows XP SP1 or in Windows 2000).
So before all, a new AMD64-compatible virus, has to cope with new forms of protection.

2. Binary compatibility.
This is going to be more technical.
AMD64 (and Intel's clone "EMT64") are an extension over the standart 32bits inscruction set (IA-32).
So yes, AMD64 could run any 32bit code natively, unlike Itanium (which can only emulate it, with some hardware assistance).

BUT : A worm isn't your average spread-sheet application. It doesn't always run stand-alone.
In order to perform some operation, like infecting a computer without user attention, or gaining administrator privileges, or hacking some kernel stuff to help its replication, the worm must inject code inside OTHER application.

And even if the virus is 32bit, if it infects a 64-bits OS, odds are the applications in which the virus must inject code (e-mail client, kernel, etc...) will be 64bits application.

64bit bit binary code isn't necessary exactly the same as 32bit. Some binary code may be interpreted as different instruction depending on whether the memory segment (the application) was tagged as "16bit code", "32bit code" or "64bit code".
The processor can run all of this "dialects" natively in hardware, but may be expecting a different dialect because the application is tagged as 64bits and the injected code was intended for 32bits systems.

Denpending on the implementation (i don't know AMD64 well enough), when loading data into pointer register, the 32bit code running in 64bit application could either :
- only override the lower 32 bits of the pointer, keeping intect the upper 32 bits.
i.e.: load 0x00001234 into a register whose value is 0x0012345601234567, will give you 0x0012345600001234) a different location than expected by the virus, and the machine would crash instead of being infected.

- read pas the lenght of the instruction in code memory.
simplified exemple :
if code is "LOAD into pointer 0x00001234, then ADD 500 to register B".
the pointer will be loaded with garbage data "0x0001234, then ADD", and the processor will try to execute code form "500 to register B" which doesn't mean anything, and the machine would crash instead of being infected.

(some useful link about 64bit architecture).

3. Memory model :

Last but not least, memory organisation is different between a 32bits and a 64bits OS.
So worm should use different exploits to inject code into different places.

Re:so what?

[MikeXpop]

Yeah. It's really crippling being able to run a variety of commercial software including all the latest games.

Sheesh, what's with all the OS hate around here? Linux, Windows, BSD, Mac OS, Mac OS X, etc are just tools. Tools that can help you get jobs done. Use the best tool for the job. I wouldn't imagine editing video on anything but OS X, just like I wouldn't imagine playing games on anything but Windows, just like I wouldn't imagine running a dedicated server on anything but Linux.

No one OS is crippling. Limiting yourself due to fanaticism is.