Research Inches Toward Processor-Specific Malware
chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware-specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: it's not easy to figure out what kind of CPU a device is running. But researchers at France's École Supérieure d'Informatique, Électronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."
Also, how protected is the type of the processor and the other hardware used in a machine? I would imagine that exposing this information (such that your PC has a GPGPU) to software might help the software work better. To me, it seems that this gain easily outweighs the risks involved.
Never trust a spiritual leader who cannot dance -- Mr. Miyagi
So is the Ukrainian Mob giving out academic research grants these days? Not such a bad idea from their end.
The enterprise market for servers has never been solidly MS. The Xserve was not a popular product; no one wanted to pay Apple prices to run a Unix. If you want to do that you could have always bought a Sun box. The rest of the enterprise wanted to run Linux on commodity hardware.
Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.
Regardless it makes me wonder why you need to know the processor type in the first place? Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original javascript program.
It's rumour, take it with as much or as little salt as you think it needs. But a quick google for malware UAC shows:
http://www.zdnet.com/blog/security/windows-7s-default-uac-bypassed-by-8-out-of-10-malware-samples/4825
http://www.theregister.co.uk/2009/02/04/windows_uac_flaw/
And IIRC there was a piece of malware that was signed using a genuine, valid certificate that was issued to Realtek. Looks like I do RC:
http://news.softpedia.com/news/Signed-Malware-Used-Valid-Realtek-Certificate-147942.shtml
- this would walk all over the protection offered by ASLR and DEP because it wouldn't need to be injected into another running process.
Having said all that, I never for one minute believed the death of XP would mean the end of malware. It's become a full-blown industry in its own right these days, and a lot of money is involved. Those who do it aren't going to let a bunch of acronyms that make their job a little harder until such time as they've put whatever functionality they need to work around it into a library any more than burglars all gave up and started going straight with the advent of modern locks.