Slashdot Mirror


Research Inches Toward Processor-Specific Malware

chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware-specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: it's not easy to figure out what kind of CPU a device is running. But researchers at France's Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."

41 of 155 comments

  1. Re:Phew i'm good. by bhcompy · · Score: 2, Informative

    Yea, no malware for my Cyrix either

  2. Obligatory intel bashing by zill · · Score: 4, Funny

    /* Pentium FDIV bug check: done with floating-point division
       (integer literals would overflow a 32-bit int here) */
    if( 4195835.0*3145727.0/3145727.0 != 4195835.0 ){
        cpu = "Intel Pentium";
    }

    1. Re:Obligatory intel bashing by Mitchell314 · · Score: 2, Insightful

      4195835*3145727/3145727 == 4195835.00000001

      --
      I read TFA and all I got was this lousy cookie
    2. Re:Obligatory intel bashing by wvmarle · · Score: 2, Informative

      This depends apparently on your programming language. I know the .00000001 has to do with decimal to binary conversion, which introduces this kind of error. Anyway I just tried this in Python, and got a different result:
      >>> 4195835*3145727/3145727
      4195835L
      >>> 4195835*3145727/3145727 == 4195835
      True
      >>> 4195835*3145727/3145727 == 4195835.00000001
      False
      >>>

  3. sure sounds interesting by Anonymous Coward · · Score: 2, Insightful

    but...

    where actually is the attack vector if you don't target any software platform at all?

  4. Why hardware specific? by Musically_ut · · Score: 2, Interesting
    Isn't it still far easier to specialize malware for specific software rather than trying to heuristically determine the hardware being used and then trying to exploit that?

    Also, how protected is the type of the processor and the other hardware used in a machine? I would imagine that exposing this information (such that your PC has a GPGPU) to software might help the software work better. To me, it seems that this gain easily outweighs the risks involved.

    --
    Never trust a spiritual leader who cannot dance -- Mr. Miyagi
    1. Re:Why hardware specific? by DigiShaman · · Score: 2, Insightful

      Current software exploits are based on specific OS, Apps, and/or a combination of the two. Add in different versions and quick patching can put out the malware fires rather quickly. With hardware, there are fewer permutations and revisions in comparison to software.

      While it's possible to patch hardware flaws with firmware and microcode updates, it's not something that happens automatically by the end user. In theory, running malware at the hardware level opens up a huge potential homogeneous field to play in.

      --
      Life is not for the lazy.
  5. I hate to ask, but... by spywhere · · Score: 3, Informative

    "Windows/Office/IE monoculture is disappearing faster than equatorial glaciers..."
    Do you actually work in corporate IT? Windows XP and IE6/7 dominate. Apple has little hope of taking hold in anything bigger than the art department at Comcast, and Linux is what the geekiest artist-type there uses at home.

    I'm not advocating Windows... I'm simply pointing out that they are not going anywhere.

    1. Re:I hate to ask, but... by Un pobre guey · · Score: 2, Insightful

      They can always dream, can't they?

    2. Re:I hate to ask, but... by DrgnDancer · · Score: 4, Insightful

      I dunno. I was a Linux Systems Administrator for a Fortune 50 company. I'm now a Linux Systems Administrator for the Federal Government. In both cases we also had limited use of Macs too. You didn't see that 10 years ago. I'll grant you "Faster than equatorial glaciers" may be hyperbole, but the monoculture is disappearing (Windows isn't disappearing by any means, just the monoculture).

      To a certain extent it's also somewhat of a moot point anyway. If people are using Macs or Linux at home that's still impacting malware authors. In fact it's impacting them worse in some respects. They count on the unpatched boxes in ma and pa's bedroom for a botnet vector. Smartphones are also a growing presence on the 'Net. They're not hugely important *yet* but at the rate they're going they will be.

      So yeah, for the time being you can still feel safe that 9/10 clients are Windows (which is still down a lot from 9.7/10). Smart criminals, just like smart companies, look ahead though. If trends continue as they are, 10 years from now it might be 7/10 clients (with the rest split between Macs, some Linux, and lots of mobile). 10 years after that? Who knows?

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
  6. Am I missing something? by by (1706743) · · Score: 4, Insightful
    From TFS:

    Malware targeting one or more of those processors would work regardless of what OS or applications were installed.

    Ok...but how are you planning on executing that? You can write a piece of code that exploits some chip vulnerability, and compile it for Windows -- but it still gives you no advantage over just writing something which targets Windows in the first place.

    And if you're capable of running arbitrary machine code on the host -- which is sort of what I take this article to suggest -- then you've got way bigger fish to fry in the security department...

    1. Re:Am I missing something? by antifoidulus · · Score: 5, Insightful

      Actually the biggest threat would be to VMs running on some big iron machine. If you and I are both running on a VM and I can exploit a CPU bug that allows me to break out of my sandbox then your data is in trouble even if you didn't let anyone else execute code in your VM.

    2. Re:Am I missing something? by phantomfive · · Score: 2, Insightful

      Not only that, when was the last time you heard of an exploit that attacked a chip? I can remember hearing about a vulnerability six years ago or so, but it was hard to exploit. Such an exploit would be nice, but I don't think they happen very often.

      --
      Qxe4
  7. Re:Huh? by danlip · · Score: 3, Insightful

    Sorry, but I've used AIX and it is not a perfectly reasonable OS.

  8. Catch 22 much ??? by Zero__Kelvin · · Score: 2, Insightful

    "Malware targeting one or more of those processors would work regardless of what OS or applications were installed."

    This is complete bullshit. First, you have to get your code to execute on my hardware, which you aren't about to do unless you compromise my OS. If you can't get your assembly code to run on the CPU in Ring 0 on the Intel Platform, for example, your processor specific malware, no matter how clever, is useless. If you can do so, you have already compromised my OS, so your code is useless.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    1. Re:Catch 22 much ??? by h4rr4r · · Score: 2, Insightful

      Not quite. If I am only in one VM and I want to break out then this sort of thing might be quite useful. If I had already exploited the host, then yes it would be a waste of time.

  9. CPUID registers ? by NemoinSpace · · Score: 2, Insightful

    Seems a lot easier to me for the majority of cases. A little ASM goes a long way. When in doubt, ASK!
    OK, now you can list all the architectures that don't specifically use CPUID, but they all (even PLCs) report what they are.

  10. Re:Huh? by FranTaylor · · Score: 4, Insightful

    Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.

  11. Who sponsored the research? by Un pobre guey · · Score: 3, Interesting

    So is the Ukrainian Mob giving out academic research grants these days? Not such a bad idea from their end.

  12. Re:Phew i'm good. by Anonymous Coward · · Score: 3, Funny

    Yeah, cuz "cat /proc/cpuinfo" is so frickin' hard to do.

    Security through obscurity FTW!
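The two comments above (NemoinSpace's "a little ASM goes a long way" and the /proc/cpuinfo one) make the same point: with native code, identifying the CPU is trivial. As an added example that is not from the original thread or from the ESIEA research, the C program below reads the vendor string and family/model/stepping directly from the CPUID instruction (via GCC/Clang's <cpuid.h>), decodes the signature with the extended-family/extended-model rule that Linux's cpu_detect() applies, and cross-checks against /proc/cpuinfo. This is the defender's version of the same trick: an inventory script that records exact family/model/stepping and microcode revision is what you need to check a fleet against an erratum and confirm that a microcode update actually landed. The /proc/cpuinfo text embedded in the block is a constructed sample; on a non-x86 build the CPUID part reports "unknown" instead of failing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif

/* Constructed sample in /proc/cpuinfo layout (values made up for the example). */
const char SAMPLE_CPUINFO[] =
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "cpu family\t: 6\n"
    "model\t\t: 142\n"
    "model name\t: Example CPU (constructed sample)\n"
    "stepping\t: 10\n"
    "microcode\t: 0xde\n"
    "flags\t\t: fpu vme de pse\n";

/* CPUID leaf 0: the 12-byte vendor string lives in EBX, EDX, ECX (in that order).
 * Returns 1 on success; on a non-x86 build writes "unknown" and returns 0. */
int cpuid_vendor(char vendor[13])
{
    strcpy(vendor, "unknown");
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &edx, 4);
    memcpy(vendor + 8, &ecx, 4);
    vendor[12] = '\0';
    return 1;
#else
    return 0;
#endif
}

/* EAX of CPUID leaf 1 (the processor signature), or 0 when CPUID is unavailable. */
unsigned int cpuid_leaf1_eax(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return eax;
#endif
    return 0;
}

/* Decode family/model/stepping from a leaf-1 EAX value. Extended family is added
 * only when the base family is 0xF; extended model is used for family >= 6. */
void decode_signature(unsigned int eax, unsigned int *family,
                      unsigned int *model, unsigned int *stepping)
{
    unsigned int fam = (eax >> 8) & 0xF;
    unsigned int mod = (eax >> 4) & 0xF;
    if (fam == 0xF)
        fam += (eax >> 20) & 0xFF;
    if (fam >= 0x6)
        mod += ((eax >> 16) & 0xF) << 4;
    *family = fam;
    *model = mod;
    *stepping = eax & 0xF;
}

/* Find "key<ws>: value" in /proc/cpuinfo-style text (first occurrence only).
 * The key must be followed by whitespace and a colon, so "model" does not
 * match the "model name" line. Returns 1 and copies the value, else 0. */
int cpuinfo_field(const char *text, const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    for (const char *line = text; *line; ) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        if ((size_t)(end - line) > klen && strncmp(line, key, klen) == 0) {
            const char *p = line + klen;
            while (p < end && (*p == ' ' || *p == '\t')) p++;
            if (p < end && *p == ':') {
                p++;
                while (p < end && (*p == ' ' || *p == '\t')) p++;
                size_t vlen = (size_t)(end - p);
                if (vlen >= outsz) vlen = outsz - 1;
                memcpy(out, p, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

int main(void)
{
    char vendor[13], field[64];
    unsigned int family, model, stepping;
    static char buf[1 << 16];

    cpuid_vendor(vendor);
    decode_signature(cpuid_leaf1_eax(), &family, &model, &stepping);
    printf("CPUID: vendor=%s family=%u model=%u stepping=%u\n",
           vendor, family, model, stepping);

    FILE *f = fopen("/proc/cpuinfo", "r");   /* Linux only; silently skipped elsewhere */
    if (f) {
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        if (cpuinfo_field(buf, "vendor_id", field, sizeof field))
            printf("/proc/cpuinfo: vendor_id=%s (%s CPUID)\n", field,
                   strcmp(field, vendor) == 0 ? "matches" : "differs from");
        if (cpuinfo_field(buf, "microcode", field, sizeof field))
            printf("/proc/cpuinfo: microcode=%s\n", field);
    }
    return 0;
}
```

The 0x000806EA signature used in the self-check decodes to family 6, model 142, stepping 10, which is why the constructed sample lists those values; the microcode line is the one to compare against the revision your vendor's errata sheet names.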

  13. Re:CPU Microcode is the next malware frontier by AuMatar · · Score: 2, Insightful

    To be useful, you'd need a microcode memory big enough to fit a decent program (doubtful), and do so without breaking the integrity of the machine (almost impossible) as well as have a chip that has writable microcode caches (does anything do this, other than maybe Transmeta)? Number 2 is a biggie: malware that breaks the CPU will quickly get the machine offline and RMAed. If you aren't online, you aren't doing anything useful for the malware. The trick for malware is to do what you want, while appearing as if you didn't even exist to the user.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  14. Re:Sparc, MIPS, PowerPC, ... are practically dead by jonwil · · Score: 3, Insightful

    Plenty of CPU architectures out there.
    ARM is out there in embedded devices.
    PowerPC is still popular in servers (and in games consoles)
    Plenty of things out there using MIPS including the Playstation Portable and all kinds of home routers

    And if you are talking really embedded devices, PIC, AVR and others are still going strong.
    Even old-school architectures like the Zilog Z80 and Motorola 68000 are still going strong in many areas.

  15. Apple has even less hope now by Sycraft-fu · · Score: 2, Insightful

    With the discontinuation of their Xserves they've quite clearly said "We don't really care about the enterprise market." Can't say I'm surprised, consumer electronics is where they've been making tons of money. However it does mean that any growth potential they had in business markets is likely to dry up. That just means the market will continue to be solidly MS for now.

    1. Re:Apple has even less hope now by h4rr4r · · Score: 2, Interesting

      The enterprise market for servers has never been solidly MS. The Xserve was not a popular product, no one wanted to pay Apple prices to run a Unix. If you want to do that you could have always bought a Sun box. The rest of the enterprise wanted to run Linux on commodity hardware.

    2. Re:Apple has even less hope now by wvmarle · · Score: 2, Informative

      Personally I see Apple's strong point as the user interface, and the design of the cases they put their hardware in. Neither are important for servers.

      A server has to sit in a corner, fit nicely so square (or for bigger setups: rackable) is preferred. Most of them don't have a monitor attached so a GUI is also unwanted.

      Then what reason is there to pay an Apple price for a server?

      Microsoft has a similar problem: their strong point is also the user interface, as that's what Windows is about after all. Windows is a desktop oriented OS, with server capabilities tacked on to it.

  16. Re:Ok, maybe this is too simple but by WrongSizeGlass · · Score: 4, Insightful

    Just for my own education, how would a processor-specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with its own ethernet drivers? Its own TCP/IP stack? If it's not relying on the OS to do its dirty work then what does it do besides figuring out your CPU type?

  17. Re:The road to profit. by arth1 · · Score: 2, Insightful

    Except that by adding the requirement of "cat /proc/cpu", you're back to being OS-specific, which defeats the premise of TFA.

  18. Peak windows. by mevets · · Score: 4, Insightful

    My guess is the AV companies are sensing that 'peak windows' has passed, and are manufacturing a new market.
    The reason to run AV software on other platforms is to avoid inadvertently forwarding viruses to Windows users. Not a compelling story.

  19. Re:Software Warming by MrEricSir · · Score: 2, Funny

    You mean the Department of Justice?

    --
    There's no -1 for "I don't get it."
  20. I think I can explain the real threat here... by junglebeast · · Score: 2, Insightful

    There is no cross-platform instruction to call the CPUID assembly instruction...so you can only use CPUID if you can run native code on the computer, and if you can do that, you've already broken in so you don't need it.

    Now imagine that you are running some generic code like javascript...which has a limited instruction set and is possibly even being run in a browser based sandbox. If you can use simple floating point arithmetic to detect the processor type, and then you know that this particular processor has a flaw such that if you evaluate: "44.5 / 222.3 + 1" then the following benign string literal in javascript gets interpreted as native binary code which executes outside of the "sandbox" imposed by the limitations of the language...do you get what I'm saying?

    1. Re:I think I can explain the real threat here... by wvmarle · · Score: 3, Interesting

      Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.

      Regardless it makes me wonder why you need to know the processor type in the first place? Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original javascript program.

  21. Did anyone else read this as by Snufu · · Score: 2, Funny

    '...professor specific malware?'

    I've had to sit through my share of boring lectures, but isn't this carrying things a bit far?

  22. Re:Sparc, MIPS, PowerPC, ... are practically dead by forkazoo · · Score: 2, Funny

    You forgot SPARC.

    The handful of people who haven't are doing their best.

  23. Re:Ok, maybe this is too simple but by hairyfeet · · Score: 5, Insightful

    Not to mention it is totally nuts from a malware writer's POV. You have roughly 93% of the business and home desktops running WinOS, with a good portion of those still running the "Hey, let's all run as admin everybody!" XP, and with the huge amounts of home users now on fast connections with NO clue as to whether they are up to date or even if their AV works, jumping through all those hoops to base your malware on a specific CPU would not only be silly it would be purposely limiting your target.

    If everyone wants to know what the big targets of the future is gonna be, let this old PC repair guy fill you in: On the home front it'll be Adobe everything, thanks to them not working with MSFT to have updates to their software pushed through Windows Updates so it is ALWAYS out of date, drive by malware courtesy of social sites like FaceBook, JavaScript malware o' the day pushed by the above, and on the mobile side I'm expecting a huge iOS and Android bug any day now, even though with the shitty USA phone networks you won't be getting as much as with a cable or DSL connection, simply because all the malware guys want to go "I did it! Yep, it was me!", and finally don't forget the EVER popular "ZOMG! U Got teh Viruz!!! Run thiz and turn off your broken AV pleasz!" fake AV crap that still spreads like the clap.

    So there you go. While some researcher may think the "next wave" will be some uber super hacker shit, I'm willing to bet the pickings are just too easy the way things are for most malware guys to care. Maybe when 2014 rolls around and folks have to either buy new machines or upgrade away from XP will we see things change, as UAC, ASLR, and DEP do make it harder for malware along with WoW on x64, but right now there are still hundreds of millions on XP, and if you add in the ones that will happily turn off their AV just to see the dancing bunnies or will run "special codecs" to see teh prons, well that is a hell of a lot of easy pickings. Remember folks, criminals are just like any other predator and are inherently lazy. If they can nail lots of prey without hardly any work then that is what they WILL do, and working on these machines 6 days a week I can tell you there is a LOT of easy prey out there. No "super uber CPU specific hacks" required.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  24. Re:Software Warming by davester666 · · Score: 3, Insightful

    The department of justice no longer does what you think it does.

    It switched over the last decade or two from the department that does justice for you, to the department that does justice TO you.

    --
    Sleep your way to a whiter smile...date a dentist!
  25. Re:Ok, maybe this is too simple but by hairyfeet · · Score: 2, Funny

    Uhhh...is ANY of that supposed to be English, or is it like a bad FOSS troll meme generator I haven't heard about? If not you might want to get back on your meds dude, as that little rant of yours reads like someone on meth with ADHD.

    --
    ACs don't waste your time replying, your posts are never seen by me.
  26. Re:Ok, maybe this is too simple but by gl4ss · · Score: 4, Insightful

    it's just fud. early stage fud. from france.

    you know, research for the sake of research for the sake of getting more money to do more research.

    besides that: have they not heard of cpuid? -DDD the hardest part of this attack definitely wouldn't be figuring out which cpu the computer has.

    so they're tackling the EASIEST part of this, just figuring out which cpu the running host has. they would still have to find application specific holes to get their fingerprinting code to actually run on the target systems. on top of that their fingerprinting depends on you getting to run native code on the target system, after that I suppose the aim is to raise privileges of the running process to actually do a hack however that would still be very os/app specific.

    the whole effort seems quite absurd, except from academia point of view which is to just suck in money while doing nothing.

    --
    world was created 5 seconds before this post as it is.
  27. ESIEA is not "Superiore" but "Supérieure" by Anonymous Coward · · Score: 2, Informative

    ESIEA is "École Supérieure d'Informatique, Électronique, Automatique".
    With "supérieure", not "superiore" (which is, maybe, Italian?). Please also note the usage of the accents on some of the letters (even the capitals, as allowed in French, even if some of the French people do not know their usage (!))

      Merci.

    (A verbatim translation of ESIEA would give something like "High School for Computer Science, Electronic and Control Engineering", however, an "École Supérieure" in France is more like a college in the US, not a high school.)

  28. Re:Ok, maybe this is too simple but by jimicus · · Score: 2, Interesting

    It's rumour, take it with as much or as little salt as you think it needs. But a quick Google for malware UAC shows:

    http://www.zdnet.com/blog/security/windows-7s-default-uac-bypassed-by-8-out-of-10-malware-samples/4825

    http://www.theregister.co.uk/2009/02/04/windows_uac_flaw/

    And IIRC there was a piece of malware that was signed using a genuine, valid certificate that was issued to Realtek. Looks like I do RC:

    http://news.softpedia.com/news/Signed-Malware-Used-Valid-Realtek-Certificate-147942.shtml

      - this would walk all over the protection offered by ASLR and DEP because it wouldn't need to be injected into another running process.

    Having said all that, I never for one minute believed the death of XP would mean the end of malware. It's become a full-blown industry in its own right these days, and a lot of money is involved. Those who do it aren't going to let a bunch of acronyms that make their job a little harder until such time as they've put whatever functionality they need to work around it into a library any more than burglars all gave up and started going straight with the advent of modern locks.

  29. Re:Do it from Javascript by drsmithy · · Score: 2, Informative

    While your premise is correct, your conclusion is not. Downclocking wasn't added to CPUs to save electricity, but to reduce temperature. Saving electricity is a side effect.

    Downclocking was first added to mobile CPUs, and you can rest assured it was to save electricity (= battery).

  30. Re:Huh? by Narishma · · Score: 2, Informative

    And even in your house PPC isn't dead. All current generation consoles use PPC processors.

    --
    Mada mada dane.