Research Inches Toward Processor-Specific Malware
chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: it's not easy to figure out what kind of CPU a device is running. But researchers at France's Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."
volatile double x = 4195835.0, y = 3145727.0; /* the classic Pentium FDIV test values, as floating point so the product cannot overflow */
double err = (x / y) * y - x;                  /* about -256 on a flawed Pentium, within rounding of 0 otherwise */
if( err < -1.0 || err > 1.0 ){
    cpu = "Intel Pentium";
}
"Windows/Office/IE monoculture is disappearing faster than equatorial glaciers..."
Do you actually work in corporate IT? Windows XP and IE6/7 dominate. Apple has little hope of taking hold in anything bigger than the art department at Comcast, and Linux is what the geekiest artist-type there uses at home.
I'm not advocating Windows... I'm simply pointing out that they are not going anywhere.
Malware targeting one or more of those processors would work regardless of what OS or applications were installed.
Ok...but how are you planning on executing that? You can write a piece of code that exploits some chip vulnerability, and compile it for Windows -- but it still gives you no advantage over just writing something which targets Windows in the first place.
And if you're capable of running arbitrary machine code on the host -- which is sort of what I take this article to suggest -- then you've got way bigger fish to fry in the security department...
Sorry, but I've used AIX and it is not a perfectly reasonable OS.
Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.
So is the Ukrainian Mob giving out academic research grants these days? Not such a bad idea from their end.
Yeah, cuz "cat /proc/cpuinfo" is so frickin' hard to do.
Security through obscurity FTW!
Plenty of CPU architectures out there.
ARM is out there in embedded devices.
PowerPC is still popular in servers (and in games consoles)
Plenty of things out there using MIPS including the Playstation Portable and all kinds of home routers
And if you are talking really embedded devices, PIC, AVR and others are still going strong.
Even oldschool architectures like the Zilog Z80 and Motorola 68000 are still going strong in many areas.
Just for my own education, how would a processor specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with its own ethernet drivers? Its own TCP/IP stack? If it's not relying on the OS to do its dirty work then what does it do besides figuring out your CPU type?
My guess is the AV companies are sensing that 'peak windows' has passed, and are manufacturing a new market.
The reason to run AV software on other platforms is to avoid inadvertently forwarding viruses to Windows users. Not a compelling story.
Not to mention it is totally nuts from a malware writer's POV. You have roughly 93% of the business and home desktops running WinOS, with a good portion of those still running the "Hey, let's all run as admin everybody!" XP, and with the huge amounts of home users now on fast connections with NO clue as to whether they are up to date or even if their AV works, jumping through all those hoops to base your malware on a specific CPU would not only be silly, it would be purposely limiting your target.
If everyone wants to know what the big targets of the future are gonna be, let this old PC repair guy fill you in: On the home front it'll be Adobe everything, thanks to them not working with MSFT to have updates to their software pushed through Windows Updates so it is ALWAYS out of date, drive by malware courtesy of social sites like FaceBook, JavaScript malware o' the day pushed by the above, and on the mobile side I'm expecting a huge iOS and Android bug any day now, even though with the shitty USA phone networks you won't be getting as much as with a cable or DSL connection, simply because all the malware guys want to go "I did it! Yep, it was me!", and finally don't forget the EVER popular "ZOMG! U Got teh Viruz!!! Run thiz and turn off your broken AV pleasz!" fake AV crap that still spreads like the clap.
So there you go. While some researcher may think the "next wave" will be some uber super hacker shit, I'm willing to bet the pickings are just too easy the way things are for most malware guys to care. Maybe when 2014 rolls around and folks have to either buy new machines or upgrade away from XP will we see things change, as UAC, ASLR, and DEP do make it harder for malware along with WoW on x64, but right now there are still hundreds of millions on XP, and if you add in the ones that will happily turn off their AV just to see the dancing bunnies or will run "special codecs" to see teh prons, well that is a hell of a lot of easy pickings. Remember folks, criminals are just like any other predator and are inherently lazy. If they can nail lots of prey without hardly any work then that is what they WILL do, and working on these machines 6 days a week I can tell you there is a LOT of easy prey out there. No "super uber CPU specific hacks" required.
ACs don't waste your time replying, your posts are never seen by me.
The department of justice no longer does what you think it does.
It switched over the last decade or two from the department that does justice for you, to the department that does justice TO you.
Sleep your way to a whiter smile...date a dentist!
Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.
Regardless it makes me wonder why you need to know the processor type in the first place? Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original javascript program.
it's just fud. early stage fud. from france.
you know, research for the sake of research for the sake of getting more money to do more research.
besides that: have they not heard of cpuid? :-DDD the hardest part of this attack definitely wouldn't be figuring out which cpu the computer has.
so they're tackling the EASIEST part of this, just figuring out which cpu the running host has. they would still have to find application specific holes to get their fingerprinting code to actually run on the target systems. on top of that their fingerprinting depends on you getting to run native code on the target system, after that I suppose the aim is to raise privileges of the running process to actually do a hack however that would still be very os/app specific.
the whole effort seems quite absurd, except from academia point of view which is to just suck in money while doing nothing.
world was created 5 seconds before this post as it is.
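As an added example, not code from the article, the ESIEA paper or any commenter: the two ways a program can learn its CPU that this thread argues over, the documented CPUID vendor query the comment above points at, and an FDIV-style floating-point probe of the kind the summary's fingerprinting approach generalises. It assumes GCC/Clang's <cpuid.h> on x86 and reports "unknown" on other architectures.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>   /* GCC/Clang wrapper around the CPUID instruction */
#endif

/* Copies the 12-byte CPUID vendor string (e.g. "GenuineIntel") into out
 * (at least 13 bytes). Returns 1 on success, 0 if CPUID is unavailable. */
int cpu_vendor(char out[13]) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(0, &eax, &ebx, &ecx, &edx))
        return 0;
    memcpy(out, &ebx, 4);       /* the string is laid out EBX, EDX, ECX */
    memcpy(out + 4, &edx, 4);
    memcpy(out + 8, &ecx, 4);
    out[12] = '\0';
    return 1;
#else
    strcpy(out, "unknown");     /* non-x86 build: no CPUID here */
    return 0;
#endif
}

/* Length of the vendor string actually obtained: 12 on x86, 0 elsewhere. */
int cpu_vendor_length(void) {
    char v[13];
    return cpu_vendor(v) ? (int)strlen(v) : 0;
}

/* Behavioural probe in the spirit of the FDIV test: a flawed Pentium
 * returns 4195579 for 4195835/3145727*3145727, an error of -256.
 * volatile stops the compiler folding the division at build time, which
 * would measure the compiler's arithmetic instead of the CPU's. */
int fdiv_division_correct(void) {
    volatile double x = 4195835.0, y = 3145727.0;
    double err = (x / y) * y - x;
    if (err < 0) err = -err;
    return err < 1.0;           /* 1 on a correct FPU, 0 on a buggy one */
}

int main(void) {
    char vendor[13];
    if (cpu_vendor(vendor))
        printf("CPUID vendor: %s\n", vendor);
    else
        printf("no CPUID on this architecture\n");
    printf("FDIV probe: %s\n", fdiv_division_correct() ? "correct" : "FLAWED");
    return 0;
}
```

The point for defenders is the one the comment makes: with native code already running, CPU identification costs one instruction, so hiding the processor model is no defence; the work is in keeping untrusted native code from running at all.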