Stealthy malware that can sneak onto machines during the boot process
and remain undetected indefinitely is one of the brass rings of
security research. There have been a number of tools developed over the
years that aimed to accomplish this goal, with Joanna Rutkowska's Evil Maid
attack being perhaps the most famous. Now a developer in Canada has
produced a similar tool that impersonates the CHKDSK utility and can
grab a user's password and then exit without the user's knowledge.
The utility is designed to look like the Windows CHKDSK tool, which looks for errors or problems with a hard disk before a machine boots. CHKDSK will execute if the system detects a logical error and then attempt to fix it, and anyone who's been a Windows user for more than a year or two definitely has seen the utility pop up.
The Evil Maid CHKDSK utility written by Alex Weber is designed to load from a USB device and will present the user with a screen that looks just like the actual CHKDSK screen, saying that the tool is checking the volume on the C: drive for errors. The tool shows a message saying, "One of your drives needs to be checked for consistency. You must perform this check before rebooting."
The tool then asks the user to enter his password, which is the hook. The actual CHKDSK utility doesn't make this request. Once the user enters her password, the fake utility will write the password to the USB drive and then exit. Weber said in an email interview that the tool could be adapted to run on operating systems besides Windows.
"It makes use of standard PC BIOS interrupts and 16-bit real-mode assembly, which is I think supported by every x86/x86-64 PC out there. It doesn't rely on (or even know about, truthfully) the operating system on the computer, so yes, it could target other operating systems with very little work. It basically comes down to changing the messages that the user sees," Weber said.
Obviously, the attacker would need physical access to the victim's machine in order to execute this attack. Weber said that he considers his utility a work in progress.
Security researchers--not to mention attackers and malware authors--have been working on various forms of stealthy, low-level malware such as bootkits for years now. The idea, of course, is to place the malware on the victim's machine quietly and in such a privileged position on the PC that it will survive reboots and system reinstalls. This gives the attacker control of the machine at its most basic level and the ability to, for example, record user actions.
The Evil Maid attack implemented by Rutkowska in 2009 was designed to defeat the TrueCrypt full-disk encryption program in a manner similar to the one Weber's utility uses. Booted from a USB drive, Rutkowska's tool installs a small sniffer that waits for the user to enter his TrueCrypt passphrase, which it then records. The user would not see any indication that the attack had taken place. The tool is named Evil Maid in reference to a malicious hotel maid implementing it against an unsuspecting hotel guest.
Weber said his utility works silently, as well, but after the compromise there is an indication that something has happened.
"There is one very obvious indication of compromise that I haven't found a solution to - Windows will ask the user to format the drive because the drive won't contain a (valid) partition table. I don't know of a way around that, but that's why the code is on Github :) Perhaps writing a bare-bones partition table to the drive along with the password would prevent that," Weber said.
"I don't think it's a terribly useful tool until that's resolved, but my main design goal was to only use the MBR [master boot record] - I literally used every single byte available."
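The indicator Weber describes above, a USB drive whose first sector carries boot code but no valid partition table, is something a defender or forensic examiner can check for directly. The Python below is an added illustration, not code from the article or from Weber's project: it parses a 512-byte MBR (the 446-byte boot-code area, four 16-byte partition entries, and the 0x55AA boot signature), and classifies the sector as a normal MBR, a sector with boot code and an empty partition table (the symptom that makes Windows prompt to format the drive), or an unformatted sector. The sample sectors are constructed inline for the demonstration, and the device path passed to read_sector0 is an assumption the caller supplies.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16         # four entries, 446..509
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511 of a valid MBR
# Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
ENTRY_FORMAT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    bootable: bool
    part_type: int
    lba_start: int
    sector_count: int

    @property
    def in_use(self) -> bool:
        # A zero type or zero length means the slot is unused.
        return self.part_type != 0 and self.sector_count != 0


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition slots of a 512-byte sector 0 image."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        entries.append(PartitionEntry(status == 0x80, ptype, lba_start, count))
    return entries


def assess_mbr(sector: bytes) -> Dict[str, object]:
    """Classify sector 0: valid table, boot code with no table, or no signature."""
    entries = parse_partition_table(sector)
    has_signature = sector[510:512] == BOOT_SIGNATURE
    used = [e for e in entries if e.in_use]
    # Any non-zero byte in the code area means something executable was written there.
    has_boot_code = any(sector[:PARTITION_TABLE_OFFSET])
    # Entries that overlap on disk are a sign of a hand-crafted or corrupt table.
    overlaps = False
    ordered = sorted(used, key=lambda e: e.lba_start)
    for a, b in zip(ordered, ordered[1:]):
        if b.lba_start < a.lba_start + a.sector_count:
            overlaps = True
    if not has_signature:
        verdict = "no boot signature"
    elif overlaps:
        verdict = "overlapping partitions"
    elif not used and has_boot_code:
        verdict = "boot code without partition table"
    elif not used:
        verdict = "empty partition table"
    else:
        verdict = "valid"
    return {"signature": has_signature, "boot_code": has_boot_code,
            "partitions": len(used), "overlap": overlaps, "verdict": verdict}


def read_sector0(path: str) -> bytes:
    """Read the first 512 bytes of a disk image or block device (path is caller-supplied)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, entries: Sequence[Tuple[int, int, int, int]] = ()) -> bytes:
    """Assemble a constructed sector 0 image for testing; not taken from any real disk."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:PARTITION_TABLE_OFFSET]
    sector[:len(code)] = code
    for i, (status, ptype, lba_start, count) in enumerate(entries[:4]):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        struct.pack_into(ENTRY_FORMAT, sector, off, status, ptype, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: NOP filler stands in for boot code; the NTFS entry is made up.
NORMAL_MBR = build_mbr(b"\x90" * 64, [(0x80, 0x07, 2048, 1_000_000)])
CODE_ONLY_MBR = build_mbr(b"\x90" * 446)        # signature present, table all zero
BLANK_SECTOR = bytes(SECTOR_SIZE)               # never formatted, no signature

if __name__ == "__main__":
    for name, sec in (("normal", NORMAL_MBR), ("code-only", CODE_ONLY_MBR), ("blank", BLANK_SECTOR)):
        print(name, assess_mbr(sec))
```

Run against a removable drive's sector 0 (for example an image taken with dd), a "boot code without partition table" verdict is exactly the state the quote describes: the BIOS will happily boot the sector, while the operating system sees no usable volume.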
Courtesy By Dennis Fisher