Stealth Malware: Interview with Joanna Rutkowska

By | March 27, 2006

In this interview Joanna Rutkowska, an independent security researcher, discusses malware stealth techniques and their security ramifications. Joanna focuses on discovering new infection techniques, as well as methods to protect against them.

Can you tell us a little bit about your background and your work?

I'm a security researcher working on IT security related projects for various companies around the world. I mainly focus on stealth malware technology, researching both new offensive techniques, as well as methods to protect against them. Several years ago, before I got involved in stealth technology research, I was focusing on exploit development (but not bug finding) for both Linux and Windows.

Based on the research you have conducted, please explain to us what malware stealth techniques are.

It's all about pretending that 'everything is alright', while in fact it is not. To achieve this goal malware can either decide to subvert various operating system mechanisms, so that the information accessible to other system monitoring tools or users is falsified (we usually talk about 'hiding' various objects, like processes, kernel modules, files, registry keys, etc.). This is how most of the malware works today.

The other option to achieve stealth is… not to create any suspicious objects in the system, like extra processes, thus being "Stealth by Design". Writing such malware is however significantly more difficult than writing a classic malware, thus SbD malware is still not very popular.

It's also worth mentioning that stealth techniques are not only used for malicious purposes; very similar ideas are also exploited by, for example, some honeypot systems.
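The answer above describes rootkits that subvert an operating system mechanism so that process-listing tools are lied to. A standard defensive check against exactly that kind of hiding is a cross-view comparison: obtain the same information through two independent paths and diff them. The module below is an added example written for this page; it is not Joanna Rutkowska's code and is not tied to any particular rootkit. It assumes a Linux host for the two live views (the `/proc` directory and signal-0 probing of PIDs); the function names and the `SAMPLE_*` PID sets are constructed for illustration.

```python
"""Cross-view detection of hidden processes (added defensive example)."""
import os

# Constructed sample views (not captured from a real host): the tool-facing
# view is missing PID 4242, which the kernel still acknowledges.
SAMPLE_PROC_VIEW = {1, 2, 100, 101, 500}
SAMPLE_PROBE_VIEW = {1, 2, 100, 101, 500, 4242}


def pids_from_proc(proc_root="/proc"):
    """High-level view: numeric directory names under /proc, which is what
    `ps` and most monitoring tools read and what a rootkit typically filters."""
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return set()  # non-Linux host or unreadable /proc: empty view
    return {int(name) for name in entries if name.isdigit()}


def _pid_max(default=32768):
    """Upper bound for the probe, read from the kernel when available."""
    try:
        with open("/proc/sys/kernel/pid_max") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def pids_from_signal_probe(max_pid=None):
    """Low-level view: ask the kernel about every candidate PID with signal 0.
    kill(pid, 0) delivers nothing; it only reports whether the PID exists.
    ProcessLookupError (ESRCH) means absent; PermissionError (EPERM) means the
    process exists but belongs to another user, which still counts as alive."""
    alive = set()
    for pid in range(1, (max_pid or _pid_max()) + 1):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue
        except PermissionError:
            alive.add(pid)
    return alive


def cross_view_diff(high_level_view, low_level_view, ignore=frozenset()):
    """Return PIDs the low-level view knows about but the high-level view
    does not. `ignore` holds PIDs that are allowed to differ (for example
    short-lived helpers spawned by the checker itself)."""
    return sorted(set(low_level_view) - set(high_level_view) - set(ignore))


def detect_hidden_processes(rounds=2):
    """Take both views `rounds` times and report only PIDs that are missing
    from the high-level view in every round. Intersecting across rounds
    filters out races with processes that start or exit between snapshots;
    a PID that is consistently acknowledged by the kernel but absent from
    /proc is a candidate hidden object worth investigating."""
    hidden = None
    for _ in range(rounds):
        low = pids_from_signal_probe()
        high = pids_from_proc()
        found = set(cross_view_diff(high, low, ignore={os.getpid()}))
        hidden = found if hidden is None else hidden & found
    return sorted(hidden or set())


if __name__ == "__main__":
    print("constructed sample:", cross_view_diff(SAMPLE_PROC_VIEW, SAMPLE_PROBE_VIEW))
    print("live host:", detect_hidden_processes())
```

The comparison is deliberately kept as a pure function over two sets so it can be driven by any pair of views (a kernel-module list versus a memory walk, a directory listing versus raw filesystem metadata, and so on); the live PID gatherers are just one concrete pair. A rootkit that has hooked both paths will defeat this particular check, which is the same "every public detector can be cheated" point the interview makes about detectors in general.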

What are the security threats posed by stealth malware?

Not knowing that your network and systems are compromised is much worse, in my opinion, than just a traditional, 'noisy' attack, like DDoS or website subversion.

What does stealth malware mean to the end user?

For the end user it doesn't really matter if the computer was infected by stealth malware or just any other type of malware, like a classic virus or worm. All the end user is aware of is that it's a 'bad thing' and all he or she is really interested in doing is to get rid of it as soon as possible.

End users always rely on some AV, all-in-one, solution where the whole user interaction and awareness is limited to pressing the 'Scan' button. And this is, in fact, a very right approach in my opinion.

The problem however, which we face today, is that every public detector can always be cheated, provided that malware has already gained super-user privileges (which today means being able to act at the same privilege level as the trusted operating system code does) and knows exactly what the detector program looks like. It should be obvious that it's always possible for the malware to e.g. patch a specific instruction in such a program, e.g. the branching 'IF' instruction, in such a way that, although the detector detects the intruder, the action it takes will always be the same as if it didn't detect anything. Using various executable morphing/encryption methods only makes things harder for the attacker, but it is still *always* possible to bypass such protection.

That is not good news for the end user and this is currently one of the most important problems which all AV companies are facing today. It's worth noting that this kind of attack became very popular about 1-2 years ago and was popularized by the infamous Hacker Defender project, offering commercial versions of a rootkit, which was armored with a set of implementation-specific attacks against many popular rootkit detectors on the market. The 'Hacker Defender Shop' seems to have been closed for a few weeks, but it really doesn't change anything.

What is the future for malware?

Malware has, in general, two goals: to do something bad or funny or useful for its author and, the second goal is, to remain undetected as long as possible…

It's very hard to predict what malware authors would like to achieve with their malware in the future… Years ago, in the era of file infectors, people were just happy if their virus was able to spread, usually without doing any harm and without installing any backdoors.

Today we observe that malware writing has become quite commercialized, so now those programs are interested in stealing our online banking passwords or helping to send out spam… Predicting what they might be interested in doing tomorrow is probably more of an interest for sociologists…

As to the other goal, well… it's just an endless arms race between bad and good guys (and gals) and both sides are very interdependent. Too interdependent, in my opinion, as what we usually see on the defending side is just temporary workarounds for what is seen from the offending front… In my opinion, and this specifically applies to AV companies, people are too much focused on the malware that exists in the wild and on addressing only those threats, rather than thinking about the future and trying to come up with more generic approaches. Of course, similar things happen on the offending side, as much of the malware we see is not innovative at all: it's again just a temporary workaround against the latest AV programs… Of course, exceptions do exist and I would say it's more common to see very innovative approaches on the 'bad' front rather than on the good side.

I personally think that the holy grail for those few people interested in creating this more interesting malware is to achieve such a level of stealthiness that even though the algorithm of the infection were known it wouldn't be possible to detect such malware… It would be something similar to what we have in cryptography today: we know the algorithms, but cannot decrypt the cipher without knowing the secret key… I'm not saying that creating such malware is possible… I'm not denying it either.

In your opinion, what is the biggest security threat for business at the moment?

If I were responsible for the safety of some company's network I would definitely be most afraid of a silent penetration, which could exploit sophisticated stealth techniques to remain undetected by anybody for months… Maybe I'm paranoid (in fact I probably am), but knowing the defensive technology which is on the market these days and also knowing *some* of the state of the art stealth technology we have today, I believe that such a scenario is quite likely to be happening in the wild.
