Research Inches Toward Processor-Specific Malware

chicksdaddy writes "The Windows/Office/IE monoculture is disappearing faster than equatorial glaciers — Mac OS X and iOS, Linux and Android ... and whole new application ecosystems to go with each. That's bad news for malware authors and other bad guys, who count on 9.5 out of 10 systems running Windows and Microsoft applications to do their magic. What's the solution? Why, hardware specific hacks, of course! After all, the list of companies making CPUs is far smaller than, say, the list of companies making iPhone applications. Malware targeting one or more of those processors would work regardless of what OS or applications were installed. There's just one problem: its not easy to figure out what kind of CPU a device is running. But researchers at France's Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) are working on that problem. Threatpost.com reports on a research paper that lays out a strategy for fingerprinting processors by observing subtle differences in the way they perform complex floating point calculations. The method allows them to distinguish broad subsets of processor types by manufacturer, and researchers plan to refine their methods and release a tool that can make specific processor fingerprinting a snap."

Why hardware specific?

[Musically_ut]

Isn't it still far easier to specialize malware for specific softwares rather than trying to heuristically determining the hardware being used and then trying to exploit that?

Also, how protected is the type of the processor and the other hardware used in a machine? I would imagine that exposing this information (such that your PC has a GPGPU) to software might help the software work better. To me, it seems that this gain easily outweigh the risks involved.

Who sponsored the research?

[Un pobre guey]

So is the Ukrainian Mob giving out academic research grants these days? Not such a bad idea from their end.

Do it from Javascript

[Anonymous Coward]

You know, assuming Javascript engines in web browsers use the FPU to do floating point math operations, you could roughly categorize what hardware visitors to your website use.

And/or you could run a JS benchmark, and on the server side have baseline benchmark results for different web browsers and web browser versions on known hardware configurations - and then use that to deduce the user's clock speed. That is assuming that they aren't running anything else at the same time, but 99% of the time desktop systems are idle. You could do a run of 5 benchmarks over a period of say 30 seconds and throw out the outliers.

Of course you could combine this with the kind of stuff Panopticlick [eff.org] does, like detect the screen size, time zone, flash variables etc. For extra evil points, combine it with Samy Kamkar's evercookie [samy.pl].

Re:Apple has even less hope now

[h4rr4r]

The enterprise market for servers has never been solidly MS. The Xserve was not a popular product, no one wanted to pay apple prices to run a unix. if you want to do that you could have alway bought a Sun box. The rest of the enterprise wanted to run linux on commodity hardware.

Re:Ok, maybe this is too simple but

[macs4all]

Just for my own education, how would a processor specific piece of malware 'get in' if it isn't delivered via software that can run on the host's OS? And how would it spread out of the computer it's infecting? Is it going to come with it's own ethernet drivers? It's own TCP/IP stack? If it's not relying on the OS to do its dirty work than what does it do besides figuring out your CPU type?

Exactly what I was thinking.

Correct me if I'm wrong, but doesn't ALL malware exploit vulnerabilities in an application or an OS? So, as you say, unless the malware carries its own network and likely filesystem drivers (and then WHICH filesystem, WHICH NIC?), WTF can it really DO?

also

[Anonymous Coward]

there is the possiblity of making it impossible for someone without say specialised JAG hardware to reflash the firmware, so once its compromised it cant be uncompromised. then there are the couterfiet bits of hardware with could be designed with backdoors that also lead to hardware that cannot be uncompromised, even if it goes into a super dormant state.

there are ways of communicating stenographically using timing delays in typing or network packets, so its actually starting to get pretty difficult to clean your system. not like removing a hdd and sticking it into a dock of a clean machine and wiping mbr+whole drive etc.

Re:Huh?

[Anonymous Coward]

Well that is your problem. You don't "use" AIX, you install your server applications on it and you leave it alone.

Actually, "you" don't use AIX at all..your dedicated IBM representative "deploys the end-to-end AIX solutions framework" on your behalf

Re:I think I can explain the real threat here...

[wvmarle]

Reason to launch an attack like this (I get your idea; but no idea whether it really works like that) is that the ecosystem is smaller, just a few processors to care about. Now you're exploiting a specific bug: I wonder whether such bugs (if they are possible and exist) would last in between major revisions of Intel's or AMD's processor lines.

Regardless it makes me wonder why you need to know the processor type in the first place? Isn't it possible to craft your software in a way that if the bug is hit the next code is run as assembly (a few bytes is enough to jump to where the real code is), but if the attack fails the program will continue to execute and just launch the next attack? Trial and error basically... just try a bunch of attacks and see which works... and as soon as one works you're in and can forget about the rest of your original javascript program.

Re:Ok, maybe this is too simple but

[jimicus]

It's rumour, take it with as much or as little salt as you think it needs. But a quick google for malware UAC shows:

http://www.zdnet.com/blog/security/windows-7s-default-uac-bypassed-by-8-out-of-10-malware-samples/4825 [zdnet.com]

http://www.theregister.co.uk/2009/02/04/windows_uac_flaw/ [theregister.co.uk]

And IIRC there was a piece of malware that was signed using a genuine, valid certificate that was issued to Realtek. Looks like I do RC:

http://news.softpedia.com/news/Signed-Malware-Used-Valid-Realtek-Certificate-147942.shtml [softpedia.com]

  - this would walk all over the protection offered by ASLR and DEP because it wouldn't need to be injected into another running process.

Having said all that, I never for one minute believed the death of XP would mean the end of malware. It's become a full-blown industry in its own right these days, and a lot of money is involved. Those who do it aren't going to let a bunch of acronyms that make their job a little harder until such time as they've put whatever functionality they need to work around it into a library any more than burglars all gave up and started going straight with the advent of modern locks.