Virus Writers Look Ahead: Target 64-bit Windows
Ashcrow writes "A new virus, named W64.Shruggle.1318 by Symantec, is being 'tested' on AMD64 machines running 64-bit Windows. While it is not currently a danger to 64-bit Windows users, it does show that virus writers are looking toward the future. The exploitable software in question is currently unreleased outside of beta. News.com has the full article."
Interesting. (Score:5, Interesting)
Re:Interesting. (Score:5, Informative)
Since the memory is shifted around in bigger chunks, they will have to readjust their code to pump more useless data to reach the memory address they want.
Many exploits / worms are made with specific memory locations in mind in order to inject malicious code into them.
Re:Interesting. (Score:5, Informative)
The techniques you describe are usually used by worms.
Re:Interesting. (Score:3, Interesting)
Re:Interesting. (Score:4, Informative)
In AMD64 (and some other architectures) pages have one more permission: they can be read, written AND executed, and pages in the data section of a program (where you store all dynamic data, variables, arrays, etc., and buffer overflow exploits) have the NX (no execute) bit set by default.
Re:Interesting. (Score:2, Interesting)
Re:Interesting. (Score:4, Informative)
Um, you do realize that Linux contains quite a bit of architecture-specific stuff, which can be enabled or disabled at configure time? Such as support for SMP or NUMA, for example...
Coming to think about it, I don't think a 32-bit processor would be much amused being treated like a 64-bit one, and yet Linux supports both...
Re:Interesting. (Score:5, Interesting)
Software is made to be compatible, Windows has code written into it to help with compatibility, and the processors have extensions. Windows also has code in order to take advantage of the 64-bit processor's abilities to their fullest. While there are compatibility options available, most of the code that Windows executes was made for the 64-bit CPU (I should say most of the *compiled* code... I'm not sure how much of a rewrite was needed for porting, as opposed to compiler changes.)
With new code comes new holes, obviously. And the same can be said for third-party software: that new code which takes advantage of the processors to their fullest will have some new code (extending through compilation, of course).
I would say, though, it wouldn't surprise me to find out that the programs themselves are really quite incompatible, but the files themselves are written for maximum compatibility. Pop one in an email, and it works on a 32-bit-based machine, I mean.
As an aside, I wonder if this is an attack on AMD's compatibility, or 64-bit code in general. I note that the article mentions AMD with specificity, not Intel.
AMD's compatibility (Score:5, Insightful)
Re:AMD's compatibility (Score:2)
Re:Interesting. (Score:2)
As I understand it, and I hope if I'm wrong someone corrects me and gets a +5 mod... I'm going to be very general and semantic, I'm sure you'll see the point, but details as always are better.
While software is made to be compatible, Windows has code written into it to help with compatibility, as well as the processors have ex
To make things easier (Score:2, Funny)
Re:To make things easier (Score:5, Funny)
I can hear that conversation now: "I can't run this Anna Kournikova Simulator"
"Call Bob he is a linux user, he can help you"
"Hey Bob, I got the Anna K sim and..."
"You know that will be a virus"
"No, it's different THIS time. Tell me again the magic words, I am sure it'll be okay"
"SIGH, dot slash config...MAKE....MAKE INSTALL"
Re:To make things easier (Score:2)
3 reasons.... (Score:5, Informative)
AMD64 processors have NX extension [wikipedia.org].
Which [quoting Wikipedia]: "stands for "no execute", a technology used in CPUs such as Sun's Sparc, Transmeta's Efficeon, and newer 64-bit x86 processors to prevent code from being executed on areas of memory flagged with an NX bit. This feature significantly lowers the probability of crackers exploiting buffer overflows and increases overall system security."
This technology is only supported in newer OSes like Windows XP 64 and Windows XP SP2. It wasn't supported before (for example, in Windows XP SP1 or Windows 2000).
So first of all, a new AMD64-compatible virus has to cope with new forms of protection.
2. Binary compatibility.
This is going to be more technical.
AMD64 (and Intel's clone "EM64T") are an extension over the standard 32-bit instruction set (IA-32).
So yes, AMD64 can run any 32-bit code natively, unlike Itanium (which can only emulate it, with some hardware assistance).
BUT: A worm isn't your average spreadsheet application. It doesn't always run stand-alone.
In order to perform some operation, like infecting a computer without user attention, or gaining administrator privileges, or hacking some kernel stuff to help its replication, the worm must inject code inside OTHER applications.
And even if the virus is 32-bit, if it infects a 64-bit OS, odds are the applications in which the virus must inject code (e-mail client, kernel, etc.) will be 64-bit applications.
64-bit binary code isn't necessarily exactly the same as 32-bit. Some binary code may be interpreted as a different instruction depending on whether the memory segment (the application) was tagged as "16-bit code", "32-bit code" or "64-bit code".
The processor can run all of these "dialects" natively in hardware, but may be expecting a different dialect because the application is tagged as 64-bit and the injected code was intended for 32-bit systems.
Depending on the implementation (I don't know AMD64 well enough), when loading data into a pointer register, the 32-bit code running in a 64-bit application could either:
- only override the lower 32 bits of the pointer, keeping the upper 32 bits intact.
i.e. loading 0x00001234 into a register whose value is 0x0012345601234567 will give you 0x0012345600001234, a different location than expected by the virus, and the machine would crash instead of being infected.
- read past the length of the instruction in code memory.
Simplified example:
if the code is "LOAD into pointer 0x00001234, then ADD 500 to register B",
the pointer will be loaded with garbage data "0x0001234, then ADD", and the processor will try to execute code from "500 to register B", which doesn't mean anything, and the machine would crash instead of being infected.
(some useful link about 64bit architecture) [wikipedia.org].
3. Memory model
Last but not least, memory organisation is different between a 32-bit and a 64-bit OS.
So the worm should use different exploits to inject code into different places.
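The post's point that one byte string decodes as different instructions depending on whether the code segment is tagged 32-bit or 64-bit, as an added example (not the poster's code): a toy decoder for a handful of x86 opcodes run in both modes over a constructed byte string. The opcode subset, register tables and sample bytes are my own; only the REX-prefix rule (bytes 0x40-0x4F are INC/DEC in 32-bit mode but prefixes in 64-bit mode) and the mov encodings are real x86 facts.

```python
# Added example (not from the post): decode a few x86 opcodes in 32-bit and
# 64-bit mode to show how the same bytes become different instructions.
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
         "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]


def decode(code: bytes, mode: int) -> list[str]:
    """Decode a small opcode subset; mode is the code segment's 'dialect', 32 or 64."""
    if mode not in (32, 64):
        raise ValueError("mode must be 32 or 64")
    insns, i = [], 0

    def take(n: int) -> bytes:
        nonlocal i
        if i + n > len(code):
            raise ValueError(f"truncated instruction at offset {i}")
        chunk = code[i:i + n]
        i += n
        return chunk

    while i < len(code):
        rex_w = rex_b = 0
        op = take(1)[0]
        # In 64-bit mode 0x40..0x4F are REX prefixes (W = bit 3, B = bit 0), not INC/DEC.
        if mode == 64 and 0x40 <= op <= 0x4F:
            rex_w, rex_b = (op >> 3) & 1, op & 1
            op = take(1)[0]
            if 0x40 <= op <= 0x4F:
                raise ValueError("multiple REX prefixes not supported by this toy")
        wide = REG64 if mode == 64 else REG32
        if 0x40 <= op <= 0x47:          # 32-bit mode only: inc r32
            insns.append(f"inc {REG32[op - 0x40]}")
        elif 0x48 <= op <= 0x4F:        # 32-bit mode only: dec r32
            insns.append(f"dec {REG32[op - 0x48]}")
        elif 0x50 <= op <= 0x57:
            insns.append(f"push {wide[op - 0x50 + 8 * rex_b]}")
        elif 0x58 <= op <= 0x5F:
            insns.append(f"pop {wide[op - 0x58 + 8 * rex_b]}")
        elif 0xB8 <= op <= 0xBF:
            r = op - 0xB8 + 8 * rex_b
            if rex_w:                   # REX.W: mov r64, imm64 (a 10-byte instruction)
                imm = struct.unpack("<Q", take(8))[0]
                insns.append(f"mov {REG64[r]}, {imm:#018x}")
            else:                       # mov r32, imm32; in 64-bit mode the upper half is zeroed
                imm = struct.unpack("<I", take(4))[0]
                name = REG32[r] if r < 8 else REG64[r] + "d"
                insns.append(f"mov {name}, {imm:#010x}")
        elif op == 0x34:                # xor al, imm8
            insns.append(f"xor al, {take(1)[0]:#04x}")
        elif op == 0x00:                # add r/m8, r8; register-direct ModRM only
            modrm = take(1)[0]
            if modrm >> 6 != 3:
                raise ValueError("memory operands not supported by this toy")
            insns.append(f"add {REG8[modrm & 7]}, {REG8[(modrm >> 3) & 7]}")
        elif op == 0x90:
            insns.append("nop")
        elif op == 0xC3:
            insns.append("ret")
        else:
            raise ValueError(f"unsupported opcode {op:#04x}")
    return insns


# Constructed sample: in 64-bit mode it is "mov rax, 0x0012345601234567; ret".
SAMPLE = bytes.fromhex("48b86745230156341200c3")

if __name__ == "__main__":
    for mode in (64, 32):
        print(f"{mode}-bit:", "; ".join(decode(SAMPLE, mode)))
```

Read as 32-bit code the same eleven bytes fall apart into dec/mov/push/xor/add with a 4-byte immediate, so a processor expecting the other dialect never sees the intended pointer load.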
well thats great (Score:1, Funny)
Re:well thats great.(Whadd'r we s'pose to do now?) (Score:2, Insightful)
Maybe this cracking and hacki
Beta testing (Score:5, Funny)
Re:Beta testing (Score:2, Funny)
Re:Beta testing (Score:5, Funny)
I always suspected (Score:3, Funny)
Re:I always suspected (Score:2, Funny)
Re:I always suspected (Score:2)
Re:I always suspected (Score:2)
Re: (Score:3)
Re:I always suspected (Score:2, Insightful)
Re:I always suspected (Score:2, Insightful)
Re:I always suspected (Score:2)
It's like blaming firemen for setting people's houses on fire on purpose.
Except that firemen don't have a multi-million dollar incentive to light fires and can't light them without risking being seen.
What is the value of the anti-virus industry these days?
---
It's wrong that an intellectual property creator should not be rewarded for their work.
It's equally wrong that an IP creator should be rewarded too many times for the one piece of work, for exactly the same reasons.
Reform IP law and stop the M$/RI
Re:I always suspected (Score:1)
Re:I always suspected (Score:5, Insightful)
Maybe I am too much into conspiracy stuff, but I have the idea that it is in Symantec's best interests that their clients believe that even the new, upgraded OSes need virus protection.
So they are going to look VERY hard to find reasons why 64 bit XP needs new anti-virus tools.
la cosa nostra (Score:4, Funny)
This just in... (Score:3, Funny)
Re:This just in... (Score:1)
Re:This just in... (Score:2)
http://www.f-secure.com/v-descs/monkey.shtml [f-secure.com]
Phew! (Score:4, Funny)
Phew! I was worried that all those hordes of current 64-bit Windows users would be at danger.
Re:Phew! (Score:3, Funny)
Maybe the virus is also a beta, so it still lacks some functionality the retail version is going to have.
This shows once again (Score:5, Insightful)
After all, Windows 64-bit is already installed on millions and millions of machines, so it is only natural that hackers attack it instead of those few machines that run 64-bit Linux.
Oh, wait...
Nevermind.
Re:This shows once again (Score:3, Funny)
Well, apparently 20 minutes [slashdot.org] is all it takes.
(Yes, I noticed the pun and for the record it did make me smile. Come back when you've defined a LONGBOOLEAN in Modula-2 and we'll talk. :-)
Re:This shows once again (Score:3, Interesting)
Throughout the years, Microsoft has been very lax and carefree about security. Since the 90's, security experts have warned Microsoft about security issues and Microsoft blatantly ignored them. As a result of this negligence, Microsoft has earned a bad reputation.
Then you get into design and you see unnecessary services running, browser integration, ActiveX/COM with unrestricted acc
Re:This shows once again (Score:2)
Re:This shows once again (Score:2)
Re:This shows once again (Score:2)
Re:This shows once again (Score:2)
conspiracy? (Score:4, Insightful)
Ricardo.
Re:conspiracy? (Score:2, Interesting)
I have seen several virus warnings in computer mags that go "This virus has currently not been spotted outside of $ANTIVIRUSCOMPANY's labs".
Well, how did it get in there, if not from the outside? It was made in there.
Re:conspiracy? (Score:3, Interesting)
Re:conspiracy? (Score:5, Informative)
Maybe this is a good thing. (Score:4, Funny)
Maybe this is a good thing.
Those viruses will show developers how to write better code.
Seriously though, vulnerabilities will grow in proportion to the complexity of our systems.
The more complex the plumbing (Score:1)
I think Mr. Scott said that in one of the Star Trek movies?
oldschool (Score:5, Informative)
MS actually has some safeguards to prevent this thing, but it could use some minor tweaks to make it even better.
I propose that XP should require you to create a user account by default.
I propose that all software should be distributed as
The installer should prompt for the Admin password and install the
Any
This would prevent this type of virus. Coupled with XP64s support for NX, you'd actually have some semblance of security.
Re:oldschool (Score:3, Insightful)
The general public are stupid and would not even be able to handle that level of security! They'd want to know why their new mouse cursors can't be installed, why their IE search bar needs a password, etc, etc
Re:oldschool (Score:5, Insightful)
The general public are stupid and would not even be able to handle that level of security! They'd want to know why their new mouse cursors can't be installed, why their IE search bar needs a password, etc, etc
Good. It's time for the general public to suck it up.
If the general public can handle OSX (and presumably they can), then they can handle this. OSX installers require the admin password.
Re:oldschool (Score:2, Insightful)
Nobody ever made money with that kind of attitude...
Lol the general public can't handle OSX (Score:5, Interesting)
The problem with windows isn't that its users are stupid and don't know shit. The problem is that MS has chosen to encourage these computer morons to feel like they know what they are doing and has given them enough rope to hang themselves with.
It makes people feel good and gives helpdesk monkeys around the world fulltime employment.
Remember, viruses, trojans, spyware ARE GOOD for the local economy.
Re:Lol the general public can't handle OSX (Score:2)
Re:Lol the general public can't handle OSX (Score:2)
It probably helps that Apple has some of the best manuals in the industry.
I'd add a huge caveat to your generalization. OS X has attracted a whole lot of really intelligent people with its *BSD-based underpinnings. Their hardware and software is exceedingl
Re:oldschool (Score:3, Insightful)
I understand your concern, but this would break compatibility with absolutely everything, which would be enough to make people avoid upgrading. I agree that it would make virus writers' lives more difficult, but it's at too high a price on the user's experience.
Maybe an alternative would be an Admin-controlled "install mode" - drop into that, and for th
Re:oldschool (Score:2, Informative)
As long as there are executable entry points, malicious code will unfortunately always find a way to run.
The best we can do is limit the damage they can cause, and requiring users to run in user space has been proven to be a good defence. Granted, it's not foolproof at the moment, but we have to build on what works.
Re:oldschool (Score:2, Informative)
I agree, forget Joe (L)user (Score:5, Interesting)
Tinfoil hat time: perhaps all the FUD about SP2 problems, users unwilling to update etc. is just being put out by spammers and malware merchants.
I agree there is a problem, especially with people who think they are creative. I'm afraid I was positively delighted when the author Louis de Bernieres lost the first 60 pages of his new novel because he had failed to make a backup, and complained that he didn't expect to have to make backups, he wasn't a computer expert (or words to that effect). People need to understand that failure to learn the basics can result in pain and distress.
Re:I agree, forget Joe (L)user (Score:2)
His laptop was stolen. That has nothing to do with computer failure. I don't think he expected to have his laptop stolen.
Re:oldschool (Score:5, Informative)
> as
> work the same, double click the
> MS's Installer, but the MSI can't run arbitrary
> code.. it works like an RPM in this regard).
Sorry, doesn't work.
MSI files can embed DLLs, and these can be called during setup.
http://msdn.microsoft.com/library/en-us/m
Like the post-conf scripts in RPM and DEB
Re:oldschool (Score:2)
>Like the post-conf scripts in RPM and DEB
I always thought this was a bad idea and should be replaced by various triggers.
Re:oldschool (Score:2)
I guess not EVERYONE does development work...
You couldn't use anything compiled from source, though...
Re:oldschool (Score:2)
Re:oldschool (Score:2)
Re:oldschool (Score:2)
Whoa, whoa, slow down, sparky! I know what you're getting at, but last I checked there's no graceful way to switch users back and forth while the system is running. That being said, there are not-so-graceful ways (perhaps one of Microsoft's many mascots would be willing to help), but switching back and forth isn't as simple as a shortcut with an F key. This isn't Linux. One computer, One user, One operating system. Microsoft.
Re:oldschool (Score:2)
A
Re:They will get used to enter the admin password. (Score:2)
If you don't know, it's time to get a simpler/safer OS, like UNIX. (unix almost never asks you anything, it's all your fault).
Wow! Beta Viruses! (Score:2, Interesting)
Actually, this doesn't really make a lot of sense. If the entire point of a virus is to cause widespread destruction, then doesn't it make more sense to write a virus for 32-bit computers?
Re:Wow! Beta Viruses! (Score:3, Informative)
In other words, these people have discovered the problem and given it some publicity by making a basically useless virus. Their intent is not malicious
Its like the first virus for the
Viruses (Score:4, Interesting)
Re:Viruses (Score:4, Informative)
If you had any sense you'd notice that the "virus" in question was written by anti-virus people as a way to demonstrate a vulnerability of the w64 platform.
Do you find road car crash tests equally repugnant?
One could always hypothesise about how much we may or may not have developed programming code without having to spend money on prevention of these exploits.
As long as there are systems there will be exploits; be it computers, social security, passports, education - such is the way of the dragon.
Re:Viruses (Score:3, Informative)
Dude... It's a virus [wikipedia.org], not a worm [wikipedia.org].
You can write your code as secure and neat and clean as you want, that doesn't protect you from a virus that injects some code into your compiled executable.
Operating systems may be part of the solution, but IIRC we are wary of proposed solutions (ie: TPC
Beta tester not need to apply (Score:2, Funny)
- No need to call us, we'll infect you.
Re:Beta tester not need to apply (Score:3, Insightful)
It won't be idiot proof, it will be idiot dependent
typical (Score:2, Insightful)
If it wasn't for the criminals, most windows 'problems' wouldn't be an issue at all.
before you whine at me, and incorrectly call me flamebait for disagreeing with your somehow more enlightened views about the great good those virus writers do with their vandalism
what do you think of grafitti? do you like it when you look outside in the morning and see some bastard's tag painted on your building?
You fools trea
In unrelated news... (Score:3, Interesting)
Sourcecode (Score:4, Funny)
while(windows) {
infect();
}
Virus made by Symantec ? (Score:2)
Makes you wonder though...
Yay! (Score:2, Interesting)
here's the grain of salt (Score:5, Interesting)
It was common knowledge that many of these 'wild' viruses were actually, in fact, written by the support staff themselves in order to collect on the bounty. But Symantec didn't care because this just allowed them to enlarge their virus definition file and show their customers why it was important to subscribe to their update service. From my point of view it was a "wink, wink, nudge, nudge" sort of thing.
This was one of just many things about Symantec which disgusted me so much that after that contract I refused to work with them ever again. I don't know if they still have an update service for their anti-virus software, but it wouldn't surprise me if many of our future 64-bit viruses came directly from employees of Symantec itself.
It's a great business model: release the viruses, then sell the software that combats those viruses. Unethical and illegal, but a solid money-maker for those who don't care about such trivial things.
Max
Re:here's the grain of salt (Score:2, Insightful)
Re:here's the grain of salt (Score:4, Informative)
This common accusation is a hoax. All major virus detection houses signed a mutual agreement to share their virus research. At one point, all these companies decided they would compete on features, ease of use and so forth, but not on virus coverage.
They did so in part to better protect their consumer, but also to dodge the baseless accusation made above.
Re:here's the grain of salt (Score:2)
I don't know how they do business nowadays, but this was the way things were done when I contracted for them. I know, I was there. You can say whatever you want about this being a "hoax" or a "baseless accusation", but it doesn't change what I know to be true.
The only thing I'll say further on the matter is that this occurred over seven years ago. It's possible that the company changed its modus
Captain Obvious, to the RESCUE! (Score:2)
Not to insult the journalistic talent that is Timothy, but seriously guy, you need to come up with a better introduction to an article that isn't full of utter stupidity. Nothing pisses me off, or makes me reel in laughter more than a muckraker introducing an article in the wrong manner.
Sorry but, (Score:2)
What's the "proof of concept"?
So someone wrote a program that looks for files that are executables and adds some code to the end that does the same thing?
Does it promote itself to run with system permissions, or only user-level perms?
As near as I can tell, the writer went to some trouble to limit his program so that it can only propagate on a particular machine and OS, and called it a '64 bit virus'.
On the other hand, maybe I just don't get it.
Re:It makes me wonder.... (Score:1, Funny)
1. You're an idiot.
2. It's Viruses, not Virii.
3. You're an idiot.
Re:It makes me wonder.... (Score:2, Informative)
The plural for computer virus is virus. Not viruses or virii.
So put the finger down and walk away.
Re:It makes me wonder.... (Score:5, Informative)
Re:It makes me wonder.... (Score:1)
Re:It makes me wonder.... (Score:4, Funny)
Don't forget that they can access your computer over the power line and get through the tin foil on your windows. Yep.
Re:It's a good thing (Score:5, Funny)
Your humanitarian side is showing through. Please make them watch Liza Minelli first, not last.
Re:It's a good thing (Score:1, Insightful)
Bzzt!!
The computing society as a whole is doing just fine, thx.
The retards still running MS software connected to any sort of network are the only ones doing any 'falling down.'
Re:It's a good thing (Score:3, Insightful)
Re:so what? (Score:3, Funny)
So... not only did SP2 suffer delay upon delay until its release, we now have to put up with the same delays for our windows viruses?
Re:so what? (Score:2, Insightful)
It's great, isn't it? We set up 3 AMD64 servers before I bought one for myself at home.
I can't imagine anyone wanting to cripple themselves with Windows on such a great platform.
Re:so what? (Score:5, Insightful)
Sheesh, what's with all the OS hate around here? Linux, Windows, BSD, Mac OS, Mac OS X, etc are just tools. Tools that can help you get jobs done. Use the best tool for the job. I wouldn't imagine editing video on anything but OS X, just like I wouldn't imagine playing games on anything but Windows, just like I wouldn't imagine running a dedicated server on anything but Linux.
No one OS is crippling. Limiting yourself due to fanaticism is.
Re:so what? (Score:2)
Not true. I happen to have XP64 installed, and you cannot run all the latest games and commercial software. A lot of software doesn't work. Even firefox refuses to run on XP64 without turning off NX protection.
And Doom3 won't run at all.. there is no way to run Doom3 on XP64.
Re:Mod parent up (Score:2, Informative)
deserves at least a 0, funny. I mean, it's not that funny, but it's not a troll.