Rakshasa: Is it Possible to Design the Perfect Hardware Backdoor?

Wednesday, August 01, 2012

Pierluigi Paganini

03b2ceb73723f8b53cd533e4fba898ee

(Translated from the original Italian)

Every day we read about new powerful variants of malware of increasing complexity used in fraud schemas by cyber criminals and in cyber attacks during state sponsored operations in cyber warfare scenarios.

This malicious software represents a wide range of purposes and functionalities, they are used to steal information or to destroy control systems, but all are united by the possibility to immunize the infected systems once the agent is discovered.

Researcher Jonathan Brossard proposed, at the Black Hat security conference in Las Vegas, a new strain of malware that’s quite impossible to disinfect once it has compromised the victim host.

Brossard has named his agent “Rakshasa”, defining it a “permanent backdoor” that is hard to detect, and quite impossible to remove.

"It must be clear that the researcher hasn’t found a new vulnerability but he has demonstrated how much hard is to detect a backdoor that use similar mechanism of infection.  'It’s a problem with the architecture that’s existed for 30 years. And that’s much worse.'"

The abstract states that permanent backdooring of hardware is certainly feasible.  Rakshasa in fact is able to compromise more than a hundred of different motherboards.

How does Rakshasa work?

Rakshasa malware infects the host’s BIOS and takes advantage of a potentially vulnerable aspect of traditional computer architecture, as any peripheral like a network card or a sound card can write to the computer’s RAM or to the small portions of memory allocated to any of the other peripherals.

First the malware permanently disables security features such as NX, a feature important for protection against malware, viruses, and exploits, It also remove fixes for System Management Mode (SMM), an operating mode in which all normal execution (including the operating system) is suspended and special separate software, usually firmware or a hardware-assisted debugger, is executed in high-privilege mode.

With these few steps the attacker has reduced the security of the machine, and at this point the malware completes the erasing of hard disks while installing new a new operating system.

The researcher also added:

"We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort."

The name assigned to the malware is the same of a mythological demon or evil spirit of Hinduism, known for the habit of owning human beings, famous for the ability to change appearance and do magic, exactly as the malware does with its victims.

Due to the mechanism of infection, in order to sanitize the PC it's necessary to flash all the devices simultaneously to avoid the chance that during the disinfection a device is not affected by the other compromised components.

Brossard declared:

“It would be very difficult to do. The cost of recovery is probably higher than the cost of the laptop. It’s probably best to just get rid of the computer.”

Rakshasa has been developed with open source BIOS software,  including the Coreboot project and Sea BIOS, and thanks to their compatibility with the majority of hardware, it's hard to detect it.

When the machine boots up the malware downloads all the malicious code that it needs, of course it disables the resident antivirus and stores the code in memory, avoiding leaving a trace on the hard disk that could give evidence of the infection.

The most important issue regarding Rakshasa malware is not related to its capability to infect victims randomly, as Brossard alerted the scientific community of the possibility to use the agent as backdoor in hadware. In many cases it has raised suspicioins of the possible presence of a backdoor inside Chinese devices, especially in telecommunications.

The hardware qualification is a serious problem, and consider the impact of a compromised device in a military environment, or in a massive distribution of technological systems of large diffusion.

The researcher reports:

“The whole point of this research is to undetectably and untraceably backdoor the hardware... What this shows is that it’s basically not practical to secure a PC at all, due to legacy architecture. Because computers go through so many hands before they’re delivered to you, there’s a serious concern that anyone could backdoor the computer without your knowledge.”

Intel, after reviewing the paper proposed by Brossard, declared:

“There is no new vulnerability that would allow the landing of the bootkit on the system.” The company’s statement argues that it wouldn’t be possible to infect the most recent Intel-based machines that require any changes to BIOS to be signed with a cryptographic code. and it points out that Brossard’s paper “assumes the attacker has either physical access to the system with a flash programmer or administrative rights to the system to deliver the malware. In other words, the system is already compromised with root/administrative level access. If this level of access was previously obtained, a malicious attacker would already have complete control over the system even before the delivery of this bootkit.”

The abstract is really interesting, and as we always discuss the theoretical existence of backdoors in Chinese devices, the proof of concept gives more information on how a backdoor might work and how hard is to detect if it is implanted directly in the production process with cyber espionage intent.

The case introduced by the researcher provides the opportunity to discuss again the possibility to develop a secret and efficient backdoor, a dangerous cyber weapon that every government is dreaming of.

Of course we have spoken of backdoors that could be introduced simply by manufactures, and that’s why in every cyber strategy the problem of the qualification of the security level of the appliances is crucial.

The main problem is in being able to discover similar backdoors in products that daily pervade our markets.

Cross-posted from Security Affairs

Possibly Related Articles:
14496
Viruses & Malware
Information Security
malware Research Attacks Hardware Proof of Concept Intrusion Detection backdoor BIOS Rakshasa
Post Rating I Like this!
Af9c34417f8e5e0d240850bb353b5d40
Keith Mendoza Ironically, my second blog post for Infosec Island dealt with using the hardware layer as a backdoor (https://infosecisland.com/blogview/13426-Is-Too-Much-Focus-Put-on-the-Application-Layer.html). Looks like someone has proven my worst fear.
1343848197
Af9c34417f8e5e0d240850bb353b5d40
Keith Mendoza Let me rephrase that: In my second blog post, I mentioned using the hardware as the attack vector because of bad code. Looks like, it's finally happened.
1343848446
03b2ceb73723f8b53cd533e4fba898ee
Pierluigi Paganini Hi Keith .. yes is it's happened. The presence of backdoor is a serious risk ... a reality to fight
1343854216
35d93e1eda881f6e3dde4e87428a975e
Michael Johnson I wonder how long such a backdoor could remain undiscovered on a network where outgoing traffic is being monitored by admins. The good news is it wouldn't be much harder to detect than the standard rootkit - after all, the attacker (or C&C server) still needs to learn the IP address of the owned machine.
An attacker with this capability is more likely to backdoor the gateway router, where there's minimal chance of discovery.
1343897096
03b2ceb73723f8b53cd533e4fba898ee
Pierluigi Paganini Hi Michael ... sincerely I don't know. I can imagin adaptive algorithms that use various ip hiding traffic in ordinal network access of the victims
Regards
PL
1343992099
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.