Malware

The Importance of a Malware Free System

The integrity of the host is a critical part of the system's Trusted Computing Base. If the host system is compromised by malware, so is every Whonix virtual machine, every Tor process and every communication thought to be anonymous. Malware has malicious intent and can potentially:[1]

  • View and take snapshots of your desktop;
  • Peruse files and folders;
  • Gain access to protected data when decrypted;
  • Exfiltrate, corrupt or destroy data (particularly financial and personal information);
  • Damage operating system functionality;
  • Encrypt the contents of your drive(s) and demand payment for decryption (ransomware);
  • Display unwanted advertising;
  • Install unwanted software;
  • Install persistent rootkits or backdoors;
  • Track browsing and other behaviour;
  • Remotely turn on webcams and microphones;
  • Use your "zombie" computer as part of a botnet for spam email, DDOS attacks or the hosting of illicit / illegal material; and
  • Record everything you type, send and receive.


The Utility of Antivirus Tools

Antivirus products and personal firewalls are not drop-in solutions for a secure host. Malware often stays undetected and evades scans, while application-level personal firewalls are routinely circumvented.[2] Polymorphic code and rootkits essentially render antivirus products helpless.[3] [4]

Antivirus tools can be worse than useless. In sophisticated and targeted attacks, the antivirus software itself can serve as a pathway to exploiting the system's kernel, since it almost always runs with the highest privileges (kernel drivers and system-level services) and parses untrusted input in that context.[5] Antivirus software also harms privacy by uploading system files to the vendor's servers for analysis. Some products additionally intercept TLS ("SSL") connections by installing their own root certificate and re-signing every site's certificate; this man-in-the-middle position exposes very sensitive information to the product and to any flaw in it.[6]

Preventing Malware Infections

The optimal scenario is to not get infected in the first place: once malicious code is running on a system, it is next to impossible to contain. Sensible steps include hardening the operating system, carefully vetting programs and files retrieved from the internet (checking signatures and checksums before anything is run), and using hypervisors (virtualizers) to isolate software that processes untrusted data.
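As an added example of the "vetting" step (this is illustrative code written for this page, not code from the Whonix project), the script below checks a directory of downloads against a manifest in the format written by GNU coreutils `sha256sum`, reports each file as intact, tampered or missing, and refuses manifests with malformed digests or path components in filenames. The sample files and manifest are constructed inside the script so it runs offline.

```python
"""Verify downloaded files against a SHA256SUMS-style manifest.

Added example for the "vetting programs and files retrieved from the
internet" step; it is not code from the Whonix project. It assumes the
manifest is in the format written by GNU coreutils `sha256sum`
("<64 hex chars><space><space or *><filename>", one entry per line).
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB ISO never has to fit in RAM
HEX = set("0123456789abcdef")


def sha256_file(path):
    """Return the lowercase hex SHA-256 digest of the file at `path`."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse `sha256sum` output into {filename: hex_digest}.

    Accepts both text-mode ("hex  name") and binary-mode ("hex *name") entries
    and skips blank lines. A malformed digest or a filename containing a path
    component raises ValueError: a truncated or tampered manifest must never
    be accepted silently, and "../etc/passwd" must never be looked up.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if len(line) < 67 or line[64] != " " or line[65] not in " *":
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = line[:64].lower(), line[66:]
        if not set(digest) <= HEX:
            raise ValueError(f"manifest line {lineno}: bad digest")
        if os.path.basename(name) != name or name in (".", ".."):
            raise ValueError(f"manifest line {lineno}: path components not allowed")
        entries[name] = digest
    return entries


def verify_directory(directory, manifest_text):
    """Check every manifest entry against the file of the same name in `directory`.

    Returns {filename: "ok" | "MISMATCH" | "MISSING"}. Files present in the
    directory but absent from the manifest are not reported; list them
    separately if the download set is supposed to be exact.
    """
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        # compare_digest avoids a short-circuiting comparison; the digests are
        # public, so this is hygiene rather than a real timing concern.
        actual = sha256_file(path)
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def demo():
    """Constructed sample set: one intact file, one tampered file, one missing file."""
    with tempfile.TemporaryDirectory() as d:
        good = b"#!/bin/sh\necho installer\n"
        with open(os.path.join(d, "installer.sh"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "tampered.bin"), "wb") as f:
            f.write(b"not what the manifest promised")
        manifest = "\n".join([
            f"{hashlib.sha256(good).hexdigest()}  installer.sh",
            f"{'0' * 64} *tampered.bin",
            f"{'f' * 64}  never-downloaded.iso",
        ])
        return verify_directory(d, manifest)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

A matching checksum only proves that the file is the one the manifest describes. If the manifest was fetched from the same place as the download, an attacker who can substitute the file can substitute the manifest too, so the manifest itself must be authenticated separately, for example with a detached OpenPGP signature checked via `gpg --verify SHA256SUMS.sig SHA256SUMS` against a key obtained out of band. Run the check in a machine that does not execute the file; verifying and running should never happen in the same trust domain.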

Detecting Malware Infections

Detecting malware on a host is a very hard problem and, in the general case, a lost cause. Off-the-shelf (uncustomized) malware that is widespread enough has a chance of being recognized by a technician. Tailored malware might also be found by a technician, but the likelihood is low unless they are lucky or gifted.

Non-technical users don't have many good options. You can either:

  • Spend a few years rapidly building up knowledge of operating systems, network protocols, packet analysis, programming, disassembly and so on, and then try your luck;
  • Pay exorbitant sums to a technician to try to find malware on the system, even though there is no certainty of success;[7] [8] or
  • Seek the voluntary assistance of a technician to find malware, if you are both a high value target and have a reasonable rationale for why you are likely compromised.[9]

Firmware Trojans

Once a system is infected with very sophisticated malware that modifies low-level firmware, the infection is very difficult to detect in almost all cases. This should not be confused with hardware (circuit) trojans, which are malicious modifications made to machine components during manufacturing (though even those are not immune to detection[10]).

Can a virtualizer such as Qubes, VirtualBox, KVM etc. prevent hardware compromise?

Running everything inside VMs is a very reasonable approach. However, it only raises the bar and makes it more difficult / expensive to compromise the whole system. It's not a perfect solution.

No operating system or hypervisor distribution (Debian, Qubes, a BSD, Xen or any other variant) can remove the need to dispose of potentially infected hardware. Hardware-specific issues can only really be fixed at the hardware level; at best, software interventions provide workarounds.

The problem is that no hardware exists whose firmware is entirely Libre. It is very difficult to analyze the firmware of a device, to wipe a potentially compromised version, or to overwrite it with a most-likely-clean version. If the firmware in use were Libre Software, verification would be easier, but infection would not be prevented. Disassembling hardware components (BIOS, disk controllers, CPU, Intel ME/AMT and so on) and flashing them with clean versions offline is so difficult that it is cheaper and more convenient to buy new hardware.

A hypothetical stateless computer[11] [12] would deal with the persistence of malware, but it cannot protect against damage (such as data exfiltration) done by a successful exploitation while it is running.

Bundling undesirable anti-features like DRM into closed firmware is further evidence that Libre firmware is needed in addition to Libre hardware designs.

See Also

Computer Security Education

References

  1. https://en.wikipedia.org/wiki/Malware
  2. https://www.grc.com/lt/leaktest.htm
  3. http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/
  4. A botnet author brags in this thread of writing unbeatable malware and trolling antivirus vendors.
  5. https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/
  6. https://bugs.chromium.org/p/project-zero/issues/detail?id=978
  7. The salary costs for a security researcher / malware analyst over an extended period rule this out for most individuals.
  8. https://forums.whonix.org/t/document-recovery-procedure-after-compromise/3296/12
  9. Only a select group of people fall into this group, for instance, whistleblowers targeted and infected by tailored viruses. They might be able to locate experts willing to conduct analysis pro bono; later publicizing their findings for the public benefit.
  10. https://en.wikipedia.org/wiki/Hardware_Trojan#Detecting_Hardware_Trojans
  11. https://blog.invisiblethings.org/2015/12/23/state_harmful.html
  12. https://github.com/rootkovska/state_harmful/blob/master/state_harmful.md
