From Whonix

Malware

Info: The integrity of the host is a critical part of the system's Trusted Computing Base. If the host system is compromised by malware, so is every Whonix virtual machine, Tor process and communication thought to be anonymous.

The Importance of a Malware Free System

Malware has malicious intent and can potentially: [1]

  • View and take snapshots of the desktop.
  • Peruse files and folders.
  • Gain access to protected data when decrypted.
  • Exfiltrate, corrupt or destroy data (particularly financial and personal information).
  • Damage operating system functionality.
  • Encrypt the contents of one or more drives and demand payment for decryption (ransomware).
  • Display unwanted advertising.
  • Install unwanted software.
  • Install persistent rootkits or backdoors.
  • Track browsing and other behaviour.
  • Remotely turn on webcams and microphones.
  • Create "zombie" computers which form part of a botnet for spam email, DDoS attacks or the hosting of illicit / illegal material.
  • Record everything a user types, sends and receives.

Targeted Malware vs Off-The-Shelf Malware

Targeted malware is the opposite of off-the-shelf malware.

Targeted malware is specifically crafted against a known target and attacks only a specific system or a limited number of systems. The goal is to avoid detection: if the malware were installed on too many systems, qualified people might notice it, analyze it and publish their findings.

On the other hand, off-the-shelf malware attempts to spread in bulk against bigger groups or the general public, with the goal of taking over as many systems as possible.

The Utility of Antivirus Tools

Antivirus products and personal firewalls are not drop-in solutions for a secure host. Malware can often stay undetected and evade scans, while application-level personal firewalls are often circumvented. [2] Polymorphic code and rootkits essentially render antivirus products helpless. [3] [4]

Antivirus tools are actually worse than useless. In the case of sophisticated and targeted attacks, the antivirus software can serve as a pathway to exploiting a system's kernel, since it almost always runs with administrator-level privileges. [5] Antivirus software also harms privacy by sending system files back to the company's servers for analysis. [6] The software also actively conducts man-in-the-middle attacks on secure SSL connections, enabling very sensitive information to be viewed. [7]

Preventing Malware Infections

The optimal scenario is to avoid infection by malware in the first place. Once malicious code has accessed a system, it is next to impossible to contain. Sensible steps include: hardening the operating system, carefully vetting programs and files that are retrieved from the Internet, and using hypervisors (virtualizers) to isolate software that processes untrusted data.

Detecting Malware Infections

Detecting off-the-shelf (standardized) malware is a very hard problem and conceptually a lost cause. If uncustomized malware is widespread enough, then it has a chance of being detected by a technician. Tailored malware might also be detected by a technician, but the likelihood is low unless the technician is lucky or gifted.

Non-technical users do not have many good options. They can either:

  • Spend a few years rapidly increasing their knowledge of operating systems, network protocols, package analysis, programming, disassembly etc., and then try their luck.
  • Pay exorbitant sums to a technician to try and find system malware, even though there is no certainty of success. [8] [9]
  • Seek the voluntary assistance of a technician to find malware, if they are both a high value target and have a reasonable rationale for why they are likely compromised. [10]

Firmware Trojans

Info: Once a user is infected with very sophisticated malware that modifies low-level firmware, it is extremely difficult to detect in almost all cases.

Firmware infections should not be confused with hardware/circuit trojans, which are malicious modifications made to machine components during the manufacturing process. Despite their sophistication, circuit trojans are not immune to detection. [11]

Virtualizers and Hardware Compromise

Virtualizers like Qubes, VirtualBox and KVM cannot absolutely prevent the compromise of hardware. Running all activities inside VMs is a very reasonable approach. However, this only raises the bar and makes it more difficult and/or expensive to compromise the whole system. It is by no means a perfect solution.

No distribution of Linux, BSD, Xen or any other variant can solve the issue of needing to dispose of potentially infected hardware. Hardware-specific issues can really only be fixed at the hardware level. At best, software interventions can only provide workarounds.

The Promise of Libre Firmware

The problem is that no hardware exists that consists entirely of Libre firmware. It is very difficult to analyze the firmware of hardware, wipe potentially compromised versions, or overwrite firmware with a most-likely-clean version.

Even if a user depended wholly on Libre firmware, this would only make verification easier; it could not stop infection. Disassembling hardware components (BIOS, disk controllers, CPU, Intel AMT and so on) and flashing them with clean versions offline is extremely difficult. It is simply cheaper and more convenient to buy new hardware.

The bundling of undesirable anti-features like DRM in closed firmware is further evidence that Libre firmware is needed, in addition to Libre hardware designs.

A hypothetical stateless computer [12] [13] would solve the problem of malware persistence, but it still could not protect against the damage (data-exfiltration) caused by successful exploitation.

Indicators of Compromise

Info: Reminder: Whonix ™ is not perfect. The security, anonymity and privacy issues facing society are great, but there are few volunteers who are seriously investing the effort to challenge and resolve them.

Introduction

If you are reading this page, then it is safe to assume that being anonymous (less unique), and remaining so, is of great interest to you. Users with a serious intention to research these issues are encouraged to assist in accordance with their skills. Testing, bug reporting or even bug fixing are laudable endeavors. If this process is unfamiliar, understand that about thirty minutes is required per message / identifier to ascertain whether the discovered result [14] is a false positive, a regression, a known issue or an unknown issue.

To date, none of the various leak testing websites running inside Whonix-Workstation ™ were ever able to discover the real (external), clearnet IP address of a user during tests. This held true even when plugins, Flash Player and/or Java were activated, despite the known fingerprinting risks. Messages such as "Something Went Wrong! Tor is not working in this browser." [15] (from about:tor) or "Sorry. You are not using Tor." (from check.torproject.org) are in most cases non-issues. If the real, external IP address can be revealed from inside Whonix-Workstation ™, then this would constitute a serious and heretofore unknown issue (otherwise not).

It is unhelpful to ask questions in forums, issue trackers and on various mailing lists about concerns that have already been discussed, or which are known issues / false positives. In all cases, please first search thoroughly for the result that was found. Otherwise, the noise-to-signal ratio increases and Whonix development is hindered. Users who value anonymity do not want this; wanting it would contradict the aforementioned assumption.

If something is identified that appears to be a Whonix ™-specific issue, please first read the Whonix Free Support Principle before making a notification.

Detection of System Changes

If trivial changes are noticed on your system, such as a duplicate desktop icon, this is not evidence of a hack or leak. Similarly, if warning or error messages appear that are difficult to understand, in most cases there is no need for panic. If something unexpected occurs, such as the appearance of a "htaccess file in home directory", or graphical glitches emerge in Arm, then it is more likely a harmless bug and/or usability issue rather than a compromise.

Skilled attackers do not leave such obvious traces of their breach. An infection by tailored malware is more plausible in this scenario, and this is virtually impossible to detect by reading random messages in system logs. Even malware that is bought off-the-shelf (from malware building toolkits) is unlikely to be discovered by cursory inspection. [16] Rootkit technology is no doubt a standard feature of the various programs.

Strange files, messages or other system behavior could feasibly relate to an attacker wanting the user to find something. However, the likelihood of this kind of harassment is considered low. Script kiddies ("skiddies") are unskilled attackers who use scripts or programs written by others to conduct attacks on computer systems and networks, most often with juvenile outcomes. For example, they might use programs to remotely control poorly-secured Windows desktops, trolling their victims from an open, forced chat window, opening their DVD drive and so on. It is improbable that skiddies can achieve similar exploits against Linux, Xen or BSD platforms. [17] Sophisticated attackers generally avoid detection, unless the user is unlucky enough to be a victim of Zersetzung (a psychological warfare technique).

Every forum post and support request requires time that could otherwise be directed to Whonix ™ development. Unless there is genuine evidence of a serious and credible problem, there is no need for a new post. Developers and the Whonix ™ community at large do not have enough time to explain every message that Linux might report. In most cases, they are not important and outside the control of Whonix ™ developers.

See Also

Computer Security Education

References

  1. https://en.wikipedia.org/wiki/Malware
  2. https://www.grc.com/lt/leaktest.htm
  3. http://arstechnica.com/security/2014/05/antivurus-pioneer-symantec-declares-av-dead-and-doomed-to-failure/
  4. A botnet author brags in this thread of writing unbeatable malware and trolling antivirus vendors.
  5. https://theintercept.com/2015/06/22/nsa-gchq-targeted-kaspersky/
  6. https://www.schneier.com/blog/archives/2017/10/more_on_kaspers.html
  7. https://bugs.chromium.org/p/project-zero/issues/detail?id=978
  8. The salary costs for a security researcher / malware analyst over an extended period rule this out for most individuals.
  9. https://forums.whonix.org/t/document-recovery-procedure-after-compromise/3296/12
  10. Only a select group of people fall into this group, for instance, whistleblowers targeted and infected by tailored viruses. Experts might be located who are willing to conduct analysis pro bono; later publicizing their findings for the public benefit.
  11. https://en.wikipedia.org/wiki/Hardware_Trojan#Detecting_Hardware_Trojans
  12. https://blog.invisiblethings.org/2015/12/23/state_harmful.html
  13. https://github.com/rootkovska/state_harmful/blob/master/state_harmful.md
  14. From a browser test website, in a log file and so on.
  15. https://forums.whonix.org/uploads/default/original/1X/c2c9bb5dc7efee7a933dd00d3bf0c30c29c99daa.png
  16. Interested readers can verify these claims by researching off-the-shelf malware building toolkits. They are dangerous to install for inexperienced users, but there is a wealth of information online such as screenshots and video tutorials.
  17. It is unclear if script kiddie programs are readily available for attacking non-Windows users.


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)
