Jul 22nd

A puzzle called SafeSys

Posted by: Marco Giuliani


Investigating new and uncommon infection vectors is sometimes enriching and useful for us: it lets us break away from the usual stream of classic malware, most of which is anything but technically advanced.

Everyone in the security industry has seen what has happened over the last few years: malware volume has risen sharply while code complexity has dropped just as sharply. Most samples offer nothing interesting to analyze; they are variants, or repacked versions of some older variant. That doesn't mean non-trivial infections no longer exist, only that they are rarer than before.

Anyone who has tried to clean a heavily infected PC will admit that it is sometimes easier to format and reinstall everything than to fix every running infection. This is the gap a new kind of security software steps into.

More and more people use security software that freezes the system state and redirects everything that subsequently happens on the system to a temporary store. At the next restart every modification is discarded and the system comes back in the original state it was in when the security software froze it.

It is an excellent solution for anyone who wants to leave one or more PCs available to the public while being sure no lasting damage is done to them. The same approach is used by people who want to analyze or test applications without installing them on the real system.

It's an easy game with a few simple steps: save the state of the system, do whatever you want, restart the system, and every modification is gone.

It must have been a nightmare for some users to find that, even after a restart, a malicious piece of software was still there. All the more so because users of this kind of software are convinced that everything is filtered and cleaned at restart, so they often see no need for any other malware protection. They simply assume that even if malware ravages the system, it will be wiped at the next reboot.

There have been many rumors about a new kind of malware that can bypass this security software, writing directly to the disk so that it survives reboots. True or false? Sadly, it is true, but it was bound to happen sooner or later. The problem lies in the design of this software and how it is implemented.

Figure: one of the malware's decryption routines

When a program tries to read or write a file on disk, its request passes through a chain of drivers that handle it. Each time a driver finishes its work it sends the request on to the next lower driver, and so on until the request is satisfied and the program receives the data it asked for.

A disk read or write is first handled by a file system driver, which passes it down to disk.sys, the driver that interfaces the system with physical hard drives. This is where those security products usually sit, intercepting every attempt to write to the disk and redirecting it to a temporary store. It's an effective solution, and it does its job.

Two problems now arise. The first is that users believe they can do anything when protected by this kind of software, because at the next restart everything is restored to the original clean state. The logical next step is that they run with admin privileges. Who cares if even a kernel mode rootkit gets installed? It will all be gone once the system restarts. Wrong.

This is a minefield. Even when protected by this kind of security software, if you run programs with admin privileges you are handing malware the key to ring0, that is, access to kernel mode. Once in kernel mode, the malware and the security software play by exactly the same rules, with the same advantages and disadvantages.

Disk.sys is not the last driver involved in an IRP that reads from or writes to the disk. After disk.sys has finished its job it forwards the request to the next lower devices until it reaches atapi.sys, the driver actually responsible for communication between the system and the physical hard drives.

So, try to guess what happens if a piece of malware can talk directly to atapi.sys, sending commands to this driver without going through the usual chain.

Figure: strings inside the driver

This is what the malware known as SafeSys does: it is able to directly overwrite a system file so that at the next restart, when in theory everything should have been discarded, the malware is still loaded and can carry on its dirty work.
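To make the design weakness concrete, here is a toy model of the layered storage stack described above, with a reboot-to-restore filter hooked at the disk class layer. This is an added illustration, not code from the post or from any real product: the layer classes, the "temp store", the block layout and the request format are all assumptions made for the model and do not correspond to the Windows I/O manager API. It shows the two cases the post contrasts: a write that travels the full chain is absorbed by the filter and vanishes at reboot, while a write handed to the lowest layer never meets the filter and persists.

```python
"""Toy model of a layered storage stack with a reboot-to-restore filter.

Added illustration, not code from the original post or from any product.
Layer names mirror the post (file system -> disk.sys -> atapi.sys); the
classes, the temp store and the request format are assumptions for the
model only.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class WriteRequest:
    """One write, addressed by a logical block number (assumed layout)."""
    lba: int
    data: bytes


class PortDriver:
    """Lowest layer (stands in for atapi.sys): the 'physical' disk lives here."""

    def __init__(self) -> None:
        self.disk: Dict[int, bytes] = {}  # persistent storage, survives reboot

    def write(self, req: WriteRequest) -> None:
        self.disk[req.lba] = req.data

    def read(self, lba: int) -> Optional[bytes]:
        return self.disk.get(lba)


class FreezeFilter:
    """Sits at the disk class layer, where the post says restore products hook.

    Every write passing through is redirected to a volatile temporary store;
    reads consult that store first so the running system sees its own
    changes. reboot() discards the store, restoring the frozen state.
    """

    def __init__(self, lower: PortDriver) -> None:
        self.lower = lower
        self.temp_store: Dict[int, bytes] = {}

    def write(self, req: WriteRequest) -> None:
        self.temp_store[req.lba] = req.data  # never forwarded to self.lower

    def read(self, lba: int) -> Optional[bytes]:
        if lba in self.temp_store:
            return self.temp_store[lba]
        return self.lower.read(lba)

    def reboot(self) -> None:
        self.temp_store.clear()


class FileSystem:
    """Top of the chain: maps file names to blocks and forwards to the filter."""

    def __init__(self, lower: FreezeFilter) -> None:
        self.lower = lower
        self.blocks = {"system.dll": 7, "notes.txt": 8}  # constructed layout

    def write_file(self, name: str, data: bytes) -> None:
        self.lower.write(WriteRequest(self.blocks[name], data))

    def read_file(self, name: str) -> Optional[bytes]:
        return self.lower.read(self.blocks[name])


def build_stack() -> Tuple[FileSystem, FreezeFilter, PortDriver]:
    port = PortDriver()
    port.write(WriteRequest(7, b"clean system file"))  # frozen baseline
    filt = FreezeFilter(port)
    return FileSystem(filt), filt, port


def normal_write_is_discarded() -> Tuple[bytes, bytes]:
    """Write through the full chain: the filter absorbs it, reboot undoes it."""
    fs, filt, _port = build_stack()
    fs.write_file("system.dll", b"modified by user")
    before = fs.read_file("system.dll")
    filt.reboot()
    after = fs.read_file("system.dll")
    return before, after


def write_below_filter_persists() -> Tuple[bytes, bytes]:
    """A request handed straight to the port layer never meets the filter,
    so it lands on the physical store and survives reboot. The filter can
    only undo what actually passed through it."""
    fs, filt, port = build_stack()
    port.write(WriteRequest(7, b"overwritten below the filter"))
    before = fs.read_file("system.dll")
    filt.reboot()
    after = fs.read_file("system.dll")
    return before, after


if __name__ == "__main__":
    print("through the chain:", normal_write_is_discarded())
    print("below the filter:", write_below_filter_persists())
```

The model also makes the admin-privilege point of the post visible: in the real system only kernel-mode code can address the port layer directly, so the filter's guarantee holds exactly as long as nothing untrusted reaches ring0.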

I won't go into more detail about what the malware does; what I've said should be enough to make people understand that trusting a single security product doesn't really help you prevent infections.
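One practical check that follows from the post: a reboot-to-restore product promises that protected files are back to their frozen state after every restart, so comparing file hashes taken at freeze time against the files seen after a reboot flags exactly the symptom described above, a system file that was changed underneath the filter. The following is an added example, not code from the post or from any product; the file names and contents are constructed in a temporary directory, and the baseline format is an assumption.

```python
"""Post-reboot integrity check for a reboot-to-restore host.

Added example, not from the original post. A protected file whose hash
differs from the freeze-time baseline means a write reached the disk below
the restore filter (or the baseline itself was taken from a bad state).
File names and contents are constructed for the demonstration.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large system files are cheap to hash."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(files: Iterable[Path], baseline_path: Path) -> Dict[str, str]:
    """Hash every protected file at freeze time and store the result.

    Keep the baseline where the frozen system cannot rewrite it (read-only
    media or a remote host); a baseline on the same disk can be overwritten
    by the same kind of write that changed the file.
    """
    baseline = {str(p): sha256_of(p) for p in files}
    baseline_path.write_text(json.dumps(baseline, indent=2))
    return baseline


def check_after_reboot(baseline_path: Path) -> Dict[str, str]:
    """Compare current hashes with the baseline.

    Returns {path: status} with status 'ok', 'modified' or 'missing'.
    Anything other than 'ok' on a machine that just rebooted is evidence
    that the restore guarantee was bypassed.
    """
    baseline = json.loads(baseline_path.read_text())
    report: Dict[str, str] = {}
    for path, expected in baseline.items():
        p = Path(path)
        if not p.exists():
            report[path] = "missing"
        elif sha256_of(p) != expected:
            report[path] = "modified"
        else:
            report[path] = "ok"
    return report


def demo() -> Dict[str, str]:
    """Constructed scenario: two 'system files', one overwritten after the
    baseline was taken, simulating a change that survived the reboot."""
    root = Path(tempfile.mkdtemp())
    a = root / "driver_a.sys"
    b = root / "driver_b.sys"
    a.write_bytes(b"original driver a")
    b.write_bytes(b"original driver b")
    baseline_file = root / "baseline.json"
    take_baseline([a, b], baseline_file)
    # the 'reboot' would normally discard this; here it reached the disk
    b.write_bytes(b"original driver b" + b"\x00" * 16 + b"appended code")
    report = check_after_reboot(baseline_file)
    # report keys are absolute paths; return short names for readability
    return {Path(k).name: v for k, v in report.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

On a real deployment the baseline would cover the driver and system directories and be compared from a clean boot environment (PXE or removable media, as the first comment below suggests), so that the check itself does not run under whatever survived the reboot.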

8 comments so far

Jeff on Jul 22 19:29, 2009

A malware which was found in July 08 and labeled as "MachineDog" did exactly the same. Two possible solutions exist to evade this problem. Firstly you may use a hardware component which physically intercepts the data bus. Or secondly, restore your systems by booting via PXE and overwriting the complete disk with a stored image (have a look at the open-source imaging solution Fog).

But attention, BIOS infections are still possible :).

Cheers

Jarno on Jul 23 7:33, 2009

Restricted user accounts are a fix here, prevent this malware? Happy to hear that. And PrevX 3.0 detects it, I'm sure. Keep up the good work!!

Hari on Jul 29 23:58, 2009

Thanks for the article. Very interesting. Being an IT security consultant, I am always amazed how the bad guys find a way to move in, and even more amazed how the good guys like you find solutions. Still, it's a game that all of us have to play all along.

Thanks for the insight and good work.

PS: I kind of felt safe with reboot-to-restore technology, until recently I had to format a PC installed with that software and infected by malware (I could not find the name of the malware at that time).

Ste_95 on Aug 11 8:28, 2009

Very interesting!

I would try the malware, but I can't contact you. Can you send me a sample?

Thanks!

irorcilybrino on Sep 30 16:52, 2009

Dangerous position, keep up your good work.

marcus on Oct 8 22:50, 2009

Does anybody have a copy of this worm or of its code so we can try to decode it and prevent future infections?

BloggerDude on Oct 9 0:34, 2009

I don't know if I said it already but... hey, good stuff... keep up the good work! :) I read a lot of blogs on a daily basis and for the most part people lack substance, but I just wanted to make a quick comment to say I'm glad I found your blog. Thanks :)

A definite great read....

Edward Lane on Oct 11 2:16, 2009

What a great site and informative posts, I will add a backlink and bookmark your site. Keep up the good work!
