Japan Building Automatic Cyber Defense Virus

Japan steps it up a notch in the cyber war arena. Apparently the Japanese government has hired IT product giant Fujitsu to create a cyberweapon virus that will automatically seek out and destroy enemy viruses:

“The three-year project was launched in fiscal 2008 to research and test network security analysis equipment production. The Defense Ministry’s Technical Research and Development Institute, which is in charge of weapons development, outsourced the project’s development to a private company. Fujitsu Ltd. won the contract to develop the virus, as well as a system to monitor and analyze cyber-attacks for 178.5 million yen.”

That’s a cool $2.3 million (178.5 million yen at the time) for an offensive cyber defense system that will not only detect an attack but trace it back to the attacker, even when the attacker bounces through several proxy systems. According to the article, the “virus” will disable the incoming attack and record forensic data.

The defensive program acts almost like a human immune system, tracking down and weeding out invading viruses. Systems like these are needed when facing the latest advanced threats.

Actually computer scientists and engineers are currently studying the human immune system to try to replicate it for computer defense.

Though the details of automated cyber defense systems are classified, from what public data is available the US has had this capability for at least a couple of years now. US computer security company Rsignia comes to mind immediately. Rsignia creates cutting-edge security devices used by the US government and in the US-CERT Einstein program.

We covered Rsignia’s Cyberscope automated offensive cyber weapon system back in 2010.

Cyberscope can detect incoming threats and automatically counterattack, with several response options to choose from. It can simply shut the attacking stream down, or intercept the data being exfiltrated, manipulate it, and feed it back to the attacker. It can even infect the proxy machines the attacker is using and turn them into bots to counterattack the infiltrator.

These were the capabilities openly discussed in mid-2010; who knows how far the US has advanced since.

Chinese Security Firm Discovers New BIOS-Based Virus

Chinese AV company 360 has discovered a new Trojan, the “BMW Virus” (also called Mebromi), that can actually infect a computer’s BIOS:

“The BMW virus is the latest high-risk virus caught by the 360 Security Center. It infects the BIOS (the motherboard chip program), the MBR (master boot record) and Windows system files as a chain, so that no matter whether the victim reinstalls the system, formats the hard disk or even replaces the hard disk, the virus cannot be completely removed.” – Translated 360 page

According to The H Security, when a system is infected the Trojan checks whether it has an Award BIOS. If it does, it adds a hook to the BIOS image and flashes the modified image onto the chip. Once the system is restarted, the BIOS code adds the Trojan to the hard drive’s master boot record (MBR). The MBR code in turn infects winlogon.exe (Windows XP/2003) or wininit.exe (Vista/7), depending on the Windows version.

The malware is also a Trojan downloader: it connects out and tries to download further malware onto the infected system.

If the system uses a BIOS other than Award, the Trojan skips the BIOS write but still tries to infect the MBR of the boot drive.

Removing the virus from the MBR and the infected files has no lasting effect: the BIOS code runs at every boot, before the operating system, and simply re-infects the MBR.

Since most anti-virus vendors are unlikely to ship a BIOS-cleaning utility (writing to the flash chip is vendor-specific and can brick the board), the BIOS will most likely need to be re-flashed with a clean vendor image to remove the infection completely.
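One practical check that follows from the infection chain above is to baseline the MBR boot code and re-check it after every reboot: if the 446-byte boot-code region keeps changing back after you have cleaned it, the re-infection source sits below the operating system, exactly as the BIOS case describes. The script below is an added example written for this post, not code from 360, The H or the Mebromi analysis; the MBR bytes, partition entry and “infected” jump are constructed for illustration and are not taken from the real malware.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: the boot code a bootkit overwrites
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash and its partition table."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped),
        # LBA of first sector, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_boot_code(mbr: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region still matches the recorded clean baseline."""
    return parse_mbr(mbr)["boot_code_sha256"] == baseline_sha256


# --- constructed sample data for the example (not a real disk image) ---
def build_mbr(boot_code: bytes, entries: list) -> bytes:
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# one bootable NTFS-type (0x07) partition starting at LBA 2048, 204800 sectors
SAMPLE_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xfe\xff\xff", 2048, 204800)
# opening bytes of a typical boot sector: xor ax,ax / mov ss,ax / mov sp,0x7c00 ...
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8")
# bootkit-style overwrite: a short jump into loader code placed later in the sector
INFECTED_BOOT_CODE = b"\xeb\x3e" + CLEAN_BOOT_CODE[2:]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [SAMPLE_PARTITION])
INFECTED_MBR = build_mbr(INFECTED_BOOT_CODE, [SAMPLE_PARTITION])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this on a known-clean system

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(image)
        print(name, "boot code matches baseline:", check_boot_code(image, BASELINE))
        print("  partitions:", info["partitions"])
```

On a real Linux host the 512 bytes come from `dd if=/dev/sda bs=512 count=1`; the partition table is parsed separately because it can change legitimately (new volumes, resized disks) while the boot-code hash should stay constant between firmware updates. A baseline that is restored and then fails again after the next boot, with the OS files clean, is the tell-tale sign of a BIOS-resident infector rather than a file-level one.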

Why Anti-Virus can’t Protect you from all Viruses

Very frequently I get asked, “Why didn’t (insert your favorite AV program here) stop the virus from infecting my computer?” Well, the simple answer is that it was created to bypass it.

People writing exploits know that they must get their malware past anti-virus. They also know that most anti-virus and intrusion detection programs base protection on signature matching, so they obfuscate their code to bypass it.

At first, hackers found that adding random text strings to the beginning of old, already-detected viruses allowed them to bypass scanners; they would literally paste the contents of readme.txt files in front of the exploit. Anti-virus makers have since figured this out and adjusted their scanning tactics.

Now, most hackers will use an encoder to transform the exploit code. Several exist, but one of the best I have seen is shikata_ga_nai, the polymorphic XOR additive feedback encoder that ships with the Metasploit Framework. The name comes from a Japanese phrase that literally means “nothing can be done about it.”

These take the exploit code and transform it so that it looks completely different to an anti-virus scanner or an intrusion detection system, with a small decoder stub placed in front that restores the original at run time. Sometimes one pass through the encoder is not enough to fool a strong scanner, so the tools allow multiple encoding passes.

I have never seen any anti-virus detect an exploit code that has been passed through Shikata_ga_nai more than twice.
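To make concrete why a signature never lines up after encoding, here is an added example (not code from the original post, and not Metasploit’s own encoder) that sketches the additive-feedback XOR idea behind shikata_ga_nai in Python next to a toy signature scanner. The payload bytes, the signature and the scanner are constructed for the illustration; a real encoder prepends an x86 decoder stub rather than a list of keys, and real scanners are more than substring matches, but the effect on a byte-pattern signature is the same.

```python
import os


def encode_pass(payload: bytes, key: int) -> bytes:
    """One round of XOR with an additive-feedback key: each byte is XORed
    with the running key, then the key absorbs the plaintext byte, so
    changing one input byte changes every output byte after it."""
    out = bytearray()
    k = key & 0xFF
    for p in payload:
        out.append(p ^ k)
        k = (k + p) & 0xFF
    return bytes(out)


def decode_pass(blob: bytes, key: int) -> bytes:
    """Inverse of encode_pass; this is the logic a decoder stub would carry."""
    out = bytearray()
    k = key & 0xFF
    for c in blob:
        p = c ^ k
        out.append(p)
        k = (k + p) & 0xFF
    return bytes(out)


def encode(payload: bytes, passes: int = 1, rng=os.urandom) -> bytes:
    """Run `passes` rounds, each with a fresh random key byte, and prepend the
    pass count and the keys so the output can be unwound (stand-in for a stub)."""
    keys = list(rng(passes))
    blob = payload
    for k in keys:
        blob = encode_pass(blob, k)
    return bytes([passes]) + bytes(keys) + blob


def decode(blob: bytes) -> bytes:
    passes = blob[0]
    keys = blob[1:1 + passes]
    data = blob[1 + passes:]
    for k in reversed(keys):
        data = decode_pass(data, k)
    return data


# Toy signature scanner: "detection" is a fixed byte string found anywhere in
# the sample, which is all that pure signature matching amounts to.
SIGNATURES = {"calc_stub": bytes.fromhex("33c0506863616c63")}   # constructed signature


def scan(sample: bytes, signatures=SIGNATURES) -> list:
    return [name for name, pattern in signatures.items() if pattern in sample]


# Constructed stand-in for a known, already-signatured payload (not real shellcode).
PAYLOAD = bytes.fromhex("33c0506863616c63545bffd3")

if __name__ == "__main__":
    print("plain     :", scan(PAYLOAD))                     # ['calc_stub']
    for n in (1, 2, 3):
        enc = encode(PAYLOAD, n)
        print(f"{n} pass(es):", scan(enc), enc.hex())        # [] and new bytes every run
        assert decode(enc) == PAYLOAD
```

Every run produces different output bytes for the same payload, so a signature taken from the plaintext, or from one encoded sample, matches nothing else. That is also why stronger scanners stop looking at the bytes and instead emulate the decoder stub or flag the stub itself; the multiple-pass option exists to make that emulation more expensive, not to change the underlying payload.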

When encoding malware, it is common for a hacker to upload the encoded file to a site like VirusTotal to check it against multiple anti-virus engines and see whether it would be detected. If the website scanners do not detect it, they know they have a pretty good chance of sneaking it past the real thing. The catch, from the attacker’s side, is that VirusTotal shares uploaded samples with the anti-virus vendors, so a “clean” result there tends to be short-lived; more careful operators use private scanning services that do not redistribute samples.

In actuality, many “state of the art” botnets are simply recreations of older ones that have been updated and re-encoded. Many large corporations have given up depending on anti-virus and intrusion detection systems alone to stop these threats and instead believe that Network Security Monitoring (NSM) is the answer.

NSM is, in essence, recording all network traffic and looking for suspicious patterns in it. If you want to learn more, Richard Bejtlich covers the subject in depth in his book “The Tao of Network Security Monitoring”. Bejtlich is a security expert, author and presenter, and heads GE’s IT security response team.
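As an added example of the kind of pattern NSM looks for (this is not code from Bejtlich’s book or from the original post), the script below parses a constructed, Zeek-style connection log and flags flows whose connections recur on a near-fixed interval, the “phone home” rhythm a downloader leaves in recorded traffic while it waits to fetch the next payload. The log format here is an assumed, simplified subset of Zeek’s conn.log (tab-separated timestamp, source host, destination host, destination port, bytes returned), and the hosts and timestamps are made up for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed log: 10.0.0.5 contacts one external host roughly every 60 seconds,
# 10.0.0.9 is ordinary browsing at irregular intervals. Not real traffic.
CONN_LOG = """\
# ts\torig_h\tresp_h\tresp_p\tresp_bytes
1325376000.10\t10.0.0.5\t198.51.100.7\t443\t1320
1325376012.40\t10.0.0.9\t203.0.113.20\t80\t84211
1325376060.30\t10.0.0.5\t198.51.100.7\t443\t1320
1325376091.80\t10.0.0.9\t203.0.113.44\t80\t512
1325376120.10\t10.0.0.5\t198.51.100.7\t443\t1336
1325376180.50\t10.0.0.5\t198.51.100.7\t443\t1320
1325376203.70\t10.0.0.9\t203.0.113.20\t443\t23090
1325376240.20\t10.0.0.5\t198.51.100.7\t443\t1320
1325376300.40\t10.0.0.5\t198.51.100.7\t443\t1320
1325376360.10\t10.0.0.5\t198.51.100.7\t443\t4096
1325376477.90\t10.0.0.9\t203.0.113.61\t80\t1400
"""


def parse_conn(text: str) -> list:
    """Turn the tab-separated log into (ts, orig, resp, port, resp_bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, resp_bytes = line.split("\t")
        events.append((float(ts), orig, resp, int(port), int(resp_bytes)))
    return events


def find_beacons(events: list, min_events: int = 6, max_jitter: float = 0.2) -> list:
    """Flag (orig, resp, port) flows with at least `min_events` connections whose
    inter-arrival gaps all lie within +/- max_jitter of the median gap."""
    flows = defaultdict(list)
    for ts, orig, resp, port, _ in events:
        flows[(orig, resp, port)].append(ts)
    hits = []
    for (orig, resp, port), times in flows.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        if all(abs(g - median_gap) <= max_jitter * median_gap for g in gaps):
            hits.append({"orig": orig, "resp": resp, "port": port,
                         "count": len(times), "interval": median_gap})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_conn(CONN_LOG)):
        print(f"{hit['orig']} -> {hit['resp']}:{hit['port']} "
              f"{hit['count']} connections every ~{hit['interval']:.0f}s")
```

The thresholds are deliberately loose; real beacons add random sleep jitter, and the point of keeping full connection records is that you can re-run a query like this with different parameters over weeks of traffic, which is exactly what a signature-only product cannot do after the fact.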

Many of the modern advanced threats easily bypass anti-virus and then download other malware onto your machine, usually spammer-type viruses. The creators of the initial threat sometimes actually get paid by spammers for each additional threat they install on your system (the “pay-per-install” model).

This is why you usually don’t get a single virus but multiple infections when you pick up a newer one, and why cleaning up a machine with multiple infections may be a waste of time: your anti-virus cleaner may not even see the root cause, only the other malware it downloaded.

So when the secondary malware is cleaned off, the advanced threat checks, sees it missing and simply downloads it again. You could spend hours trying to get rid of these and never remove the root cause.

Most corporate policy nowadays is that if a machine gets infected and a single pass of anti-virus cleanup doesn’t remove it, the machine is wiped and restored from backup. Some will not even bother with cleanup: since the malware got past the anti-virus in the first place, they just wipe and re-install.

Unfortunately, malware has become big business for hackers. Anti-virus alone cannot protect corporate networks, and additional steps must be taken.