Author Topic: Can ram get infected with a rootkit and also survive a reboot?

July 02, 2017, 04:48:42 pm

RussellMania

I know that when you shut down your computer all RAM is lost. If all memory is cleared from RAM, how does memory-resident malware work? This type of malware hides in RAM and doesn't store any files on the hard drive. This type of malware is very stealthy because it doesn't require any files. If the malware never touches the hard drive, shouldn't the malware be gone when you power off your PC? I'm a little confused how this type of malware works. Thanks!

https://www.techopedia.com/definition/32505/memory-resident-malware
https://www.lumension.com/application-control-software/advanced-memory-protection.aspx

Reply #1 on: July 02, 2017, 05:59:24 pm
Curson
Hi Russell,

Welcome to Adlice.com Forum.
These articles are confusing because of the lack of clear definition of such "memory-resident" malware.

As you correctly stated, RAM content is lost when Windows is shut down (to be more specific, when the motherboard is not electrically powered any more). However, malware code must be stored somewhere to be restored at each system boot. Such code can be stored on disk as a file (the "classic" way), as a Windows Registry value (Poweliks-like) or as raw data blocks (bootkits like TDL4, for example). All of these methods write data on disk, but usually the latter two are considered "fileless" malware by the antivirus industry.

The only type of malware that doesn't use the HDD to store data is firmware malware that overwrites devices' EEPROM or NVRAM to implement malicious code (see Hacking Team's "Bad BIOS" for details).

Regards.

Note: This thread has been moved to the "General Discussion" section for clarity.
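As an added example (not from the thread, and not Adlice code), here is a small Python check for the Poweliks-style registry-resident persistence described above: it scans Run-key values for loaders whose payload lives inside the registry value itself rather than in a file on disk. The sample values are constructed, and the heuristics are this example's own assumptions about what such loaders look like, not a complete signature set.

```python
import re

# Constructed sample of HKCU\...\CurrentVersion\Run values as (value name, data).
# The "\x00" value name imitates loaders that use a non-printable name so the
# entry does not display properly in regedit (an assumption about the technique).
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("\x00", r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";eval("...")'),
    ("Updater", "powershell.exe -w hidden -NoP -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("Sound", r'mshta "about:<script>eval(...)</script>"'),
]

# Heuristics for commands that carry their script inline instead of pointing at a file.
PATTERNS = {
    "rundll32 javascript: protocol": re.compile(r"rundll32(\.exe)?\s+javascript:", re.I),
    "mshta inline script": re.compile(r"mshta(\.exe)?\s+[\"']?(about:|javascript:|vbscript:)", re.I),
    "powershell encoded command": re.compile(
        r"powershell(\.exe)?\b.*-(e|ec|enc|encodedcommand)\b\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def classify(value_name, data):
    """Return the reasons a Run value looks registry-resident (empty list = looks ordinary)."""
    reasons = []
    if value_name == "" or not value_name.isprintable():
        reasons.append("empty or non-printable value name")
    for label, pattern in PATTERNS.items():
        if pattern.search(data):
            reasons.append(label)
    return reasons


def scan(entries):
    """Map each suspicious value name to the list of reasons it was flagged."""
    flagged = {}
    for name, data in entries:
        reasons = classify(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_RUN_VALUES).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

On a live system the same function can be fed the output of a registry export of the Run keys; a hit is a reason to inspect the value, not proof of infection.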

Reply #2 on: July 09, 2017, 08:41:14 am
RussellMania
Thank you for a good explanation.

Reply #3 on: July 09, 2017, 08:42:46 am
RussellMania
I'm new to this site. Is there any way I can leave positive feedback or give you a good rating?

Reply #4 on: July 09, 2017, 06:22:15 pm
Curson
Hi Russell,

You are welcome.
If you wish to give us positive feedback, please visit the products page displayed on www.adlice.com and leave a comment.
You can share our posts on social media as well.

Regards.

Reply #5 on: July 10, 2017, 05:01:43 am
RussellMania
Are the new TDL-4 botnets really indestructible? I have read that the newfangled rootkits and bootkits can survive reflashing. When you update the BIOS, you have to rely on the infected firmware. The firmware can lie and pretend to update (hiding and storing the clean copy). If for some reason you are able to reflash and update the BIOS successfully, the BIOS can get reinfected if another piece of firmware is already infected. Malware can hide in a lot of places (CPU, video card, USB peripherals, DVD burner, etc.). It would make cleanup after an attack really hard if not impossible.

If malware finds its way into the video card and reprograms the video card and alters the boot sequence so the video card boots first, is this a hypervisor rootkit? I have posted a link of my PC infected with what I believed to be a hypervisor rootkit. It didn't matter how many times I wiped the disk, the malware was there, like it came bundled with the PC. It started out by calling home as soon as I connected online, and after the sixth reinstall the malware didn't have to call home anymore. I also noticed something odd: when Windows was loading and updating system settings it said "loading hypervisor drivers". This is why I believe that my OS was running in a virtual machine.

https://m.youtube.com/watch?v=LUKk-U3YdV8

Reply #6 on: July 10, 2017, 02:30:46 pm
Curson
Hi Russell,
Quote: "Are the new TDL-4 botnets really indestructible?"
TDL4 is dead and not used any more.

Quote: "I have read that the newfangled rootkits and bootkits can survive reflashing. When you update the BIOS, you have to rely on the infected firmware. [...]"
The updating routine cannot be overwritten on modern BIOS motherboards, so it's not an issue.

Quote: "Malware can hide in a lot of places (CPU, video card, USB peripherals, DVD burner, etc.). It would make cleanup after an attack really hard if not impossible."
Firmware malware is device-specific and only exists for now as proof-of-concept (like BadUSB).

Quote: "[...] is this a hypervisor rootkit? [...]"
No, it's not. Hypervisor rootkits do not compromise firmware code.

Regards.

Reply #7 on: July 11, 2017, 10:16:39 am
RussellMania
If TDL-4 botnets are dead, then what type of botnets are in use today? I would only assume that the botnets used today (2017) are a lot more severe and even more stealthy.

I have talked to a few people that have heard of BadUSB and they say it's the worst thing that can happen to you. Tech experts that have heard of BadUSB won't even touch your PC or attempt recovery on any of your USB storage devices if you tell them that you are infected with BadUSB, because they don't want to infect all their devices. You mentioned that infecting firmware would be difficult because it's vendor specific. Couldn't a hacker use BadUSB as a way to infect your BIOS and other PC components? A hacker can discover what OS you're using, what motherboard and BIOS version you are using, and slowly discover what other hardware you are using. The hacker then can use a series of zero-day exploits specific to each vendor and infect all your PC components; granted, it would take some time, but it would be possible and could be pulled off. My main concern about BadUSB is the ability to infect the actual USB port on your motherboard or case; every device you plug in via USB can and will get infected. If you plug your phone or tablet into the PC, a hacker could infect and exploit the device you connected via USB. It would take longer to infect an iPhone or iPad, but it could be done. Most people have never heard of juice jacking and it is becoming more of a problem. Your home computer or laptop can be used as a juice jacking device, but it gets even worse. When you take that same infected device and plug it in, let's say into your USB wall charger, your car, or a smart charging hub, the phone or tablet will act as a deployment platform and will infect any USB device that you plug your phone or tablet into (reverse juice jacking). I suspect that most people will become compromised and remain compromised permanently.
https://m.youtube.com/watch?v=LvpVs8bM0_s

What is a hypervisor rootkit and what makes it worse than a firmware rootkit? I read that a hypervisor rootkit comes under both firmware and hardware rootkits.
http://www.rootkitanalytics.com/firmware/hypervisor.php

What type of malware do you think I had? The malware allowed other hackers to connect to my PC. If I wiped my drive clean using zero fill, my PC would appear clean with no traces of malware, but if I connected online, the malware would call home and download the rest of the malware. After reinstalling my OS 6 times, the malware didn't need to call home anymore. The scary part was, hackers could connect to my PC even if my PC had no Internet connection at all. I had a tech look at it and he fixed part of it; hackers could no longer connect to my PC. I called the tech and told him that the malware was still present and I suspected the GPU was still infected. He told me that what I was describing was impossible. I came to this conclusion because it's the only logical explanation I could come up with; it would be impossible to store 1-2 GB of malware in the MBR or BIOS. It was like the GPU was running its own OS system (the PC was running in the Matrix). I removed the video card, did another zero fill on the drive, and it was pretty much back to normal, no traces of the malware. The DLL injections went away, no more KDOM DLL or other suspicious files being injected when I entered safe mode. I still experienced alternate data streams and redirects. I then tried removing one of the Logitech unifying receivers and everything went back to normal.

If black hackers can exploit these vulnerabilities, then what makes you think that the NSA/CIA or another foreign government with unlimited funding can't? These types of rootkits are not in the wild, but that doesn't mean they don't exist; it only means that a select few may have been targeted.

Reply #8 on: July 11, 2017, 03:12:46 pm
Curson
Hi Russell,

Botnets are not on the rise today; ransomware is.
I won't discuss proof-of-concepts here because, like I said, they are very specific. However, here are some talks that may interest you:
Regards.