Invisible Malware Is Here and Your Security Software Can't Catch It

"Invisible malware," a new breed of malware, is on the march and, if it strikes your servers, there may not be much you can do about it. In fact, you may not even be able to tell that it's there. In some cases, invisible malware lives only in memory, meaning there's no file on your disks for your endpoint protection software to find. In other cases, invisible malware may live in your Basic Input/Output System (BIOS) where it can use one of a few tactics to attack you. In some cases, it may even appear as a firmware update where it replaces your existing firmware with a version that's infected and nearly impossible to find or remove.

"With the advancement in anti-malware and Endpoint Detection and Response (EDR) software making it easier to catch zero-day malware, the malware writers are moving lower on the stack," said Alissa Knight, a senior analyst with Aite Group's cybersecurity practice. She specializes in hardware-based threats. Knight said this new type of malware is being developed that can evade detection by legacy software.

EDR software, which is more advanced than legacy AV packages, is much more effective at catching attacks, and this software uses a variety of methods to determine when an attacker is at work. "The development of EDR [software] makes the black hat respond, and create kernel root kits and firmware root kits, [storing] it in hardware where it can write to the master boot record," Knight said.

It's also led to the creation of virtual root kits, which will boot before the operating system (OS), creating a virtual machine (VM) for the malware so that it can't be detected by software running on the OS. "That makes it almost impossible to catch," she said.

Blue Pill Malware and More

Fortunately, installing a virtual root kit onto a server is still difficult—to the extent that the attackers who are trying it generally work as state-sponsored attackers. In addition, at least some of the activities can be detected and a few can be stopped. Knight says that "fileless malware," which operates only in memory, can be defeated by forcibly powering off the computer on which it's running.

But Knight also said that such malware may be accompanied by what's called "Blue Pill malware," which is a form of virtual root kit that loads itself into a VM and then loads the OS into a VM. This lets it fake a shutdown and restart while letting the malware keep running. This is why you can't just use the shutdown choice in Microsoft Windows 10; only pulling the plug will work.

Fortunately, other types of hardware attacks can sometimes be detected while they're in progress. Knight said that one company, SentinelOne, has created an EDR package that's more effective than most, and can sometimes detect when malware is attacking the BIOS or firmware on a machine.

Chris Bates is Global Director of Product Architecture at SentinelOne. He said the product's agents operate autonomously and can combine information with other endpoints when needed. "Every SentinelOne agent is building context," Bates said. He said the context and the events that happen while the context is being built create stories that can be used to detect the operations of malware.

Bates said that each endpoint can take remediation on its own by eliminating the malware or placing it into quarantine. But Bates also said that his EDR package can't catch everything, especially when it happens outside of the OS. A USB thumb drive that rewrites the BIOS before the computer boots is one example.
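The "context" and "stories" Bates describes are, in practice, behavioural correlation: an agent links a process to its parent, to the memory it maps, and to the connections it opens, and alerts on the combination rather than on any single file. The sketch below is an added example written for this article, not SentinelOne's code and not anything from the vendor's product; the event schema, the constructed event stream, the set of "user-facing" applications and the three scoring heuristics are all assumptions made for illustration. It shows why a memory-only payload that a file scanner never sees can still produce a story, and why a USB device rewriting the BIOS before boot cannot: that activity never generates an OS-level event for the agent to correlate.

```python
"""Toy EDR-style correlation: build per-process context from endpoint events,
then score each process's "story". Constructed example; not vendor code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed set of applications that open untrusted content (documents, mail, web).
USER_FACING_APPS = {"word-reader", "mail-client", "browser"}


@dataclass
class Event:
    ts: int
    kind: str                          # "process_start", "memory_exec" or "net_connect"
    pid: int
    ppid: Optional[int] = None         # parent pid, set on process_start
    image: Optional[str] = None        # executable path on disk, set on process_start
    backing_file: Optional[str] = None # memory_exec: file behind the region; None = anonymous
    detail: str = ""


@dataclass
class ProcessContext:
    pid: int
    ppid: Optional[int]
    image: Optional[str]
    events: List[Event] = field(default_factory=list)


# Constructed event stream (hypothetical paths; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    Event(1, "process_start", pid=100, ppid=1, image="/usr/bin/word-reader"),
    Event(2, "process_start", pid=101, ppid=100, image="/usr/bin/script-host",
          detail="launched while opening invoice.doc"),
    Event(3, "memory_exec", pid=101, backing_file=None,
          detail="executable region mapped with no file behind it"),
    Event(4, "net_connect", pid=101, detail="203.0.113.10:443"),
    Event(5, "process_start", pid=200, ppid=1, image="/usr/bin/updater"),
    Event(6, "net_connect", pid=200, detail="203.0.113.20:443"),
    Event(7, "process_start", pid=300, ppid=1, image="/usr/bin/jit-runtime"),
    Event(8, "memory_exec", pid=300, backing_file=None, detail="JIT code cache"),
]


def build_context(events: List[Event]) -> Dict[int, ProcessContext]:
    """Replay events in time order and attach each one to its process."""
    ctx: Dict[int, ProcessContext] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_start":
            ctx[ev.pid] = ProcessContext(ev.pid, ev.ppid, ev.image)
        proc = ctx.setdefault(ev.pid, ProcessContext(ev.pid, None, None))
        proc.events.append(ev)
    return ctx


def lineage(ctx: Dict[int, ProcessContext], pid: int) -> List[str]:
    """Executable images from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    cur = ctx.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image or "<no file on disk>")
        cur = ctx.get(cur.ppid) if cur.ppid is not None else None
    return list(reversed(chain))


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]


def score_story(ctx: Dict[int, ProcessContext], pid: int) -> Tuple[int, List[str]]:
    """Assumed heuristics: each matching indicator adds one point."""
    proc = ctx[pid]
    reasons: List[str] = []
    anonymous_exec = any(e.kind == "memory_exec" and e.backing_file is None
                         for e in proc.events)
    if anonymous_exec:
        reasons.append("fileless: executable memory with no backing file")
    ancestors = lineage(ctx, pid)[:-1]
    if any(_basename(a) in USER_FACING_APPS for a in ancestors):
        reasons.append("descends from a user-facing application")
    if anonymous_exec and any(e.kind == "net_connect" for e in proc.events):
        reasons.append("fileless code opened a network connection")
    return len(reasons), reasons


def detect(events: List[Event], threshold: int = 2) -> List[dict]:
    """Return one alert per process whose story scores at or above threshold."""
    ctx = build_context(events)
    alerts = []
    for pid in sorted(ctx):
        score, reasons = score_story(ctx, pid)
        if score >= threshold:
            alerts.append({"pid": pid, "score": score, "lineage": lineage(ctx, pid),
                           "reasons": reasons,
                           "story": [(e.ts, e.kind, e.detail) for e in ctx[pid].events]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid {alert['pid']} score {alert['score']}: {' -> '.join(alert['lineage'])}")
        for reason in alert["reasons"]:
            print("  -", reason)
```

Note that the JIT runtime (pid 300) also maps anonymous executable memory, yet it stays below the threshold because nothing else in its context is suspicious; the script host under the document reader is flagged because three independent observations line up. A real agent would add many more event kinds and weights, but the structure is the same, and it is also why an attack that runs before the OS boots leaves this kind of detector with nothing to build a story from.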

Next Level of Preparing

This is where the next level of preparation comes in, Knight explained. She pointed to a joint project between Intel and Lockheed Martin that created a hardened series of Intel Xeon processors called the "Intel Select Solution for Hardened Security." The new Intel processors are designed to prevent malware infections by isolating critical resources and protecting those resources.

Meanwhile, Intel has also announced another series of hardware preventative measures called "Hardware Shield," which locks down the BIOS. "This is a technology where, if there's some sort of injection of malicious code, then the BIOS can respond," explained Stephanie Hallford, Vice President and General Manager of Business Client Platforms at Intel. "Some versions will have the ability to communicate between the OS and BIOS. The OS can also respond and protect against the attack."

Unfortunately, there's not much you can do to protect existing machines. "You need to replace critical servers," Knight said, adding that you will also need to determine what your critical data is and where it's running.

"Intel and AMD are going to need to get on the ball and democratize this," Knight said. "As malware writers get better, hardware vendors will need to catch up and make it affordable."

Problem Is Only Worsening

Unfortunately, Knight said that the problem is only going to get worse. "Crime kits and malware kits are going to get easier," she said.

Knight added that the only way for most companies to avoid the problem is to move their critical data and processes to the cloud, if only because cloud service providers can better protect against this kind of hardware attack. "It's time to transfer the risk," she said.

And Knight warned that, at the speed things are moving, there's little time to protect your critical data. "This is going to get turned into a worm," she predicted. "It will become some sort of self-propagating worm." It's the future of cyberwarfare, Knight said. It won't stay the purview of state-sponsored actors forever.

Steps to Take

So, with the future this bleak, what can you do now? Here are some initial steps you should take right away:

  • If you don't already have effective EDR software, such as SentinelOne, then get one now.
  • Identify your critical data, and work to protect it by encryption while you're upgrading the servers that data is on to machines protected against hardware vulnerabilities and the exploits that take advantage of them.
  • Where your critical data must remain in-house, replace the servers that contain that data with platforms that use the hardware technology, such as Hardware Shield or the Intel Select Solution for Hardened Security.
  • Wherever possible, move your critical data to cloud providers with protected processors.
  • Keep training your staff in good security hygiene so that they're not the ones who plug an infected thumb drive into one of your servers.
  • Make sure your physical security is strong enough to protect the servers and the rest of the endpoints in your network.

If all of this makes it seem to you that security is an arms race, then you'd be correct.

This article originally appeared on PCMag.com.