In light of some of the recent cyber-attacks, such as the hacking of Sony and Anthem, it’s easy to be pessimistic about the state of computer security today. So the last thing you would want to hear is that an exceptionally powerful new family of malware was recently found and analyzed by Kaspersky Labs, a Russian security research group. The malware is written by ‘The Equation Group,’ a group which authored several other extremely impressive pieces of malware and is linked by independent researchers to the US National Security Agency (NSA). If it feels like current computer security efforts are being beaten more than they should be, they are. I want to share how and why computer security is being overwhelmed by recent threats.

The first and most obvious thing to point at is simply Murphy’s Law, which famously states “Anything that can go wrong, will go wrong.” While obviously said somewhat tongue in cheek, it’s not without any basis. Computers are complex systems, so it’s always going to be harder to make them work right than to mess them up. It’s also true that one failure by the defenders gives the attackers the upper hand; security requires constant work, while attacking requires only a single foothold. Attackers have the easier job.

Leaving The Door Open

One severe handicap is that some of the agencies that should have been protecting computers grew, instead, more interested in breaking in. The NSA had huge spying programs which often included hacking or malware, as did some of its allies, the so-called ‘Five-Eyes’ nations. More dangerously, the NSA intentionally introduced flaws into system design to assist in snooping-such as the program AURORAGOLD, designed to compromise cell networks. The NSA, originally respected as the premier cybersecurity group in the world, often had opportunity to audit or review new software or algorithms, giving it plenty of opportunities for mischief.

Although these agencies have a vested interest in maintaining the security of their nation’s infrastructure, they chose to do so by intentionally weakening software and using these weaknesses to spy on those they consider to be dangerous, rather than focusing on strengthening software to resist cyber-attacks.

Exploits and Payloads

Another contributor to the success of attackers is increasing payload sophistication. In order to understand this, you have to know that there are two primary components of a virus or hacking attempt: the exploit, and the payload. The exploit is what gets the hacker into the system, either by exploiting a flaw in some program, or tricking the user into clicking on something they shouldn’t. The exploit causes the attacker’s code to run on the system. That code is called the payload.

While exploits have also become increasingly complex over the years, that is in large part because the simple exploits are more well-known and better defended against, meaning that it’s sometimes trickier to find an exploit. However, a determined attacker can usually take advantage of human weakness and get a foot in the door.

What really determines just how bad that foot in the door will be is the payload. If you have gotten a virus (and probably most of you have at least seen a computer with a virus) it usually does something obvious; redirects web pages, demands a ransom for your computer’s files, pop-ups and fake programs, or just generally crash the computer. Suppose that it did nothing, but instead allowed attackers to lurk in your system for over a year, like the Sony hack. It’s no surprise that the attackers were able to steal so much valuable data from Sony when they had access for so long.

A prime example of the sophistication possible in a payload is the Stuxnet worm. The Stuxnet worm was specifically programmed to only attack a certain kind of PLC controller, and only in certain Iranian agencies. These PLC controllers were the exact model used by Iran to control centrifuges used to enrich Uranium for their nuclear program. Stuxnet cycled the centrifuges on and off rapidly, causing many of them to fail, all while reporting that no changes were taking place to prevent operators from noticing the harm.

A more advanced payload means that when hackers do get in, it’s not as easy to notice and they are able to do more damage.

The Growing Complexity of Hardware

Another culprit responsible for aiding attackers over defenders is hardware complexity. Computer hardware is enormously more complex than it used to be, and for the most part that’s a good thing – it gives us our current powerful machines. However, this complexity sometimes leaves a plethora of hiding places for pesky malware, especially if the hardware wasn’t designed transparently or with security in mind.

A great example of the dangers of powerful hardware without security is BadUSB. BadUSB is a piece of software loaded onto a USB thumb drive’s firmware, which allows it to compromise anything that it is plugged in to. The most basic capability it has is to emulate a keyboard, so it can execute nefarious commands on the computer it is plugged into, but it can be much worse than that as it can also infect other vulnerable USB devices, including the USB controller on the computer it is plugged into. If it infects the USB controller, then that controller can also infect anything plugged into it. This is a very sneaky place to hide malware, because even reinstalling your operating system or resetting your device to factory defaults won’t get rid of it. It’s especially bad because there’s no way to defend against it; USB is simply not built to protect against malicious controllers which might write dangerous firmware.

Malware vs. Hardware

Among the software newly discovered by Kaspersky is a program called ‘Grayfish’. Grayfish is a very advanced piece of malware which includes numerous techniques used to hide it including leaving no telltale files, or in the event that is not possible, disguising them with code polymorphism. However, the real evil beauty of Grayfish is in the payload it loads; it is able to copy software to the hard drive controller of several manufacturer’s hard drives. You might not be realize the weight of this, but nothing should be able to create malicious firmware on the hard drive controller. This firmware is what loads data off of the disk, and if the firmware is compromised then anything you read off your hard disk (or write to it) could easily be falsified by the infected controller. This malware is actually even more nefarious and loads a component on boot into the operating system so that it can change anything running on the machine. Kaspersky’s report states “…after infection, the computer is not run by itself anymore: it is GrayFish that runs it step by step, making the necessary changes on the fly.”

It’s hard to blame all this on something a vague as hardware complexity when it’s obvious that so much effort was directed into developing an advanced piece of malware. There are many culprits; hardware complexity is only one. However there are so many places to hide malware in complex, proprietary components of the hardware that it’s difficult to detect them or even find them. There are other well-known vulnerabilities, such as the Intelligent Platform Management Interface (IPMI), with notoriously insecure default configurations and several other weaknesses. Because the IPMI controller is for all practical purposes it’s own independent computer, it’s a very powerful place for an attacker to launch from, and it’s extremely difficult to detect malware hidden there. IPMI is yet another example of a stealthy foothold that an attacker can get.

Until better hardware security – or at least more open firmware becomes an expected feature – increasingly elaborate payloads will continue to evade computer security who often don’t have the tools or resources to find malware tucked in various hardware components.

It’s not a pretty landscape out there, in the net. Expect more hacks and more destructive hacks ahead.