Malware writers have worked out ways of hiding trojan horses in places where virus checkers can’t look, according to one security researcher.
Patrick Stewin has demonstrated a detector which can be built to find sophisticated malware that runs on dedicated devices and attacks the host through direct memory access (DMA).
This means we may finally learn how effective crackers have been at getting malware into graphics and network cards.
The detector has found attacks launched by the malware, dubbed DAGGER, which targets host runtime memory using the DMA capability provided to hardware devices.
DAGGER attacked 32-bit and 64-bit Windows and Linux systems and could bypass memory address randomisation. It has now been developed to a point where the host cannot detect its presence, Stewin said.
Stewin said that DMA attacks could be launched from peripherals and are capable of compromising the host without exploiting vulnerabilities present in the operating system running on the host.
The aim of Stewin’s research was to develop a reliable detector for DMA malware, and he thinks he has managed it.
According to SC Magazine, the detector uses a runtime monitor dubbed BARM, which models the expected memory bus activity and compares it with the activity actually observed on the bus.
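The comparison BARM performs can be sketched as a small simulation. The code below is an added example, not Stewin’s BARM implementation; the bus agents, counter values, tolerance and window length are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class BusSample:
    """One monitoring interval. All values are constructed for this example."""
    cpu_expected: int   # transactions the CPU cores account for (e.g. cache-miss counters)
    dma_expected: int   # transactions legitimate I/O drivers report their devices will cause
    measured: int       # transactions the memory controller actually counted


def unexplained(sample: BusSample) -> int:
    """Bus transactions that no known agent has accounted for."""
    return sample.measured - (sample.cpu_expected + sample.dma_expected)


def detect_hidden_dma(samples: List[BusSample], tolerance: int = 50,
                      window: int = 3) -> List[Tuple[int, str, int]]:
    """Flag an interval when its unexplained surplus exceeds `tolerance`, or when
    the surplus accumulated over `window` consecutive intervals does, so that a
    low-and-slow reader cannot hide beneath the per-interval noise floor.
    Returns (interval index, reason, evidence value) triples."""
    alerts: List[Tuple[int, str, int]] = []
    history: List[int] = []
    for i, s in enumerate(samples):
        surplus = unexplained(s)
        history.append(surplus)
        if len(history) > window:
            history.pop(0)
        if surplus > tolerance:
            alerts.append((i, "interval", surplus))
            history.clear()          # start a fresh window after an alert
        elif len(history) == window and sum(history) > tolerance:
            alerts.append((i, "window", sum(history)))
            history.clear()
    return alerts


# Constructed trace: two clean intervals, one burst, then a slow trickle.
CONSTRUCTED_TRACE = [
    BusSample(1200, 300, 1510),   # surplus  10: normal noise
    BusSample(1100, 280, 1375),   # surplus  -5: model slightly over-estimated
    BusSample(1300, 310, 1690),   # surplus  80: burst above tolerance
    BusSample(1250, 290, 1575),   # surplus  35: below per-interval tolerance
    BusSample(1210, 300, 1545),   # surplus  35
    BusSample(1190, 310, 1540),   # surplus  40: window sum 110 trips the check
]

if __name__ == "__main__":
    for idx, reason, value in detect_hidden_dma(CONSTRUCTED_TRACE):
        print(f"interval {idx}: unexplained bus activity ({reason}, {value} transactions)")
```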
Stewin said the detector would not significantly drain computer power.
His code will be shown off in a research paper with the catchy title “A Primitive for Revealing Stealthy Peripheral-based Attacks on the Computing Platform’s Main Memory”, which will be presented at the 16th International Symposium on Research in Attacks, Intrusions and Defences in October in Saint Lucia.