New virus attacks AMD processors
By
Tom Sanders
29 August 2006 09:59AM
Tags:
virus | attacks | amd | processors
Proof of concept code shows advanced attack vector.
Security researchers at Symantec have discovered a new proof of concept virus that targets processors rather than operating systems.
The worm comes in two versions, targeting 32-bit and 64-bit processors from AMD. Symantec refers to the online pests as w32.bounds and w64.bounds. Because it involves proof of concept code, both viruses are rated as low level threats.
Although at this point it concerns harmless proof of concept code, the virus could be used as a starting point to create malware that affects computers with disparate operating systems, cautioned Vincent Weafer, senior director of Symantec's Security Response Group.
"If I can get to the processor level, potentially I can really start tying myself into the core hardware. I can potentially evade some of the kernel protection and user protection. There is an attraction to virus writers to get to the lowest level possible," Weafer told vnunet.com.
"Once it runs, I've got pretty low level access to that system and I could do pretty well anything that I would want to do."
But there is a big down side because different processors speak what could be seen as different Operating Code (opcode) languages.
"Typically, going down to the opcode level in not effective, because there are too many variants out there and you end up working on not too many machines," said Weafer.
The logical next step would therefore be to combine the 32-bit and 64-bit versions of the malware to create a single virus that can target both chip families. Weafer added that this is easier to do for AMD processors than for 32- and 64-bit Intel chips because the two AMD families are more similar than the Intel ones.
Symantec found the code in an online meeting place for virus writers, such as underground websites and IRC chat channels.
"The author's intent is really proof of concept, to show that his virus can work and be difficult to detect across multiple processor families. He's showing his technical competence. But you would not use this technique if you wanted to get a pandemic. You would not use this technique unless it was for a very targeted attack or an academic attack."
The w32.bounds and w64.bounds viruses infect systems by tying themselves to Windows executable files, which disqualifies them as so-called chip level threats. They do however employ elements of such attacks by showing an ability to executive chip level assembly code.
The last large scale outbreak of a chip level threat dates back to 1998. The CIH/Chernobyl then embedded itself into the flash-BIOS of several million computers and on the 13th anniversary of the nuclear disaster in the city destroyed all data. Chernobyl originated in South Korea, where it was estimated to cause US$250m in damages.
Chip level threats are rare today. Viruses targeting operating systems are easier to design and the market dominance of the Windows operating system provides virus writers with rich hunting grounds.
Copyright © 2008 vnunet.com