Malware for the cloud

08 Oct 2011

One direction computing is moving in is to have all your applications hosted in the cloud, wherein all your applications are just web-pages, so you interact with your computer solely through your browser. This is the goal of ChromeOS. Kindle Fire and the Apple iPad are moving us in this direction. I believe apps you run on those systems are largely a fad. Most of these apps require internet connectivity, and if that is the case, than why not just have the "app" be a web page? I'm digressing.

As we move closer to this reality of our applications all being accessible through our browser, I believe we will likely see malware that persists itself in the cloud in the way described by Greg Hoglund in his article Malware Persistence in the Cloud and my response Cloud computing: Malware persistence with thin clients.

I believe malware will live entirely within the browser. You visit a site, or you open a PDF from a link and Adobe’s plugin runs within your browser, and then an exploit gets tripped and some malicious code is running within the confines of your browser process’s memory. This happens all the time nowadays except that malicious code immediately download an executable to your system and executes it. What if that didn’t happen? What if the malware lived entirely within your browser memory for the duration of that process and no longer?

Your antivirus software would not detect it, because it has no files on disk to scan. Your PSP hooks functions to look for malicious activities. It looks for files being written to System32 and CreateProcess calls. It could work generically and just look for any process that is doing something weird (editing the Windows hosts file), or it could be smarter and maintain some knowledge about what a process normally does and identify if it does anything outside it’s normal execution (writes registry keys or files to new weird places). How would it detect something running entirely within the browser? This malware would read all the memory in the process, looking for username/passwords, credit card numbers, etc. and send those to some home server. Reading memory in your own process is normal. A browser process making network calls, especially HTTP POST calls is normal. Your PSP is going to have a very hard time detecting this.

This was one of the thoughts behind OpenHIPS. OpenHIPS, even if it were completed, isn’t the greatest solution against malware today. OpenHIPS scans memory of a process looking for exploit code, but it just does this repeatedly. It’d be better for it to only scan memory at important times like when a CreateProcess call is made, but then why not just look at the arguments to that call to alert the user, or simply identify that a certain process (like a browser) should never call CreateProcess ever. If you download and want to execute something, do it through Explorer, not the browser. Well, one of the thoughts was that OpenHIPS could better identify exactly what exploit was used in this attack. Most PSP’s will identify what malware was downloaded and attempted to execute, but that is only one part of that attack. Maybe you can identify what site was malicious, but I wanted to also easily identify what malicious thing is was doing (what the exploit or shellcode was).

Anyway, it may be beneficial to complete OpenHIPS for the purpose of identifying this new malware I am imagining that would exists solely within the browser. One of the first authors to describe the benefits of never touching disk from the attackers perspective is “the grugq” in his phrack article “FIST! FIST! FIST! Its all in the wrist: Remote Exec” in 2004.