Search This Blog

Monday, November 24, 2008

Pointsec Virus Protector

Following my previous concept on how a rootkit can be protected on the HDD of a laptop, this idea can be extended thanks to another product call Pointsec Protector:
http://www.checkpoint.com/products/datasecurity/protector/

Basically, this encrypts your USB / External flashdrive, HDD etc. Which in this article, I will conceptional talk about how this can be used to protect the virus in transit. 

Imagine a virus extension of the rootkit. It can be transmitted onto an external device. So we have some USB flashdrive, which in this case is protected by the Pontsec Protector. So the virus is injected on the flashdrive. Now typically, we should be able to scan the USB flashdrive in a clean environment such as Linux, but because its protected by Pointsec Protector, this is not an option here.

So, how about when it get plug into another Windows system? Well, if that windows system does not have the Pointsec Protector software, the virus is safely protected inside. Well, in the case it is. Then doesn't the host based antivirus picks it up immediately and wipe out our virus? It depends. There can be several ways to go about it. One way is to inject itself immediately into the Pointsec address space. That makes it hard to kill and most likely the antivirus will have to take the Pointsec down with it. Then it still leaves our virus intact in the USB flashdrive. However, this technique is not easy at all. Another way is to inject the rootkit immediately so that while the antivirus spends it time cleaning the virus (if it doesn't block it first), we 0wnz the system first hiding its trace. 

As you can see, the encryption here provides it a mechanism to transport the virus straight to the target. The only defend left is the target host based anti-malware. I suppose modern day malware has easily overcome this problem. In the case where the malware does not detect the virus at all, then its game over for the system. However, if in the first scenario is possible, then a virus which is able to target the encryption mechanism, it will provide a more foolproof entry into the system or at least it will disrupt the anti-malware's attempt to clean up the virus. No decryption, no cleaning. 

Conceptional, I believe this is possible. And the impact can be much more serious than to rootkit a hypervisor because of the vector of attack. 

No comments:

Amazon Gift Cards!

Thanks for viewing!

Copyright © 2008 nemesisv.blogspot.com, All rights reserved.