When Hacked PCs Self-Destruct
An anonymous reader writes "From The Washington Post's Security Fix blog comes a tale that should make any Windows home user or system admin cringe. It seems the latest version of the Zeus Trojan ships with a command that will tell all infected systems to self-destruct. From the piece: 'Most security experts will tell you that while this so-called "nuclear option" is an available feature in some malware, it is hardly ever used. Disabling infected systems is counterproductive for attackers, who generally focus on hoovering as much personal and financial data as they can from the PCs they control. But try telling that to Roman Hüssy, a 21-year-old Swiss information technology expert, who last month witnessed a collection of more than 100,000 hacked Microsoft Windows systems tearing themselves apart at the command of their cyber criminal overlords.'"
Is physical destruction even possible? (Score:5, Interesting)
Could you screw with the voltage and thermal thresholds to cause a system to literally self destruct?
Re:Is physical destruction even possible? (Score:3, Interesting)
Rumor has it that old Athlons built before hardware thermal throttling could catch fire and burn down your PC. But I've never seen any proof of this.
A blessing in disguise? (Score:3, Interesting)
All it does is mess up the OS - the hardware is fine, hardly a 'nuclear option' or 'self-destruct'.
In fact it could prompt someone to install Linux afterwards
Re:Hardly self-destruct (Score:5, Interesting)
It is far worse.
A friend, just last night, showed me his highly-infected laptop (please, being serious here). Not only did he have one of those "Infect the "customer", then sell them a fake cure" scams, but he had what appeared to be an everyday Trojan, with one huge difference.
It had created a hidden partition (I deduced this from HD size discrepancy between reported size and actual), copied over enough "Windows" to run as a separate OS, then nuked his normal partition OS. When he reformatted, he wasn't paying attention (didn't know any better) and didn't delete that partition. The trojan was essentially maintained, right through a reformat (albeit, an incomplete one). It was an easy mistake to make considering how many Dell/Compaq built machines come with a separate 10-20GB partition that isn't always deleted on reformat, and for that reason the numbers for HD partition space don't always add up.
Here is where the sneaky part comes in. They nuked his OS, right?
NOW, after he thinks everything is groovy, he starts reinstalling applications, re-entering information and passwords and re-bookmarking sites. All while the trojan watches.
THAT is what the "nuclear winter" is for in these cases, to lull the user into a false sense of security.
Re:Hardly self-destruct (Score:4, Interesting)
Remember, this was before iPods, etc when pretty much everything took 2 AA batteries covered by nothing but a simple plastic knob.
Re:*Real* self-destruct (Score:4, Interesting)
The Commodore PET was one box with integrated monitor and processor, and the monitor focus could be adjusted in software. It was possible to reduce the scan of the CRT to just the centre of the monitor, which (I am told) burnt a dead area in the middle of the monitor fairly quickly.
Wouldn't meet the "useless" measure, but would be very annoying and permanent physical damage. (You could probably mess up the disk head alignment pretty badly too, but that can be fixed.)
Re:Is physical destruction even possible? (Score:1, Interesting)
Sure, just use an HCF [wikipedia.org] instruction.
Re:Hardly self-destruct (Score:4, Interesting)
If he reformatted his C: and installed a fresh windows on there, how were files from the windows install on the hidden D: being launched by the trojan? Especially if you launch an install from a bootable device such as a CD, I don't quite see how the hidden install on the second drive would be able to interfere with the reinstall or operation of the fresh install?
Re:As they always say ... Fdisk from orbit (Score:3, Interesting)
To be a bit more serious what I mean by "from orbit" is run everything from some sort of media that the malware never had a chance of touching - preferably a completely different OS on read only media. Then the partitions go and the new ones get formatted before use etc etc.
I remember when a lot of laptops (and a couple of PCs) did exactly this via OS in ROMs. Nice clean boot up every time, with no viruses or other idiocy. Perhaps PCs should consider making a move back to this again?
With the advent of flash media, it's entirely possible as well that you could load the "OS" on a special card and have it be non-writable (thinking physical tab/button similar to 3.5" floppies). This way you could manually lock down your root directory, say, in Linux, and nothing short of an act of God would allow a hacker to gain access to it or change it, even IF they gained the correct permissions somehow.
Also, what shocks me is the move in Windows 7 away from simpler methods. It was a great chance for Microsoft to streamline and get some real security into their OS. That is, in many older computers, you could literally yank the offending OS folder entirely and restore it with a clean copy and all of your data and programs would remain untouched. No registry or other idiocy like hidden files and processes that don't show up even when you run the built in applications to check on the machine's status. Many older OSs merely required a simple file replacement and reboot. Yes, they were largely simpler as well, but that's not an entirely bad thing.
Re:Hardly self-destruct (Score:2, Interesting)
Sorry, but the trojan CANNOT create a hidden partition.
To do this, it would have to defragment the files (by moving the last files to the beginning of the disk), then when all the space is free create a partition.
What might have happened instead is that the partition was a backup, provided by the vendor (I know, I have an HP laptop, with a 7Gb partition to allow fast reinstallation).
The trojan may have infected this partition, and since I guess the dumb user reinstalled his system from the backup (which is the main purpose), he got infected again.
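The two replies above disagree about what the "HD size discrepancy" in the earlier comment actually shows: space that no partition claims, or a vendor recovery partition that the partition table does list. The following is an added example, not code from any commenter, that makes the distinction mechanical: it parses an `sfdisk --dump`-style partition listing (the listing and the disk size below are constructed for the example), sums what the table accounts for, and reports any unallocated run larger than the usual 1 MiB alignment gap. The alignment threshold and the device name are assumptions.

```python
import re
from dataclasses import dataclass

SECTOR_BYTES = 512
# Partitioning tools normally leave a 1 MiB (2048-sector) alignment gap before
# the first partition; anything larger than that is worth explaining. (Assumed threshold.)
ALIGNMENT_GAP = 2048


@dataclass(frozen=True)
class Partition:
    dev: str
    start: int   # first LBA
    size: int    # length in sectors

    @property
    def end(self) -> int:  # exclusive end LBA
        return self.start + self.size


# Matches lines of the form: /dev/sda1 : start=2048, size=204800, type=7
_ENTRY = re.compile(r"^(?P<dev>\S+)\s*:\s*start=\s*(?P<start>\d+),\s*size=\s*(?P<size>\d+)")


def parse_sfdisk_dump(text: str) -> list[Partition]:
    """Extract (device, start, size) from an sfdisk --dump style listing."""
    parts = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            parts.append(Partition(m["dev"], int(m["start"]), int(m["size"])))
    return parts


def find_gaps(disk_sectors: int, partitions: list[Partition],
              min_gap: int = ALIGNMENT_GAP) -> list[tuple[int, int]]:
    """Return [(start_lba, length_in_sectors)] for every unallocated run > min_gap."""
    gaps = []
    cursor = 0
    for p in sorted(partitions, key=lambda p: p.start):
        if p.start < cursor:
            raise ValueError(f"{p.dev} overlaps the previous partition")
        if p.start - cursor > min_gap:
            gaps.append((cursor, p.start - cursor))
        cursor = p.end
    if disk_sectors - cursor > min_gap:
        gaps.append((cursor, disk_sectors - cursor))
    return gaps


def gib(sectors: int) -> float:
    return sectors * SECTOR_BYTES / 2 ** 30


def report(disk_sectors: int, dump: str) -> dict:
    """Summarise allocated vs. unallocated space and list the suspicious gaps."""
    parts = parse_sfdisk_dump(dump)
    allocated = sum(p.size for p in parts)
    return {
        "partitions": parts,
        "allocated": allocated,
        "unallocated": disk_sectors - allocated,
        "gaps": find_gaps(disk_sectors, parts),
    }


# Constructed sample: a 465 GiB disk with a boot partition, a large C: volume and a
# vendor recovery partition (MBR type 0x27). ~26 GiB at the end belongs to no partition.
SAMPLE_DISK_SECTORS = 976773168
SAMPLE_DUMP = """\
label: dos
device: /dev/sda
unit: sectors

/dev/sda1 : start=        2048, size=      204800, type=7, bootable
/dev/sda2 : start=      206848, size=   900000000, type=7
/dev/sda3 : start=   900206848, size=    20971520, type=27
"""

if __name__ == "__main__":
    r = report(SAMPLE_DISK_SECTORS, SAMPLE_DUMP)
    for p in r["partitions"]:
        print(f"{p.dev:10} start={p.start:>10} {gib(p.size):8.2f} GiB")
    print(f"unallocated: {gib(r['unallocated']):.2f} GiB")
    for start, length in r["gaps"]:
        print(f"  gap at LBA {start}: {gib(length):.2f} GiB (not in any partition)")
```

A listed recovery partition shows up as a row in the table and is accounted for in `allocated`; space that the table does not claim at all shows up in `gaps`. The first is the vendor layout the later reply describes, the second is what the earlier commenter would have seen as numbers that "don't add up", and it is the region a bootable rescue medium should be used to inspect or wipe, since anything running from the installed OS can misreport it.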
Re:All Versions of Windows affected (Score:5, Interesting)
Any machine today can self-destruct given the right circumstances.
The problem lies in the fact that all computers have a flash bios that usually isn't write protected in hardware.
And hard disks have their firmware in flash, which also can result in "interesting" permanent crashes.
So if a hacker wanted to give a certain operating system bad credit all that's needed is to prepare a huge botnet and then blow the machines.
Counter-productive - yes, but don't expect the internet to be free of vandals. We have vandal-protected ATMs and a lot of things are suffering from vandalism even though there is no reason, so why not your machine?
Re:Is physical destruction even possible? (Score:3, Interesting)
That was the 1st-gen Athlons, i.e. the Thunderbird class. The thermal sensor couldn't handle rapid increases in temperature (I think the limit was one degree C per five seconds or something like that) so if the heatsink failed or you forgot to put thermal compound on there...
What you got was a puff of smoke, and a dead CPU and motherboard (more specifically the CPU socket usually melted, and the core voltage regulators cooked). Still a bit of an expensive cockup though; this was in the days where a Tbird would cost around $200, plus another $160 to $300 for the motherboard.
Re:*Real* self-destruct (Score:3, Interesting)
I've said for years - viruses are boring nowadays. There's so much *potential* for a really well-written, modular virus to wreak worldwide havoc but nobody's done it. Imagine a virus that inspects local hardware/software and downloads a set of hashed filenames for that data, each of which attacks that specific element of the computer and is updated regularly. E.g. it spots that you have a processor with an old errata bug, downloads the module for it (anonymous P2P) and uses that to gain admin privileges, or it sees a new update to McAfee and the download requests for that hash spark the original author's (or a random stranger's) interest and they write a new module to counteract whatever workaround has been put in place which *all* machines instantly start benefiting from.
In terms of permanent hardware damage:
Overwriting the HPAs on the disk drive? That could cause some fun.
Bad flash (hard to do with BIOS, and BIOS options to prevent it) - anything with firmware on basically - e.g. RAID cards, USB devices, even network routers!
Using weaknesses in hardware configurations (e.g. the IBM ThinkPads that could be bricked by a perfectly valid, but unexpected, I2C write to one of their EEPROM chips - beyond non-IBM repair, I might add). Writing infinitely to Flash drives (would you notice a small process that starts 10 secs after you insert a USB drive and just reads and rewrites every block of data for ever?) or SSDs. Even Ubuntu nearly trashed people's drives by accident by repeatedly spinning them down and back up and making the SMART data go through the roof.
Using weaknesses in hardware *control* (e.g. overclocking everything, temperature monitoring, fan control, etc. but it's harder to damage a chip permanently nowadays because they are designed to slowdown/shutoff under extreme conditions - you'd almost certainly be able to cause an extreme nuisance, though).
Possibly (although this is *unlikely*) trying to do things like create power surges on the buses by repeatedly activating and shutting down hardware with various timings while watching the voltages on the lines, to see if you can cause an overload. I think that spinning disks/CD's + spinning fans + various heavy-duty CPU/GPU work etc. might well be able to take out some of the cheaper power supplies in a lot of machines.
Even things like setting the BIOS to boot from PXE first, then ZIP, then floppy, then CDROM would be enough to flummox 99% of users who would think that their machine had broken because it doesn't get into Windows, etc.
The most interesting concept to me would be to take out other hardware - maybe flash a printer with all 1's, or re-flash the local ADSL router or similar. So much stuff has firmware nowadays that it shouldn't be too difficult to wreak some havoc with just a big database of MACs/ports/firmware specifications for some of the more popular types. Imagine a virus that (on discovering attempts to remove it) not only takes out your computer, but bad-flashes your printers, network hardware and iPod first! That'd make you think twice about automated anti-virus software or manual cleanup instead of just "reformat, reinstall".
Re:Remember... (Score:5, Interesting)
I told the phone company all about the dialer and that I knew it was my teenage son clicking porn links. Their response was basically: sorry, but we have already paid the $300 to the Russian telco, who has already paid it to the 1900 number; if you don't pay us the $300 we will not only cut you off but will alert other vendors to your unpaid bills. I told them to go ask the Russians for their money back due to obvious and traceable fraud, they cut me off, I paid, we kissed and made up.
Re:Hardly self-destruct (Score:5, Interesting)
Actually, by "normal use of a computer" your computer can indeed cause serious damage to other computers, or to property. That's what TFA is all about.
Let's look at "normal use of a computer." And by "normal" I don't mean "geek normal", I mean "Joe Sixpack normal".
Joe Sixpack goes to Best Buy and buys a computer. He doesn't spend the $50 for the anti-virus software ($50 a year? The hell I will!) or $50 for a firewall (I already pay the cable company for this blue box just like it), and he dismisses every single warning, checking the "don't show me this again" box because he didn't understand it the first time. And then he surfs to the porn sites. So what we'd consider reckless behavior is pretty much "normal use of a computer".
There are no cops to give him a ticket for surfing on unsafe equipment, because it's not illegal. Nobody's going to protect him because he's not willing to pay extra for anti-virus. And we all know that his machine is going to be turned into a zombie within 15 minutes of connecting to the internet without a firewall.
As far as the damage goes, his zombied computer may attack and infect others. The direct costs to Joe Sixpack may include PC troubleshooting and repair, loss of data, and dealing with the theft and abuse of personal banking information. Banks are held liable to cover any fraud losses that result, and they collectively spend billions annually. And for secondary effects, we know there have been suicides due to lost money and also due to computer harassment. I don't think you can simply say that a computer can't "hurt" anybody.
( And this isn't about assigning blame. There's plenty of that: Joe Sixpack may be as irresponsible as they come, and dumber than average. The malware writers are common thieves. Some operating system vendors sell Swiss cheese. And every vendor in the process is happy to take Joe's money without regard to the consequences to him. )
If cars were as unregulated as computers, very few of us would safely return home on a daily basis.
Re:Remember... (Score:5, Interesting)
Thanks for that. The guy in the picture in that article looks just like the "Desktop Support Coordinator" at the University I used to work for.
I like the part where it says "Instead of blowing up a single plane, these groups will be able to patch into the central computer of a large airline and blow up hundreds of planes at once!" [emphasis mine]
Anyway, the "desktop support coordinator" actually told me once that when I unplug my laptop from ethernet at night I should do so at the wall instead of at the laptop (leaving the cable plugged into the wall) because it (I swear this is true) "wastes bandwidth".
I wanted to ask him if that was because all the bits would run out of the unplugged end of the cable and onto the floor but I just couldn't do it because he had such an earnest and absolutely convinced look on his face. At the time I was just a lecturer and I'm sure he was making twice my salary (this was before the Univ. figured out that they could just pay work-study students 6 bucks an hour to do desktop support (but after they'd figured out they could pay post-docs 7 bucks an hour to teach undergrads)).
Re:Hardly self-destruct (Score:3, Interesting)
I understand the anti-Microsoft sentiment. Being in IT and software development I tend to share a lot of it... but if you're going to spread hate, try to make sure your facts/analogies are in the ballpark of being accurate.
Windows comes complete with door locks and windows; it's the $1000 Bose surround sound with Bluetooth link and iPod dock that you pay extra for. Not to mention Microsoft hasn't even come close to releasing a version of Windows requiring a yearly subscription. Sure they talked about it, but the reaction from the community was enough to stem that tide.
I don't know about you, but I don't have to break any laws or void any warranties to get into MMC or the registry or the hardware manager. This part of your analogy seems to be aimed at the idea that Windows is closed source, but it's completely flawed. A better analogy would be that it's really freaking hard [reactos.org] to cast all your own parts to build an engine from scratch... which is true.
Kill switch that other drivers control? I don't even understand this. Unless you're talking about domain controllers having the ability to forcibly shut down or restart an AD-attached computer... but then your analogy would be like two stupid go-karts on which the pissy little 16-year-old attendants turn a rev limiter on just because you bumped your friend a bit...
15 manufacturers to get a basic car? If Opera and Mozilla have their way that might have some semblance of truth, but the base Windows install (excluding drivers) is all Microsoft. Most cars have aftermarket parts from dozens of companies; why shouldn't an operating system? If you want to bitch about mismatched software and wedged-in modules go take a look at a Linux depot.
You have a point about the whole driving legally thing, but when a company can argue that ~30% of China doesn't use a valid copy of their product, I think they get some leeway.
When was the last time your local car shop issued a recall on your car? What? Never? You mean it's the manufacturer that discovers and fixes all those problems? Oh man... what a shock. I guess that's the state of closed engineering these days...
P.S. You only have mandatory product activation if you buy a retail version of the software and install it yourself, OEM comes pre-activated. In a way, that product activation is like you getting the title to your car. If you buy from a dealership, they do all the paperwork and everything comes to you automatically in the mail. If you build your own car or buy it used, you have to fill out a few forms and get them notarized and approved before you're technically allowed to drive it legally. Again, when their software is pirated so much, they do have the right to try to protect it. That isn't greed, that is intelligent business.
Re:Remember... (Score:3, Interesting)
This assumes of course that the victim will make the leap in logic that it was malware that did it and not bad hardware, or a mistake on their part. Those who get infected in the first place are far less likely to know enough to make the connection. Therefore, it probably would buy some time. Whether the time is worth the cost of losing a zombie is another story though...
Re:As they always say ... Fdisk from orbit (Score:3, Interesting)