Of Death Gods and Dirty Cows

Computer security researchers discover new forms of malware every day. Being one of the most popular Operating Systems, Microsoft Windows often faces these attacks’ brunt as it is also one of the most vulnerable operating systems. While a common misconception is that Linux or other Unix based systems are unhackable, Rule 0 of computing says that if there exists a software, it has flaws. Flaws can always be exploited, no exceptions.

 

The primary reason people believe in this misconception is that Windows owns a good majority of the market share, hence making them better targets. This is not wholly false, as most of the malware written is to exploit loopholes in Windows. If a scammer or a hacker accustoms oneself to Windows, they already have a decent chance of catching a gullible user. Scammers often use the long list of processes Windows has to intimidate a user and extort money from them.

 

This malware (meant for Windows) usually doesn’t run on Linux environments, making it safer. But, this doesn’t make the Linux based systems invincible. Malware can be written keeping Linux systems in mind. Interestingly, high-value systems, like defense and research run on Linux based kernels, thus providing a more lucrative target. To counter, Linux also has its upped its safety game, with developers all over the world regularly stripping away potential vulnerabilities. 

Again, this doesn’t mean Linux is entirely immune to problems. Even a basic piece of code, like the fork() function in C (which instructs the OS to create a new process) can be written to destroy a Linux kernel. If we spam this for a sufficiently large number of instances, we can hog all the CPU resources forcing the user to restart. Right? Not so fast! The Linux file system has its user privileges on guard (or en garde if you prefer French), with root or “superuser” access taken away from all programs, and locked away with a password. When the code above is run with sudo (the Linux command requesting root access) then, and only then, can it bring the system down. This privilege escalation is vital to gain access to a system. Everyday users don’t see much of this command unless they need to update software keeping Linux’ security system intact. Dangerous programs requiring root access don’t usually get it unless the user explicitly grants them. 

 

In Windows, most of the programs have administrator access, including access to the kernel, registry, and other internal components. This open-access gives rise to the ransomware threat that occurs when a system’s files are encrypted by a hacker and held “hostage”. The hackers now blackmail the user into paying a large sum of money (a “ransom”) to decrypt the files. The wannacry ransomware took the world by storm a few years ago, and many other ransomware threats have emerged since then. 

 

Ryuk ransomware is one of the most advanced big-game hunters of vulnerable Windows systems. It is often used to target enterprise-level organizations. Interestingly enough, the malware is named after its namesake from the anime, Death Note. Fun facts aside, Ryuk has fetched its creators over 700 BTC (more than $8 million) across 50+ transactions. The attack begins by entering a network with a weak password, escalating privileges, and encrypting the network’s files. Ryuk takes care not to encrypt some data, which includes browser files and basic OS files. This gives the victim just about enough room to pay the ransom. Rather strange behaviour of Ryuk (a Windows malware) was that it could encrypt even the Unix/Linux based files (*NIX files). This was because of the rising popularity of the Windows Subsystem for Linux, which allows a Windows user to enjoy a Linux kernel without switching OSs. However, luckily for Linux users, the creators of Ryuk whitelisted these files to avoid complications that arise when trying to decrypt these *NIX files.

On the other hand, Windows’ counterpart, Linux, despite its security, has had a fair bit of vulnerabilities. The difference, however, lies in the patching of these problems where Linux is up ahead. Owing to its open-sourced nature, finding and analyzing any flaws present is much easier in Linux than the proprietary Windows software. While this means the good guys can tinker away and fix problems quickly, the bad guys have easy access to the code and can find possible flaws too.

 

Speaking of bad guys, Dirty COW has been a vulnerability in the Linux kernel since 2007, which was discovered in 2016 and patched in 2017. It was found in the wild by Phil Oester, meaning that it could already have been used for exploitation by the time of discovery. COW is short for copy-on-write, and this means that the kernel does not create a copy of a file a process wants unless it is being written to immediately. This helps in resource sharing and saves up on computational power when a file is copied but not modified. The Dirty COW vulnerability employs two racing threads. The first thread is for writing, where we try to write something to a private copy of a read-only file. The other thread is for chucking away the private copy, with the command madvise(MADV_DONTNEED). This opens up a small window of opportunity, where the kernel throws away the private copy, but also has to write to a file. It chooses to write to the read-only, as it is the only option, and the sub-programs in charge don’t dare disobey a command from the kernel. This is privilege escalation, as an ordinary non-root file can perform root tasks by modifying read-only files, as it tricks the all-powerful kernel. The Dirty COW exploit, however, requires the attacker to run arbitrary code on your system to be successful and this can stave off some of its worst effects. However, it serves as incontrovertible evidence that just being open source doesn’t make an operating system immune.

OpenBSD, a security-focused Unix variant, employs privilege separation to reduce the risk of privilege escalation by an attacking program. While it is mainly an OS meant for research and networking purposes, some of its spin-offs have found their way into other projects. For instance, Android uses the C standard library from it, while Windows 10 uses its secure shell. Historically, the website of the OS carried the flex “Five years without a remote hole in the default install!”, then “One remote hole in the default install, in nearly six years!” and currently “Only two remote holes in the default install, in a heck of a long time!” which has stayed since 2007. It is well-deserving of the claim, despite controversies that surround it. Both the vulnerabilities identified in OpenBSD were related to remote access to the root account.

 

As observed, most malware problems are caused by the carelessness of the end-user rather than having a terrible OS. Clicking on unsafe links can install malicious software that can compromise the system. Remote access to a system and privilege escalation by an attacker can hand over the system’s control to a person sitting in a far corner of the world. Much like another virus we have become all too familiar with, this allows our computer virus to spread globally. Careful browsing can go a long way in ensuring system security. Annoying as they are, Windows updates bring in security patches, as do the discrete Linux system patches. Staying up to date is the one of the easiest and most effective ways to keep yourself safe from threats to your computer.

 

References:

  1. https://en.wikipedia.org/wiki/OpenBSD
  2. https://chao-tic.github.io/blog/2017/05/24/dirty-cow
  3. https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/

Market Share image: https://venturebeat.com/wp-content/uploads/2019/09/os-market-share-august-2019.png?resize=1024%2C677&strip=all

About the Author

Articles

Leave a Comment

Your email address will not be published. Required fields are marked *