7

How can I know that a network card in a server was infected by a virus or not? Are there any methods to check it?

gasko peter
  • 843
  • 1
  • 12
  • 20
  • What NIC are we talking about? There are very, very few where this is possible. For those, the answer is NIC-specific. (For example, most don't have storage that persists across a power loss, so cut the power and you're safe.) – David Schwartz Jun 06 '12 at 11:14
  • @DavidSchwartz, are you saying that most NIC cards do not have any firmware that is stored in updateable non-volatile memory? (e.g., flash, EEPROM, etc.) – D.W. Jun 06 '12 at 16:24
  • 3
    @DavidSchwartz Most network cards and other discrete components have reflashable firmware. – Gilles 'SO- stop being evil' Jun 06 '12 at 17:44

4 Answers4

8

While it's theoretically possible to insert malicious code into flash memory on peripheral equipment like network cards, it's more likely to see the use of videocard GPU systems to do rainbow table cracks for special purpose hackware, etc.

Specialized programming is needed that would be nation-state level targeted attack fodder. Peripheral equipment malware would take special knowledge and techniques that would allow the device to operate normally without crashing while filtering traffic.

If a theoretical hack was ever done to a network card, the only way you would ever detect it would be by analysis of the traffic coming in and out of it. Your standard anti-malware wouldn't have a clue.

It's more likely that this kind of attack would be done against routers and printers. They already have CPUs with plenty of left over clock cycles and flash memory storage that will easily hold a few minor mods. Our local College had an HP that had a humorous "Insert Nickel to Print" message left by one of the Electronics Majors.

Fiasco Labs
  • 1,557
  • 10
  • 12
  • 3
    Even if the network card isn't the primary target (and it may be; that would be a good place to send spam), it can be the infection vector. An example (discovered in the lab, not in the wild): [CVE-2010-0104](http://www.kb.cert.org/vuls/id/512705) ([short summary](http://security.stackexchange.com/questions/5505/viruses-on-video-cards/5510#5510)). – Gilles 'SO- stop being evil' Jun 06 '12 at 17:43
  • 3
    Noted over on Heise Security 07/30/2012: _At the Black Hat hacker conference, Australian security expert Loukas K (aka Snare) has demonstrated a rootkit which is able to insert itself into a Macbook Air's EFI firmware and bypass the FileVault hard drive encryption system._ We'll have to see how far this goes... – Fiasco Labs Jul 30 '12 at 15:01
  • Just noting that someone with access to the original softwares source code or working in the field may be able to create malware without needing the resources of a nation-state. Although compatibility with every hardware may be a problem. – HopefullyHelpful Oct 17 '16 at 15:04
2

Very few viruses will infect the network card on your server. Viruses typically infect your OS or other application software. Therefore, for most purposes you don't need to worry about viruses in your network card. If you're worried about viruses, take standard steps to harden your server; search the archives for server hardening for instructions (this will be OS-dependent).

It may be possible for viruses to replace the firmware on your network card with a malicious version. That'd be very bad, because then it wouldn't be detected by ordinary anti-virus software. However, this would require a very sophisticated attack, and I don't think I can recall ever seeing this strategy used in the wild. Therefore, most people won't need to worry about this.

And remember, the best defense against viruses is: don't get infected in the first place. Keep your software up to date, use firewalls, don't run vulnerable software, etc.

D.W.
  • 98,420
  • 30
  • 267
  • 572
  • Would you like to comment on whether it's probable that a NIC could be infected (presuming it was clean when first installed, and no malicious insider activity) without first having an OS infection? – Iszi Jun 06 '12 at 12:37
  • I'd guess that infecting the NIC firmware probably requires first getting Administrator or root level privileges. However, that does not require infecting the OS or installing any lasting malware into the OS. – D.W. Jun 06 '12 at 16:23
  • Perhaps you don't need to install lasting malware on the OS, but such activity as you describe would still have to pass the sniff-test of the OS-level Antivirus. – Iszi Jun 06 '12 at 16:41
  • 3
    There are very few viruses against network cards in the wild. But it is certainly possible to write one, and administrator access to the OS is not the only possible way in. Network cards parse packets, hence they have buffers that may overflow. How about [CVE-2010-0104](http://www.kb.cert.org/vuls/id/512705) ([short summary](http://security.stackexchange.com/questions/5505/viruses-on-video-cards/5510#5510)), which not only doesn't require any OS-level access (the card is the point of entry for the attacker), but doesn't even require the computer to be switched on? – Gilles 'SO- stop being evil' Jun 06 '12 at 17:41
  • @IsziRoryorIsznti, sounds like you have more confidence in antivirus software than I do. I think there's plenty of evidence that an sophisticated attacker can build a root-level privilege-escalation exploit that won't be detected by antivirus software. – D.W. Jun 06 '12 at 17:52
  • @Gilles, good point! Perhaps the better answer is to say: the easiest attacks might require getting ring-0 (root/Administrator/superuser) level privileges, but there may also be attacks don't require ring-0 privileges or can even be carried out remotely. All of these are *possible*. – D.W. Jun 06 '12 at 17:53
  • 1
    Well, I didn't mean to say that fooling or bypassing antivirus was *impossible* - just that antivirus, OS- and software-level patching, and the principle of least privilege, seem to be your only real defenses against this sort of attack. You could maybe add a HIDS, but those can suck up system resources and are really not much more reliable than AV. There's nothing you can do *on the NIC* that will help defend against or detect these attacks. – Iszi Jun 06 '12 at 18:32
1

I know this is an oldish question but since the last post, This has been done to a bunch of nic's. The most popular are mobile broadband or 4g lte nic's. I attended Def con this year 23, and was surprised at how easy and fast an attack could occur on nic cards firmware. it was very easy for them to gain elevated control of a pc once the new firmware was on the network interface card.

the video of that talk can be found on youtube, however I do not know the name of said talk so a little digging is required.

Mat Holzschuh
  • 11
  • 1
1

I will state the caveat that you will never know if X is infected, but only have a good idea.

As I see it, there are 3 areas that could be exploited on a network card.

  1. The Driver of the OS (but this is not part of this question)
  2. Network Card Firmware
  3. In Memory

Having something existing in memory would be unlikely as cost vs effort would be high for an attacker. A reboot would clear the virus and network cards and ntypically don't contain large amounts of memory to house a virus. Using the network card as an entry to the firmware would be far more likely.

So the remaining piece is to check the firmeware. I'll use intel's support as an example it was quickest to find. https://www-ssl.intel.com/content/www/us/en/support/software/manageability-products/000005790.html

  1. Prepare BootUtil for your system (download and have administrative rights)
  2. Run: bootutil -nic=XX -saveimage -file=C:\Temp\MyCurrentNIC.bin
  3. Create a (SHA1/SHA256) Hash of the saved file
  4. Repeat the process on another NIC of same type/firmware version or download the firmware from the website
  5. Create a (SHA1/SHA256) Hash of the "known" good file
  6. Check for a match
  7. (Optional) Submit your captured firmware to manufacturer for security analysis

The easier way around this is to use a NIDS/Wireshark to look for known bad packets to known signatures using a resource such as http://www.netresec.com/?page=PcapFiles. This will tell you the source IP of the machine/device that is infected typically traditional measures will allow for virus removal without resorting to firmware checking.

DarkSheep
  • 333
  • 2
  • 13