Do all programs running in a computer show up in the processes tab in Task Manager?

34

6

The reason I am asking this is because I am curious if there can exist a virus in the computer without me ever being able to know it exists. To be more specific, a virus that emits no signs of any sort.

itzjustricky

Posted 2014-10-05T07:48:49.273

Reputation: 419

Question was closed 2014-10-07T16:20:16.923

Answers

48

There is a class of malware that can hide itself completely from the operating system known as a rootkit.

Rootkits are used to hide the evidence of other malware at work and are embedded very deeply in the operating system. Because of their deep embedding they are able to manipulate process lists, filesystem tables and other important structures on-the-fly.

By manipulating filesystem structures in memory they can return false or misleading results for directories, specifically not showing files related to the main malware itself. The files are there, and booting into an uninfected operating system such as a Linux LiveCD will show the files though, as they have to be stored somewhere.

Similarly, rootkits can simply drop certain processes from being reported to programs such as the Task Manager. The operating system core knows about them, as it needs to in order to schedule them, it has just been blocked from letting the outside world know about them.

Mokubai

Posted 2014-10-05T07:48:49.273

Reputation: 64 434

1

I'm curious, how do they achieve that feat? It seems like something that Windows should not allow in the first place. I mean, even "show processes from all users" is less 'hiding' and more 'categorizing' – Raestloz – 2014-10-06T01:54:26.550

2

@Raestloz: They achieve the feat by getting root access and then rewriting Windows to remove the bits that disallow it. I've heard that some of them do this by "booting" into the rootkit as an OS, altering Windows, and then they run Windows, so neither the user nor Windows has any idea that anything is unusual. – Mooing Duck – 2014-10-06T03:14:19.103

3

Well dang, maybe someone should invent an anti-virus that runs on BIOS lol – Raestloz – 2014-10-06T03:16:47.410

@Raestloz [flippant]*NIX is about as close as you can get to that.[/flippant] – Agi Hammerthief – 2014-10-06T09:04:01.560

@MooingDuck So in theory a harmless(?) Windows Update 'Windows needs to restart your computer to install updates' could potentially be a rootkit wanting to install itself when the computer reboots? – AStopher – 2014-10-06T11:04:40.507

1

@zyboxenterprises Real Windows updates are signed and cannot be forged, but you could forge just the restart request dialog, or trick the user into restarting in any other way, or force a restart (shutdown -r -t 0, no privileges required), or just wait until the user reboots. – gronostaj – 2014-10-06T11:37:20.217

@Raestloz It's not a job for BIOS, but for an OS-independent antivirus: http://www.livecdlist.com/purpose/windows-antivirus – gronostaj – 2014-10-06T11:39:03.450

@gronostaj So the 'Windows Update' part of my answer is invalid? Should I remove that part? – AStopher – 2014-10-06T11:43:11.607

4

@zyboxenterprises Maybe, maybe not ;) Flame exploited Windows Update for its own purposes by forging a certificate, but that vulnerability has already been patched. There are no publicly known WU exploits, but that doesn't mean none exist. The one used by Flame wasn't known before too. (see 0-day attack) – gronostaj – 2014-10-06T11:56:41.187

@gronostaj There's always vulnerabilities in every program, and there always will be. It's just a matter of time until someone else finds another WU exploit. – AStopher – 2014-10-06T11:58:29.573

16

All normal programs will appear there, but...

  • without an Administrator account you will only be able to see your own processes (Admin accounts can choose to view everybody's processes)
  • rootkits will try to conceal their existence by hiding their process from the list, compromising the task manager (so it doesn't show them), hiding inside another process's address space...
  • services will run as threads under a svchost process (in most cases), so there's no easy way of pointing at which service is running under a given svchost instance.

There are some programs designed for detecting rootkits. They do so by checking for instance the list of threads programmed for execution and the list of processes in the system (a thread not belonging to any process is a sign of a hidden process), or the list of files seen at high-level, and comparing it with the files it manually reads from the disk partition.

Nonetheless, once you are infected, it is possible for a virus to conceal its presence so well that it's almost impossible to detect. Those are usually termed APTs (advanced persistent threats).

Ángel

Posted 2014-10-05T07:48:49.273

Reputation: 960

2

Some of these points are somewhat invalidated by Sysinternals Process Explorer - limited users can see the file names of processes run by another user, and the tooltips of svchosts list what they're hosting.

– kirb – 2014-10-05T19:37:03.320

Did you mean to write "threat" or did you mean "thread"? It actually works there ;) – Konerak – 2014-10-06T06:38:21.257

How does a rootkit detector enumerate the threads or processes? If it's a typical way / WinAPI, can't a rootkit manipulate the enumeration and the rootkit detector won't notice this? – Ray – 2014-10-07T12:23:24.340

1

@DebugErr, they look at high-level and low-level, then report the differences (sometimes producing false positives, such as when a file has been changed in between). By checking the list of threads programmed for execution I was referring to the doubly-linked list used by the OS scheduler, i.e. completely low-level: if it's not there, it doesn't get a time-slice (although there are more places to check, like the ISR). – Ángel – 2014-10-07T17:18:21.297

5

Background

The operating system has a component known as the kernel. One of the kernel's (many) responsibilities is to manage system memory (both physical and virtual).

As part of doing this, the kernel splits the available memory into two distinct regions known as user mode and kernel mode. The kernel and drivers share the kernel mode memory, and user programs and less critical system components reside in the user mode memory region.

Processes in user mode can not generally communicate with those in kernel mode, except through specially designated and controlled channels.

For completeness it should be mentioned that processes running in user mode are also isolated from each other, but can more freely communicate with each other using facilities provided by the operating system provided that the programs are designed to do so.

Processes

The kernel provides the ability to launch processes in user mode. When a process is created it is added to an internal list of processes that currently exist. When a program such as Task Manager asks for a list of processes, it receives a subset of the information in this list, filtered by per user permissions.

One means for malware such as a rootkit to hide its existence is to directly remove itself from this table. Having done this it can still execute, but would no longer appear on a process list obtained by normal means.

Since these processes still actually exist and execute, they could be found by inspection of other kernel data structures, such as handle tables, which hold information about resources a process has open (e.g. files), or by examining memory allocations from which it is more difficult to hide without hindering the software's ability to function.

Kernel Mode Drivers

Kernel Mode drivers are used for many things, including interacting with physical hardware devices. They execute under the control of the kernel as necessary, but since they are not a user-mode process they do not appear in the table of processes, and hence will not appear in Task Manager or other tools concerned exclusively with processes.

Being able to run code in kernel mode is an important step to being able to effectively hide the existence of executing code. Under normal circumstances Windows requires that code in kernel mode be signed in order to run, so malware may need to use exploits in the operating system, other software, or even social engineering to get here, but once code is executing in kernel mode, hiding becomes easier.

Summary

In summary, while it's possible to hide evidence of a process's existence, there's likely always going to be some indication that the process exists, because it will generally always need to use some form of resource in order to do whatever it was designed to do; how difficult that detection is depends on the specific malware.

Crippledsmurf

Posted 2014-10-05T07:48:49.273

Reputation: 1 442
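The detection approach Ángel's answer sketches (compare the high-level process list with the scheduler's thread list and with a raw read of the directory, then report the differences) and the handle-table idea in Crippledsmurf's answer both reduce to the same "cross-view" comparison. The following Python is an added example, not code from the thread or from any rootkit detector; it runs the comparison over constructed, in-memory sample data that stands in for the Windows structures (the PIDs, thread ids, file names and handle records are all made up) rather than reading real kernel memory.

```python
"""Cross-view detection of hidden processes and hidden files.

Added example. The "high-level" view is what a process- or file-listing
API would return to Task Manager or Explorer (and what a rootkit can filter).
The "low-level" views are records the hidden program cannot simply drop
without stopping working: scheduler thread entries (no entry, no CPU time)
and open-handle records (no handle, no file or socket access).
All data below is constructed sample data, not real Windows structures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thread:
    tid: int          # thread id as the scheduler knows it
    owner_pid: int    # process that owns the thread


@dataclass(frozen=True)
class Handle:
    owner_pid: int    # process that opened the resource
    kind: str         # e.g. "file", "socket"
    name: str         # resource name


def hidden_processes(visible_pids, scheduler_threads, handle_table):
    """Return {pid: [evidence, ...]} for every pid that owns scheduled
    threads or open handles but is absent from the high-level list."""
    visible = set(visible_pids)
    findings = {}
    for t in scheduler_threads:
        if t.owner_pid not in visible:
            findings.setdefault(t.owner_pid, []).append(
                f"thread {t.tid} is scheduled for execution")
    for h in handle_table:
        if h.owner_pid not in visible:
            findings.setdefault(h.owner_pid, []).append(
                f"open {h.kind} handle to {h.name}")
    return findings


def hidden_files(api_listing, raw_listing):
    """Names present when the directory is read from the disk partition
    directly but missing from the listing returned by the filesystem API.
    A name only in api_listing means the file changed between the two
    reads (a false-positive source, as Ángel notes), so it is reported
    separately rather than as hidden."""
    api, raw = set(api_listing), set(raw_listing)
    return {"hidden": sorted(raw - api), "changed_between_reads": sorted(api - raw)}


# Constructed sample: pid 3300 owns threads and handles but is not listed.
VISIBLE_PIDS = [4, 512, 1040, 2200]
SCHEDULER_THREADS = [
    Thread(8, 4), Thread(520, 512), Thread(1044, 1040), Thread(2204, 2200),
    Thread(3311, 3300), Thread(3312, 3300),
]
HANDLE_TABLE = [
    Handle(1040, "file", r"C:\Users\alice\report.docx"),
    Handle(3300, "file", r"C:\Windows\Temp\svc.log"),
    Handle(3300, "socket", "tcp/443"),
]
API_LISTING = ["ntoskrnl.exe", "hal.dll", "temp.txt"]
RAW_LISTING = ["ntoskrnl.exe", "hal.dll", "drv32.sys"]  # drv32.sys not shown by the API


if __name__ == "__main__":
    for pid, evidence in hidden_processes(VISIBLE_PIDS, SCHEDULER_THREADS, HANDLE_TABLE).items():
        print(f"candidate hidden process pid={pid}")
        for line in evidence:
            print("   ", line)
    print("file view differences:", hidden_files(API_LISTING, RAW_LISTING))
```

On a real machine the two views come from different sources (an API enumeration versus a kernel-memory or raw-volume read), and a difference is a lead to investigate from a clean boot medium, as Mokubai's answer suggests, rather than proof on its own.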

3

Viruses are pretty sophisticated nowadays. There can be a virus on your computer that does not show up in Task Manager. It is possible for Task Manager (and other parts of the operating system) to themselves be compromised, thus hiding the virus. For example, a rootkit.

If you're planning on relying on Task Manager to check for viruses, then you should stop now. Install an antivirus, and even an antivirus will sometimes fail to detect a virus on your PC.

Rsya Studios

Posted 2014-10-05T07:48:49.273

Reputation: 3 160

0

There is one more simple way to "hide a virus" apart from others already nicely explained in other answers:

A compromised DLL (dynamically linked library)

A great deal of programs - nearly all of the non-trivial ones - need one or more DLLs to run. Some belong to the OS itself (e.g. hal.dll, which abstracts hardware access for Windows), some are used by one program only, which is broken up into smaller pieces (one .exe file and more .dll files with core functionality, plugins etc.). You don't get your virus to run all the time like an ordinary process or service, but your virus will be very hard to find indeed, since it will look like a completely innocent program or program component.

Further reading: http://msitpros.com/?p=2012


And there is one thing very appealing about this sort of virus-making: there are tons of websites offering a free (requires no payment) download of DLLs which may for this or that reason go missing on your computer. Since the possibility to compare the checksums of the original and the new .dll file is very limited and almost nobody cares, the DLL viruses may enter and stay in the system for a long time unnoticed (unless, of course, an antivirus program detects them and the user agrees with deletion - you see the pattern already).

From the question I take it that we speak of Windows here, but this technique may very well apply to other OSes as well.

Pavel

Posted 2014-10-05T07:48:49.273

Reputation: 324
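Pavel's point that "almost nobody" compares checksums of a replaced DLL is the gap a file-integrity baseline closes. The Python below is an added example, not code from the thread: it records a SHA-256 per library while the machine is in a known-good state and later reports libraries that were modified, removed, or newly dropped in. To run offline it uses a constructed in-memory dictionary of path-to-bytes in place of the real filesystem; the paths and contents are invented sample data, and `hal.dll` appears only because Pavel's answer names it.

```python
"""File-integrity baseline for DLLs (added example, constructed data).

build_baseline() is run once on a trusted system; verify() is run later
from a trusted environment (ideally a clean boot medium, so a rootkit on
the installed OS cannot feed it filtered directory listings or file
contents). Both take a {path: bytes} mapping so the example runs offline;
on a real system that mapping would be produced by reading the files.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict) -> dict:
    """{path: sha256 hex} for every library in the known-good snapshot."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify(baseline: dict, current: dict) -> dict:
    """Compare the current snapshot with the baseline.

    modified:   same path, different content (a swapped or patched DLL)
    missing:    in the baseline, gone now
    unexpected: present now, never baselined (a dropped-in library)
    """
    report = {"modified": [], "missing": [], "unexpected": []}
    for path, expected in baseline.items():
        if path not in current:
            report["missing"].append(path)
        elif sha256_hex(current[path]) != expected:
            report["modified"].append(path)
    report["unexpected"] = [p for p in current if p not in baseline]
    for key in report:
        report[key].sort()
    return report


# Constructed sample "filesystem" snapshots (not real DLL contents).
GOOD_SNAPSHOT = {
    r"C:\Windows\System32\hal.dll": b"MZ\x90\x00 constructed sample of hal.dll",
    r"C:\Program Files\App\core.dll": b"MZ\x90\x00 constructed sample of core.dll",
    r"C:\Program Files\App\plugin.dll": b"MZ\x90\x00 constructed sample of plugin.dll",
}
# Later snapshot: core.dll replaced by a same-length file, plugin.dll gone,
# an unknown helper.dll appeared. A size check alone would miss core.dll.
LATER_SNAPSHOT = {
    r"C:\Windows\System32\hal.dll": b"MZ\x90\x00 constructed sample of hal.dll",
    r"C:\Program Files\App\core.dll": b"MZ\x90\x00 constructed sample of cOre.dll",
    r"C:\Program Files\App\helper.dll": b"MZ\x90\x00 constructed sample of helper.dll",
}


if __name__ == "__main__":
    baseline = build_baseline(GOOD_SNAPSHOT)
    for kind, paths in verify(baseline, LATER_SNAPSHOT).items():
        for path in paths:
            print(f"{kind:10s} {path}")
```

The baseline itself must be stored somewhere the infected system cannot rewrite (read-only media or another host), and the hash compares content rather than size or timestamp, both of which a replacement file can match. For Microsoft-signed libraries the Authenticode signature is an additional check (PowerShell's `Get-AuthenticodeSignature` cmdlet reports it), but a baseline is what catches a signed-but-different or unsigned file that was swapped in.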

0

TL;DR: Windows' Task Manager is pretty limited in what it can do, and it *will not ever show every process running on your system. Want proof? Count (roughly) the amount of RAM the processes shown in Task Manager are using, and compare it to the RAM usage of the system; you should have at least 100MB RAM unaccounted for, and sometimes it rises to around 1GB, depending on what you're using the system for. Graphics cards can also take some memory from the RAM along with its own GDDR RAM.*

To expand on Pavel Petman's answer, I might add that many sophisticated cheat engines for games rely on injecting code into game DLLs that enable their cheats.

This type of compromise is pretty hard to detect, and the same technique can be applied in this question. If, say, a virus wants to go undetected, it can pose as a Windows update of the type that extracts itself to the system directories, and the virus could overwrite a critical system file. Most antivirus programs will not detect this type of virus, meaning the virus can go ahead injecting the virus code into the critical Windows DLLs (and also .exes).

When a client of mine tells of unusual behaviour, I always run Process Explorer (download from Microsoft) to detect any virus running. Process Explorer can tell you exactly which processes are running (even the ones that aren't in Task Manager), and also what DLL modules they are using.

AStopher

Posted 2014-10-05T07:48:49.273

Reputation: 2 123