Spectre vs. Rakhni: How the New Variants Can Affect You
When news breaks of a new computer virus, it follows the news cycle of any other piece of gossip or worrisome fact. It breaks headlines, people freak out, a fix is generated, and the news falls to the wayside as life moves forward. But in recent years, we’ve seen something new occurring in the wild – we’re seeing viruses evolving beyond their initial conception, sometimes even adding new features and ways of functioning. Rakhni and Spectre are both examples of this, and it’s no surprise that they’ve made their way into headlines once more in 2018.
The traditional design of a computer virus in the past has been to design with a small footprint so that your virus could have the capability to run on even the slowest of machines, thus increasing the number of potential targets. With the rise of crypto currencies, we now see malware and viruses that use victim’s hardware to mine crypto currencies such as Bitcoin. When mining Bitcoin, the more powerful of a machine you are using, the faster your computer will mine the currency.
Rakhni, the name of the family of ransomware that has evolved into this new hybrid virus, was first discovered in 2013 by Kaspersky Labs. At the time, the virus only ransomed machines, but as crypto currency has evolved and grown over time, so too did Rakhni. The virus is distributed via email as a Microsoft Word file attachment. After opening, the user is prompted to save and enable editing. Within the Word doc is a PDF icon that when clicked launches a script in the background that checks to see if the system is a virtual machine and if it can be infected. If the checks pass, another series of checks are performed to determine if the virus will install ransomware or mining software.
The checks performed are looking specifically for a folder on the system called
%AppData%\Bitcoin. If this folder is present on the system, it will choose to execute the ransomware, as it assumes there’s money in your wallet. If the folder is absent, Rakhni will check the hardware of the system. If it finds at least two logical processors, it will decide to install a coin miner called MinerGate that mines for Monero/Monero Original and Dashcoin. If it finds that the system has only one logical processor, it will opt to spread itself as a worm over the local network to find other systems to infect.
When choosing to encrypt and ransom the system, RSA 1024 is used after Rakhni goes down a list of processes to shut down if found running on the host. When looking to spread across the local network, it runs
net view /all to look for network shares and other users as well. After logging any information it finds, it then references a log file of users and checks to see if their ‘Users’ folder is shared on the network. If it is, Rakhni will copy itself over to
\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup and the process begins anew on the next victim.
Spectre made headlines again with a fourth variant of the vulnerability showing up in May that affects Intel, AMD, ARM, as well as IBM processors. Spectre v1 used a vulnerability with branch misprediction, another flaw in processor architecture. The latest version, v4, exploits speculative store bypass. Normally, a processor reads and writes data instructions to and from memory. The destination in memory is known as the memory address. Because of multiple threads and cores now being used, sometimes two sets of instructions occupy the same memory address. A load-store queue buffer is used to store these instructions until they are called upon.
With speculative store bypass, a processor can take instructions that are out of order and determine if one set of instructions is dependent on any other sets of instructions present in the queue. By making this speculative guess, the processor can execute a set of instructions without knowing the address of the previous set of instructions. If a malicious attacker can load a set of malicious instructions prior to the speculation, the processor will execute them without a safety check because it’s trying to be efficient and prevent latency.
Just like the first version of Spectre, the current version affects hardware performance by disabling this feature in the processor. Patches are coming out in the form of firmware and bios updates for the hardware, and patched web browsers will cover things on the software side. There are also operating system patches available that should be applied as well. The unfortunate side of these vulnerabilities is that hardware performance takes a noticeable hit.
We've written a few blog posts about Spectre and how to tackle the vulnerability:
- Spectre variant 1 detection and remediation using static code analysis (Perforce Software)
- Meltdown and Spectre: How they work and how to patch
The following are external resources that give a deeper dive into the technicalities of both vulnerabilities:
- New Rakhni variant could infect systems with either a ransomware or a miner
- Updated Rakhni malware strain can be ransomware or a cryptominer
- Speculative Store Bypass explained: what it is, how it works
- Speculative Buffer Overflows: Attacks and Defenses
- Project Zero page for Spectre v4
- New Virus Decides If Your Computer Good for Mining or Ransomware