Stealthy malware that can sneak onto machines during the boot process and remain undetected indefinitely is one of the brass rings of security research. There have been a number of tools developed over the years that aimed to accomplish this goal, with Joanna Rutkowska’s Evil Maid attack being perhaps the most famous. Now a developer in Canada has produced a similar tool that impersonates the CHKDSK utility and can grab a user’s password and then exit without the user’s knowledge.
The utility is designed to look like the Windows CHKDSK tool, which looks for errors or problems with a hard disk before a machine boots. CHKDSK will execute if the system detects a logical error and then attempt to fix it, and anyone who’s been a Windows user for more than a year or two definitely has seen the utility pop up.
The Evil Maid CHKDSK utility written by Alex Weber is designed to load from a USB device and will present the user with a screen that looks just like the actual CHKDSK screen, saying that the tool is checking the volume on the C: drive for errors. The tool shows a message saying, “One of your drives needs to be checked for consistency. You must perform this check before rebooting.”
The tool then asks the user to enter his password, which is the hook. The actual CHKDSK utility doesn’t make this request. Once the user enters her password, the fake utility will write the password to the USB drive and then exit. Weber said in an email interview that the tool could be adapted to run on operating systems besides Windows.
“It makes use of standard PC BIOS interrupts and 16-bit real-mode assembly, which is I think supported by every x86/x86-64 PC out there. It doesn’t rely on (or even know about, truthfully) the operating system on the computer, so yes, it could target other operating systems with very little work. It basically comes down to changing the messages that the user sees,” Weber said.
Obviously, the attacker would need physical access to the victim’s machine in order to execute this attack. Weber said that he considers his utility a work in progress.
Security researchers–not to mention attackers and malware authors–have been working on various forms of stealthy, low-level malware such as bootkits for years now. The idea, of course, it to place the malware on the victim’s machine quietly and in such a privileged position on the PC that it will survive reboots and system reinstalls. This gives the attacker control of the machine at its most basic level and the ability to, for example, record user actions.
The Evil Maid attack implemented by Rutkowska in 2009 was designed to defeat the TrueCrypt full-disk encryption program in a manner similar to the one Weber’s utility uses. Booted from a USB drive, Rutkowska’s tool installs a small sniffer that waits for the user to enter his TrueCrypt passphrase, which it then records. The user would not see any indication that the attack had taken place. The tool is named Evil Maid in reference to a malicious hotel maid implementing it against an unsuspecting hotel guest.
Weber said his utility works silently, as well, but after the compromise there is an indication that something has happened.
“There is one very obvious indication of compromise that I haven’t found a solution to – Windows will ask the user to format the drive because the drive won’t contain a (valid) partition table. I don’t know of a way around that, but that’s why the code is on Github 🙂 Perhaps writing a bare-bones partition table to the drive along with the password would prevent that,” Weber said.
“I don’t think it’s a terribly useful tool until that’s resolved, but my main design goal was to only use the MBR [master boot record] – I literally used every single byte available.”