Few years ago, heard that 64 bit version of windows is more secure. Expert was told, 64-bit operating systems aren’t immune to malware but security features are stronger.
Address Space Layout Randomization – incorrect guess may result in the program crashing
Mandatory Driver Signing – prevents unsigned drivers provided by malware from running on the system
Kernel Patch Protection – prevents device drivers from patching the kernel
Data Execution Protection – DEP allows an operating system to mark certain areas of memory as “non-executable
It looks that above 4 items of feature capable to protect the OS system infected by malware. Recall cyber incident history, 1st version of the Stuxnet computer virus that was used to attack Iran’s nuclear program in November 2007, being developed as early as 2005, when Iran was still setting up its uranium enrichment facility. SCADA system compatible with windows 32 bit and 64 bit OS. SCADA manufacturer strongly recommend to use 64 Bit operating systems. The 32 Bit operating systems may be used for compatibility reasons within already existing configurations. Seems we can figure out hints of malware weakness. And speculate that Stuxnet virus infect the SCADA system are run on top of windows 32 bit operating system (OS) instead of 64 bits.
Descendant Of The Malware – embedded new DLL injection technique (reflective DLL injection)
A more sophisticated of DLL injection method, so called reflective DLL injection. It loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Conceptual diagram shown as below:
Above reflective loader function will find the following target:
- Process Environment Block (PEB) of the target process
- suitable CPU register
- the address in memory of kernel32.dll
- and other required libraries
Next step: Find the memory addresses of required API functions such as LoadLibraryA, GetProcAddress, and VirtualAlloc. Relies on these API functions to load the DLL (malware) into memory and call its DllMain entry point.
Remark: What is DllMain Entry point – An optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.
In the DllMain function, you can perform only a very limited set of actions. The thing is that some DLL may be not loaded yet, and you cannot call functions from them.
Does it mean that the 64-bit operating systems not easy to implant malware?
All applications except malware would use the standard main memory. The copy (shadow memory) is designed to be used by malware. Shell code might have difficulties to pass though parameters on shadow memory space. The fact is that there are differences between x86 and x64 operating system. The 64-bit addressing capability and a flat set of 16 64-bit registers for general use. If that “shadow space” on the stack was not allocated by the caller, the function may not work as expected.
Remark: In 64 bit OS environment, the allocates pages in the shadow region on demand. That is only when page contains tag information. As every byte of tracked program data need four more bytes for its tag, part of the physical memory footprint of a process increase by a factor of four.
Believe that nuclear power facility still have 32 bit SCADA application in operation. But no harm to keep, the fact is that even though you upgrade to 64 bit OS. It is hard to guarantee you can avoid malware silently implant to your environment.
Below url is the malware attack nuclear power facilities historical information for your reference.