New virus attacks AMD processors

Security researchers at Symantec have discovered a new proof of concept virus that targets processors AMD rather than operating systems. The worm comes in two versions, targeting 32-bit and 64-bit processors from AMD. Symantec refers to the online pests as w32.bounds and w64.bounds. Because it involves proof of concept code, both viruses are rated as low level threats.

Although at this point it concerns harmless proof of concept code, the virus could be used as a starting point for creating malware that affects computers regardless of the operating system that they run, cautioned Vincent Weafer, senior director of Symantec’s Security Response Group.

“If I can get to the processor level, potentially I can really start tying myself into the core hardware. I can potentially evade some of the kernel protection and user protection. There is an attraction to virus writers to get to the lowest level possible,”.

“Once it runs, I’ve got pretty low level access to that system and I could do pretty well anything that I would want to do.”

But there is a big down side because different processors speak what essentially could be seen as different Operating Code (opcode) languages.

“Typically, going down to the opcode level is not effective, because there are too many variants out there and you end up working on not too many machines, ” said Weafer.

The logical next step would therefore be to combine the 32-bit and 64-bit versions of the malware to create a single virus that can target both chip families. Weafer added that this is easier to do for AMD processors than for 32- and 64-bit Intel chips because the two AMD families are more similar than the Intel ones.

“The author’s intent is really proof of concept, to show that his virus can work and be difficult to detect across multiple processor families. He’s showing his technical competence. But you would not use this technique if you wanted to get a pandemic. You would not use this technique unless it was for a very targeted attack or an academic attack.”

The w32.bounds and w64.bounds viruses infect systems by tying themselves to Windows executable files, which disqualifies them as so-called chip level threats. They do however employ elements of such attacks by showing an ability to executive chip level assembly code.

The last large scale outbreak of a chip level threat dates back to 1998. The CIH/Chernobyl then embedded itself into the flash-BIOS of several million computers and on the 13th anniversary of the nuclear disaster in the city destroyed all data. Chernobyl originated in South Korea, where it was estimated to cause $250m in damages.

Chip level threats are rare today. Viruses targeting operating systems are easier to design and the market dominance of the Windows operating system provides virus writers with a rich hunting ground.—-Thanks to Tom Sander for this information

2 comments so far

  1. markofando on

    Want to start your private office arms race right now?

    I just got my own USB rocket launcher 🙂 Awsome thing.

    Plug into your computer and you got a remote controlled office missile launcher with 360 degrees horizontal and 45 degree vertival rotation with a range of more than 6 meters – which gives you a coverage of 113 square meters round your workplace.
    You can get the gadget here:

    Check out the video they have on the page.


    Marko Fando

  2. PetKeeceTab on

    There’s one special secret Sale link on Amazon:

    This is open every Friday and ONLY on Fridays!

    You can find very good discounts here, although some Fridays you can really get
    lucky and make off like an Amazon bandit – I´ve seen discounts there as low as 75%
    off sticker Price.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: