Random question

Morororo

I randomly thought, if a hacker can turn an application into malware (spyware, virus, etc.), is it possible to turn an OS like Windows into some sort of malware? And if it's possible, can antivirus or anti-malware detect it?

So if your computer is installed with the OS, you can't detect it and the hacker can just get all your data?

10 minutes ago, Morororo said:

So if your computer is installed with the OS, you can't detect it and the hacker can just get all your data?

By definition an OS has full control over your computer. It can do things even an administrator can't do. So it is hard to protect yourself against an operating system that is malicious (e.g. encrypts your data and demands a ransom?). It would be a lot easier for the OS to do this stuff, since it doesn't even have to escalate privileges or exploit security flaws. It is the one enforcing them in the first place.

It would be fairly difficult for anti-malware to protect you, since it has to use APIs provided by the OS to be installed and run. So in a sense your anti-malware would have to be the one to exploit flaws in the OS to install itself and then e.g. disable malicious functions baked into the OS.

Remember to either quote or @mention others, so they are notified of your reply

39 minutes ago, Morororo said:

I randomly thought, if a hacker can turn an application into malware (spyware, virus, etc.), is it possible to turn an OS like Windows into some sort of malware? And if it's possible, can antivirus or anti-malware detect it?

Sure, for example there are some pirated versions of Windows out there that have malware built into them. You install the OS and you're already infected.

It depends on whether the antivirus has definitions for the specific malware. But if the malware is just infecting the OS level, then yes, the antivirus can detect it and possibly remove it. (Again, assuming it has the definitions for the specific malware.)

Now the really scary stuff is firmware infections, like stuff that can infect the motherboard BIOS or the firmware on hard drives, network cards, etc. That probably won't get detected by an AV. But those are very rare and usually only seen in very targeted attacks between nation states or in corporate espionage.

Ahh, @Eigenvektor brings up a good point: OS-level malware could hide itself from the AV because it can tell the OS to lie to the AV software about what it is doing, as the AV software needs to rely on the OS to perform its functions. But one way around this would be to boot into a live CD and perform the AV scans from there. This way the AV software is using the live CD OS and not the main infected OS.

21 minutes ago, Catsrules said:

Ahh, @Eigenvektor brings up a good point: OS-level malware could hide itself from the AV because it can tell the OS to lie to the AV software about what it is doing, as the AV software needs to rely on the OS to perform its functions. But one way around this would be to boot into a live CD and perform the AV scans from there. This way the AV software is using the live CD OS and not the main infected OS.

Right. I was mainly thinking about a modified OS where the malicious part is built right into the kernel itself. The only way to disinfect would essentially be a re-installation, since the OS itself is the malware. So it wouldn't really be possible to "disinfect" it. And it would be fairly hard to detect, since the OS could lie about anything it is doing.

For example, you could make it so the OS simply sends everything stored on its hard drive somewhere else for analysis. As you said, this is probably not something you'd do to random users; it's more of a targeted attack, e.g. espionage.

If this isn't caught before installation (e.g. incorrect signature of installer files), the best bet for detection would be suspicious network traffic caused by such a machine.

Remember to either quote or @mention others, so they are notified of your reply
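One way to act on that last point, as an added example that is not from this thread: score each host's daily outbound volume against its own baseline using flow summaries collected by a network sensor, so the check never relies on what the suspect OS reports about itself. Host names, day numbers and byte counts below are constructed.

```python
"""Flag hosts whose outbound traffic deviates sharply from their own baseline.

Constructed example: flow records are summarised per host per day, as a network
sensor (not the possibly-compromised host) would see them.
"""
from collections import defaultdict
from statistics import median

# Constructed flow summaries: (host, day, bytes_out). Not real data.
FLOWS = [
    ("ws-01", 1, 120_000_000), ("ws-01", 2, 95_000_000), ("ws-01", 3, 130_000_000),
    ("ws-01", 4, 110_000_000), ("ws-01", 5, 105_000_000), ("ws-01", 6, 9_800_000_000),
    ("ws-02", 1, 60_000_000), ("ws-02", 2, 70_000_000), ("ws-02", 3, 55_000_000),
    ("ws-02", 4, 65_000_000), ("ws-02", 5, 80_000_000), ("ws-02", 6, 72_000_000),
]


def daily_egress(flows):
    """Aggregate outbound bytes per host per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for host, day, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def robust_zscore(value, history):
    """Median/MAD based z-score; one huge day in the baseline cannot mask itself."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return (value - med) / (1.4826 * mad)


def flag_egress_anomalies(flows, day, baseline_days, threshold=5.0):
    """Return {host: z} for hosts whose outbound volume on `day` is far above baseline."""
    totals = daily_egress(flows)
    flagged = {}
    for host, per_day in totals.items():
        history = [per_day[d] for d in baseline_days if d in per_day]
        if len(history) < 3 or day not in per_day:
            continue  # too little history to judge this host
        z = robust_zscore(per_day[day], history)
        if z > threshold:
            flagged[host] = round(z, 1)
    return flagged


if __name__ == "__main__":
    # ws-01 pushes ~100x its usual volume on day 6; ws-02 stays within its norm.
    print(flag_egress_anomalies(FLOWS, day=6, baseline_days=range(1, 6)))
```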

Wow, this is scary and interesting at the same time XD. Thanks guys for the answer.
