Hiding a Rootkit In System Management Mode
Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode, a longtime feature of x86 architecture that allows for code to run in a locked part of memory. It is said to be harder to detect, potentially, than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread exploitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."
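The "locked part of memory" is SMRAM, and whether it is really locked against the running OS is a chipset setting a defender can check. The script below is an added example, not from the article or this thread; it decodes the Intel host bridge's SMRAMC register from PCI config space on Linux, assuming the register sits at offset 0x9D (true for older Intel chipsets; newer generations place it elsewhere, so confirm against the datasheet for your platform).

```python
# Added example: check whether SMRAM is locked down on an Intel host bridge.
# Assumption: SMRAMC is at config offset 0x9D of bus 0, device 0, function 0
# (older Intel chipsets); adjust SMRAMC_OFFSET for other generations.
import sys

SMRAMC_OFFSET = 0x9D                                   # assumption, see above
PCI_CONFIG = "/sys/bus/pci/devices/0000:00:00.0/config"

# SMRAMC bit layout (Intel host-bridge datasheets)
D_OPEN = 1 << 6     # 1 = SMRAM readable/writable outside SMM (should be 0)
D_CLS = 1 << 5      # 1 = code fetches from SMRAM outside SMM are blocked
D_LCK = 1 << 4      # 1 = D_OPEN/base are frozen until the next reset
G_SMRAME = 1 << 3   # 1 = SMRAM enabled

def decode_smramc(value: int) -> dict:
    """Decode one SMRAMC byte and add a 'locked' verdict."""
    flags = {
        "d_open": bool(value & D_OPEN),
        "d_cls": bool(value & D_CLS),
        "d_lck": bool(value & D_LCK),
        "g_smrame": bool(value & G_SMRAME),
        "c_base_seg": value & 0x7,
    }
    # Locked down = SMRAM enabled, lock bit set, and not opened to the OS.
    flags["locked"] = flags["g_smrame"] and flags["d_lck"] and not flags["d_open"]
    return flags

def read_smramc(path: str = PCI_CONFIG, offset: int = SMRAMC_OFFSET) -> int:
    """Read the SMRAMC byte from sysfs (needs root to see the full config space)."""
    with open(path, "rb") as f:
        f.seek(offset)
        return f.read(1)[0]

if __name__ == "__main__":
    try:
        value = read_smramc()
    except OSError as err:
        # Constructed sample value (enabled + locked) when no hardware access.
        print(f"cannot read config space ({err}); using constructed sample", file=sys.stderr)
        value = G_SMRAME | D_LCK
    decoded = decode_smramc(value)
    print(f"SMRAMC=0x{value:02x} {decoded}")
    print("SMRAM locked:", decoded["locked"])
```

An unlocked SMRAMC (D_LCK clear, or D_OPEN set) means any kernel-level code could alter the SMM handler, which is the condition a firmware-integrity check should flag.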
oooooh scary (Score:5, Insightful)
Looks like an argument for openness to me... (Score:4, Insightful)
Invisible to anti-virus? (Score:3, Insightful)
Re:Looks like an argument for openness to me... (Score:3, Insightful)
The second problem is that there is no "administrator", at least no qualified one, for most of the home computers in the world. Windows needs some administration, arguably more administration than it gets. Linux can't operate without administration either; it can be less frequent, but it requires more knowledge.
Re:oooooh scary (Score:4, Insightful)
Re:LiveCD (Score:4, Insightful)
It's time to look at the Intel vPro(TM) tech that enables this. Look for demo videos online. The level in the BIOS enables remotely powering up machines to push OS updates, remotely booting and repairing crashed/unbootable Windows machines, etc. This protected level of stuff is beyond the OS and even the power switch. If it can remotely boot an unbootable, corrupt Windows partition, write fixes to it and boot it up, there just isn't much that a Live CD can hide. Your best bet is to use your own known hardware. Turn off the remote management stuff unless your employer is using it. If the employer is using it, their top-level management should be able to detect alterations to the protected area.
Re:IPMI Card Vulnerabilities (Score:4, Insightful)