
Hiding a Rootkit In System Management Mode

Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode (SMM), a longtime feature of the x86 architecture in which code executes from SMRAM, a region of memory the chipset can lock away from the operating system and from any hypervisor running above it. It is said to be potentially harder to detect than VM-based rootkits. On chipsets where firmware sets the SMRAM lock bit at boot, SMRAM cannot be rewritten until the next reset, so planting such a rootkit requires either firmware that leaves SMRAM unlocked or a flaw in the existing SMI handlers. The article notes that the technique is unlikely to lead to widespread exploitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."
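The one check a practitioner can run today against the scenario above is whether SMRAM is actually locked on the machine in front of them. The following is an added example, not code from the PC World article, the researchers or this thread. It assumes the SMRAM Control register (SMRAMC) layout published in Intel memory-controller-hub datasheets of that era (bit 6 D_OPEN, bit 4 D_LCK, bit 3 G_SMRAME), at PCI config offset 0x9D of the host bridge at 0000:00:00.0; other chipsets put it elsewhere, so verify the offset against your datasheet before trusting the result. Reading config space past offset 0x40 through sysfs requires root on Linux.

```c
/* Added example (not from the article or the thread): decode Intel SMRAMC and
 * report whether the SMI handler in SMRAM is writable from ring 0.
 *
 * Assumed register layout (Intel MCH datasheets, e.g. 945/Q35 generation):
 *   bit 6 D_OPEN   - SMRAM visible outside SMM (debug/open)
 *   bit 5 D_CLS    - SMRAM data accesses go to PCI instead of DRAM
 *   bit 4 D_LCK    - lock: once set, the hardware clears D_OPEN and the
 *                    register is read-only until reset
 *   bit 3 G_SMRAME - compatible SMRAM (A0000h-BFFFFh) enabled
 * Offset 0x9D on host bridge 0000:00:00.0 is likewise an assumption.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SMRAMC_OFFSET   0x9DL
#define SMRAMC_D_OPEN   (1u << 6)
#define SMRAMC_D_CLS    (1u << 5)
#define SMRAMC_D_LCK    (1u << 4)
#define SMRAMC_G_SMRAME (1u << 3)

struct smramc_state {
    int enabled; /* G_SMRAME set */
    int open;    /* D_OPEN set: SMRAM readable/writable outside SMM */
    int locked;  /* D_LCK set: configuration frozen until reset */
    int secure;  /* enabled, locked and not open */
};

/* Pure decoder so the logic can be exercised without hardware access. */
struct smramc_state decode_smramc(uint8_t reg)
{
    struct smramc_state s;
    s.enabled = (reg & SMRAMC_G_SMRAME) != 0;
    s.open    = (reg & SMRAMC_D_OPEN) != 0;
    s.locked  = (reg & SMRAMC_D_LCK) != 0;
    /* With D_LCK clear, any ring-0 code can set D_OPEN, read the SMI
     * handler, patch it, and clear D_OPEN again: exactly the foothold an
     * SMM rootkit needs. Only a locked, closed, enabled SMRAM is safe. */
    s.secure  = s.enabled && s.locked && !s.open;
    return s;
}

/* Read one byte of PCI config space via sysfs. Returns 0 on success,
 * -1 on failure with errno set by the failing libc call. */
int read_pci_config_byte(const char *sysfs_path, long offset, uint8_t *out)
{
    FILE *f = fopen(sysfs_path, "rb");
    if (!f)
        return -1;
    if (fseek(f, offset, SEEK_SET) != 0 || fread(out, 1, 1, f) != 1) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return 0;
}

int main(void)
{
    const char *path = "/sys/bus/pci/devices/0000:00:00.0/config";
    uint8_t reg;

    if (read_pci_config_byte(path, SMRAMC_OFFSET, &reg) != 0) {
        fprintf(stderr, "cannot read %s offset 0x%lx: %s (root needed?)\n",
                path, SMRAMC_OFFSET, strerror(errno));
        return 1;
    }
    struct smramc_state s = decode_smramc(reg);
    printf("SMRAMC=0x%02x G_SMRAME=%d D_OPEN=%d D_LCK=%d -> %s\n",
           reg, s.enabled, s.open, s.locked,
           s.secure ? "SMRAM locked"
                    : "SMRAM NOT locked: SMI handler writable from ring 0");
    return s.secure ? 0 : 2;
}
```

Exit status 2 means the firmware left SMRAM unlocked and the rootkit described above could be installed by any kernel-mode code; exit status 0 means an attacker would need a bug in the SMI handlers themselves rather than a simple write.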
  • oooooh scary (Score:5, Insightful)

    by ILuvRamen ( 1026668 ) on Sunday May 11, 2008 @07:18PM (#23372560)
    Oh boy, I love ridiculously overly dramatic BS! Yes it's very easy for it to hide there and for there to be basically no signs that it's there. OMG everyone run for the hills! Oh wait, malware doesn't just sit there, it does stuff. It runs threads, it reads from and writes files on the hard drive, and it has to at some point send some sort of data over the internet or local network. So yeah, no virus can hide and still cause damage and spread while remaining undetected.
  • by fuzzyfuzzyfungus ( 1223518 ) on Sunday May 11, 2008 @08:01PM (#23372784) Journal
    Obviously I don't like hearing about nasty, or potentially nasty, vulnerabilities in common systems; but these sorts of situations do seem like an argument for more openness in computer systems, right down to the dark, embedded corners. Particularly with these dark, embedded corners taking on more and more functions. If you can pull stuff like this with the BIOS, I hate to think what a full EFI setup could be doing (particularly if the OEM enthusiasm for shittastic bundleware reaches that level of the system). Time and again, we see that we cannot trust what we cannot verify.
  • by DigitAl56K ( 805623 ) on Sunday May 11, 2008 @08:17PM (#23372874)
    The problem with the "invisible to antivirus" argument is that it assumes the system is pre-infected. To root a remote system you need to get the code onto the system and execute the software that puts it in SMM, and during that process any anti-virus is able to inspect it. The question is will the anti-virus heuristics or signature-based methods actually catch it?
  • by cdrguru ( 88047 ) on Sunday May 11, 2008 @09:12PM (#23373246) Homepage
    The problem is, you would like to turn the "personal computer" into something that needs attention and continual review and updating. What 99% of the world wants is an email appliance that they can download the latest neat stuff on. We need to move to more of an appliance that needs less, not more administration.

    The second problem is that there is no "administrator", at least no qualified one for most of the home computers in the world. Windows needs some administration, arguably more administration than it gets. Linux can't operate without administration although it can be less frequent but requires more knowledge.
  • Re:oooooh scary (Score:4, Insightful)

    by ILuvRamen ( 1026668 ) on Sunday May 11, 2008 @10:59PM (#23373908)
    LEARN HOW TO READ! All I said was this particular gloom and doom bullshit is overstated and shouldn't be as feared as they're making it sound. Where the hell did you get "all viruses aren't dangerous" out of that? All I'm saying is every virus can be detected. All these new "unstoppable supervirus: we're all gonna die!" articles are idiotic and wrong.
  • Re:LiveCD (Score:4, Insightful)

    by Technician ( 215283 ) on Monday May 12, 2008 @12:13AM (#23374386)
    and I know that it doesn't solve ALL of the problems but it has to eliminate enough problems to be a viable solution.

    It's time to look at the Intel vPro(tm) tech that enables this. Look for demo videos online. The level in the BIOS enables remotely powering up machines to push OS updates, remote booting to repair crashed/unbootable Windows machines, etc. This protected level of stuff is beyond the OS and even the power switch. IF it can remote boot an unbootable corrupt Windows partition, write fixes to it and boot it up, there just isn't much that a Live CD can hide. Your best bet is to use your own known hardware. Turn off the remote management stuff unless your employer is using it. If the employer is using it, their top level management should be able to detect alterations to the protected area.
  • by netcrusher88 ( 743318 ) * <netcrusher88@NosPaM.gmail.com> on Monday May 12, 2008 @04:47AM (#23375530)
    Yes, but presumably you don't let the entire world get on your DC network. If only trusted people access vulnerable systems, the vulnerabilities are less significant. Yes they're still there, and yes there's still a risk, but what would the cost be of replacing or reprogramming all the IPMI cards? Security is all about risk/reward, except with a few more variables. If your demonstrable risk is minimal, the reward to reduce or eliminate it will also be minimal. If the cost outweighs the benefit, it's just bad business. Even if it is a good idea.