Hiding a Rootkit In System Management Mode
Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode, a longtime feature of the x86 architecture that allows code to run in a locked part of memory. It is said to be potentially harder to detect than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread exploitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."
LiveCD (Score:2, Interesting)
I do all my internet banking via FreeSBIE now - yes it takes a veeeeery long time to boot, and I know that it doesn't solve ALL of the problems but it has to eliminate enough problems to be a viable solution.
Agree / disagree?
There could be something to this (Score:4, Interesting)
It seems to me that this would be exactly the sort of thing you'd look for. Military machines are specced very precisely, you'd know exactly what hardware was on the system so drivers wouldn't be much of an issue.
All you'd have to do is sneak your code in here once, and the timebomb would be ticking for when you want to activate it. Yeah, it wouldn't be easy to get it on there, but it means breaking through once allows you to lay a trap for another time. That sounds pretty serious to me.
IPMI Card Vulnerabilities (Score:4, Interesting)
What about vulnerabilities in onboard IPMI [wikipedia.org] cards? Our new servers have ARM-based cards running Linux. The built-in HTTP server is vulnerable to a widely-known buffer overflow:
landonf@ahost:~> telnet XXX.XXX.XXX.XXX 80
Trying XXX.XXX.XXX.XXX...
Connected to XXX.XXX.XXX.XXX.
Escape character is '^]'.
GET
Connection closed by foreign host.
landonf@timor:~> telnet XXX.XXX.XXX.XXX 80
Trying XXX.XXX.XXX.XXX...
telnet: connect to address XXX.XXX.XXX.XXX: Connection refused
Seems like a recipe for compromised data centers, to me. Re-imaging a machine won't touch the IPMI card.
How specific of a target? (Score:4, Interesting)
TFS says the code must be specifically targeted to a particular machine which, on a PC, means a very big challenge.
On a Mac, however, you could easily target a very large number of people using only a very small number of hardware variations. Could this exploit be better suited to Macs than PCs? On the other hand, it also seems like it would be equally easier to detect the problem, since your algorithm can be fairly specific (both in terms of Macs and PCs), since the code needed to exploit would be rather specific.
Re:oooooh scary (Score:4, Interesting)
You can even have it trigger on the first BIOS calls of the windows bootloader so that you can easily overwrite the SMM memory regions in a nice and portable way.
Re:There could be something to this (Score:2, Interesting)
They were using eBay to track down replacements.
Re:Invisible to anti-virus? (Score:3, Interesting)
Malware writers ain't dumb. They know they are the offensive player in that game and they use that advantage.