Rootkit In a Network Card Demonstrated
KindMind notes coverage in The Register on a researcher who has developed a firmware-based rootkit that resides in a network card. Here is the developer's blog entry. "Guillaume Delugré, a reverse engineer at French security firm Sogeti ESEC, was able to develop proof-of-concept code after studying the firmware from Broadcom Ethernet NetExtreme PCI Ethernet cards... Using the knowledge gained from this process, Delugré was able to develop custom firmware code and flash the device so that his proof-of-concept code ran on the CPU of the network card."
Need hardware IOMMU (Score:5, Interesting)
"An attacker would then be able to communicate remotely with the rootkit in the network card and get access to the underlying operating system thanks to DMA."
Not if the CPU had IOMMU hardware that was configured to only allow the network card to write to the proper memory area.
However, this still would not protect against the network card forging data, manipulating packets before passing them to the OS, for example manipulating packets to be malformed so as to exploit an OS security vulnerability, emitting packets the OS did not generate (such as ICMP pings, or other packets for a hardware-based DDoS emitted without assistance from the host OS), or connecting to a P2P network of compromised NICs to form a spam-sending botnet, without host involvement.
The possibility also exists of capturing packets crossing the NIC and forwarding samples to an outside address, or manipulating aspects of packets to create an "open proxy" the host does not know about, enabling IP spoofing, cache poisoning, or opening other vulnerabilities that don't require manipulation of the host itself.
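The comment above rests on two points a defender can actually check: whether the platform's IOMMU is active at all, and whether it is in translated mode (per-device DMA windows) rather than passthrough mode (identity mapping, which restricts nothing). The script below is an added example, not from the post or from the research it discusses. It evaluates the state from kernel log lines and the kernel command line; the sample log lines are constructed to mirror the wording printed by the Linux DMAR, AMD-Vi and iommu core code, and the `assess_live_host` helper is an assumed convenience wrapper that simply runs `dmesg` and reads `/proc/cmdline` on a real host.

```python
import re
import subprocess

# Constructed sample kernel log lines (not captured from any real host). They mirror
# the messages the Linux DMAR / AMD-Vi / iommu core emit at boot.
SAMPLE_DMESG_TRANSLATED = [
    "[    0.012345] DMAR: IOMMU enabled",
    "[    0.456789] DMAR-IR: Enabled IRQ remapping in x2apic mode",
    "[    1.234567] iommu: Default domain type: Translated",
    "[    1.250000] pci 0000:03:00.0: Adding to iommu group 12",
]
SAMPLE_DMESG_PASSTHROUGH = [
    "[    0.012345] DMAR: IOMMU enabled",
    "[    1.234567] iommu: Default domain type: Passthrough (set via kernel command line)",
    "[    1.250000] pci 0000:03:00.0: Adding to iommu group 12",
]
SAMPLE_DMESG_NONE = [
    "[    0.010000] Linux version 5.15.0 (constructed sample line)",
]

# Markers that the hardware IOMMU was found and brought up.
HW_ACTIVE_PATTERNS = (
    re.compile(r"DMAR: IOMMU enabled"),
    re.compile(r"AMD-Vi: .*(loaded and initialized|IOMMU.*enabled)"),
)
DEFAULT_DOMAIN_RE = re.compile(r"iommu: Default domain type: (Translated|Passthrough)")
GROUP_RE = re.compile(r"Adding to iommu group (\d+)")


def parse_cmdline(cmdline):
    """Pull the IOMMU-relevant boot parameters out of a kernel command line."""
    tokens = cmdline.split()
    return {
        "explicitly_off": any(t in ("intel_iommu=off", "amd_iommu=off") for t in tokens),
        # iommu=pt and iommu.passthrough=1 both request identity mapping, i.e. no DMA isolation.
        "passthrough_requested": any(t in ("iommu=pt", "iommu.passthrough=1") for t in tokens),
    }


def assess_iommu(dmesg_lines, cmdline):
    """Classify DMA protection as 'no-iommu', 'passthrough' or 'translated'."""
    hardware_active = any(p.search(line) for line in dmesg_lines for p in HW_ACTIVE_PATTERNS)
    default_domain = None
    devices_in_groups = 0
    for line in dmesg_lines:
        m = DEFAULT_DOMAIN_RE.search(line)
        if m:
            default_domain = m.group(1)
        if GROUP_RE.search(line):
            devices_in_groups += 1
    flags = parse_cmdline(cmdline)

    if not hardware_active or flags["explicitly_off"]:
        verdict = "no-iommu"          # the NIC can DMA anywhere in physical memory
    elif default_domain == "Passthrough" or (default_domain is None and flags["passthrough_requested"]):
        verdict = "passthrough"       # IOMMU is up but identity-mapped: no isolation
    else:
        verdict = "translated"        # each device group gets its own DMA window

    return {
        "hardware_active": hardware_active,
        "default_domain": default_domain,
        "passthrough_requested": flags["passthrough_requested"],
        "devices_in_groups": devices_in_groups,
        "verdict": verdict,
    }


def assess_live_host():
    """Assumed convenience wrapper: run on a Linux host (dmesg usually needs root)."""
    log = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout.splitlines()
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    return assess_iommu(log, cmdline)


if __name__ == "__main__":
    for name, lines, cmd in (
        ("translated", SAMPLE_DMESG_TRANSLATED, "BOOT_IMAGE=/vmlinuz intel_iommu=on"),
        ("passthrough", SAMPLE_DMESG_PASSTHROUGH, "BOOT_IMAGE=/vmlinuz intel_iommu=on iommu=pt"),
        ("none", SAMPLE_DMESG_NONE, "BOOT_IMAGE=/vmlinuz quiet"),
    ):
        print(name, assess_iommu(lines, cmd))
```

Only the `translated` verdict corresponds to the protection the comment describes, and even then it is per IOMMU group: a NIC that shares a group with other devices can still reach their DMA window, and none of this addresses the packet-level tampering the comment goes on to list.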
I wonder about the next gen of attacks... (Score:5, Interesting)
I'm sure people are familiar with LoJack for Laptops, where either due to a hook in BIOS (Dells and HPs have an option that will reinstall the LoJack software even if the BIOS is reflashed and all disks are zapped) or other means it gets loaded.
I can see this happening with malware, especially on a NIC with DMA access. Even if a machine is completely DBAN-ed, the botnet client will silently reinstall itself. As more devices (keyboards and such) have ROMs that can be flashed, we will see more and more devices have this avenue for compromise.
How to fix? The obvious fix would be signing the flash BIOS, but this completely locks out homebrewers wanting to do something different. Another fix would be having the flash process be offline, such as only through a USB port with a USB flash drive. However, NICs won't have USB ports present. Still another possible avenue would be a slot for a MicroSD card, but that adds complexity to the device. So, this isn't something easy to deal with. The only thing that might come close would be a DIP switch toggle to allow for unsigned images to be flashed (which is shipped off), and all updates signed.
Re:Need hardware IOMMU (Score:2, Interesting)
Yes, but wouldn't the network card's limited hardware be a problem? I mean if you want to make a spam bot / P2P, etc., the code+data will have to fit in whatever RAM or EEPROM capacity the network card has.
He Is A Reverse Engineer (Score:2, Interesting)
BIOS boot process is also vulnerable... (Score:3, Interesting)
I recall this article [ksplice.com] that hypothetically starts by using the BIOS extension ROM function to hook into GRUB and modify it, then the modified GRUB loads and patches the kernel to host a rootkit, then runs that.
So instead of a smart peripheral with onboard processor and firmware, the dumb ones are affected as well (which only requires the BIOS extension ROM interface).
Even though BIOS is on its way out (we can't MBR-boot >2TiB drives anymore, so we have to use GPT) and EFI is on its way in, we're still stuck because EFI has similar features. Apple's video cards for Mac Pros have both BIOS extension ROMs and EFI ROMs.
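The post above points out that a single card can carry both a legacy BIOS expansion ROM and an EFI image. An inventory of what executable images a card actually ships is a reasonable defensive first step, and the PCI expansion ROM format makes that easy: each image starts with the bytes 55 AA, carries a pointer at offset 0x18 to a "PCIR" data structure, and that structure records the image length, a code type (0x00 = x86 legacy BIOS, 0x03 = EFI) and a "last image" flag. The parser below is an added example, not code from the post or from the ksplice article it cites. `build_sample_rom` constructs a synthetic two-image ROM so the parser can be exercised offline; the device ID in it is a placeholder, and `read_rom_from_sysfs` is an assumed helper for reading a real card's ROM through the Linux sysfs `rom` attribute.

```python
import struct

# PCI Data Structure ("PCIR") layout, little-endian, 0x18 bytes:
# sig, vendor, device, vpd/devlist ptr, struct len, struct rev, class code (3 bytes),
# image length (512-byte units), code revision, code type, indicator, reserved.
PCIR_FMT = "<4sHHHHB3sHHBBH"
PCIR_LEN = struct.calcsize(PCIR_FMT)  # 0x18
CODE_TYPES = {0x00: "x86 legacy BIOS", 0x01: "Open Firmware", 0x02: "HP PA-RISC", 0x03: "EFI"}


def build_sample_rom():
    """Constructed sample: a legacy BIOS image followed by an EFI image, 1 KiB each."""
    blob = bytearray()
    for code_type, last in ((0x00, False), (0x03, True)):
        units = 2                                   # 2 * 512 bytes
        img = bytearray(units * 512)
        img[0:2] = b"\x55\xAA"                      # ROM image signature
        img[2] = units                              # legacy size byte (x86 images)
        pcir_off = 0x1C                             # place PCIR right after the header
        struct.pack_into("<H", img, 0x18, pcir_off)  # pointer to PCIR
        struct.pack_into(PCIR_FMT, img, pcir_off,
                         b"PCIR", 0x14E4, 0x0000,  # vendor 0x14E4 is Broadcom; device ID is a placeholder
                         0, PCIR_LEN, 3,
                         b"\x00\x00\x02",          # class code: prog-if, subclass, base (0x02 = network)
                         units, 1, code_type,
                         0x80 if last else 0x00,   # bit 7 of the indicator marks the last image
                         0)
        blob += img
    return bytes(blob)


def parse_option_rom(blob):
    """Walk the image chain and return one dict per image; raises on a malformed ROM."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != b"\x55\xAA":
            raise ValueError(f"no 55AA signature at offset {off:#x}")
        pcir_ptr = struct.unpack_from("<H", blob, off + 0x18)[0]
        p = off + pcir_ptr
        if blob[p:p + 4] != b"PCIR":
            raise ValueError(f"no PCIR structure at offset {p:#x}")
        (_sig, vendor, device, _vpd, _plen, _prev, class_code,
         img_units, code_rev, code_type, indicator, _res) = struct.unpack_from(PCIR_FMT, blob, p)
        size = img_units * 512
        if size == 0 or off + size > len(blob):
            raise ValueError(f"image at {off:#x} claims {size} bytes, ROM has {len(blob)}")
        images.append({
            "offset": off,
            "size": size,
            "vendor_id": vendor,
            "device_id": device,
            "base_class": class_code[2],
            "code_type": CODE_TYPES.get(code_type, f"unknown ({code_type:#x})"),
            "code_revision": code_rev,
            "last": bool(indicator & 0x80),
        })
        off += size
        if indicator & 0x80:
            break
    if not images or not images[-1]["last"]:
        raise ValueError("image chain does not terminate with a last-image indicator")
    return images


def code_types_present(blob):
    """Sorted list of distinct code types found, e.g. ['EFI', 'x86 legacy BIOS']."""
    return sorted({img["code_type"] for img in parse_option_rom(blob)})


def read_rom_from_sysfs(bdf):
    """Assumed helper for Linux: enable the sysfs rom attribute, read it, disable it again."""
    path = f"/sys/bus/pci/devices/{bdf}/rom"
    with open(path, "w") as f:
        f.write("1")
    try:
        with open(path, "rb") as f:
            return f.read()
    finally:
        with open(path, "w") as f:
            f.write("0")


if __name__ == "__main__":
    for img in parse_option_rom(build_sample_rom()):
        print(img)
```

The parser stops at the first image whose indicator byte has bit 7 set and refuses ROMs whose length fields run past the blob, so a truncated or corrupted dump is reported rather than silently half-parsed.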
Re:Scary (Score:3, Interesting)
Modded funny but should be informative.
No seriously - Dell Technical support will walk you through the most bizarre troubleshooting tips - and on the odd time it works.
One time we had a desktop that was bluescreening right after post - and would bluescreen if we tried to re-install Windows. It would bluescreen if we tried to get into the windows repair console.
After calling Dell, they simply made me go into the BIOS, switch it from AHCI to Serial ATA, reboot, go back into the BIOS, switch it back to AHCI, reboot, and it worked perfectly again, no reinstall needed, no chkdsk even.
I remember he explained it very very quickly using a lot of hard drive jargon that I'm not familiar with - and I was so flabbergasted that it just went completely over my head anyways.