Archive for January, 2006

Researchers say rootkits are headed for BIOS

Friday, January 27th, 2006

John Heasman, principal security consultant for UK-based Next-Generation Security Software, recently demonstrated at the Black Hat Federal conference in Amsterdam how rootkits are headed for the BIOS. In a number of demonstrations Heasman showed how to elevate privileges and read physical memory using malicious procedures that replaced normal functions stored in flash memory.

Researchers at the conference are divided as to how this sort of rootkit will progress. While rootkits that live in flash memory may well be written in the near future, their effectiveness may be reduced by the fact that many motherboards have their flash memory write-protected: when the rootkit attempts to write to the flash memory, it is stopped in its tracks.

While the effectiveness of BIOS rootkits seems small at the moment, one can imagine incidents where a motherboard's flash memory has had its write protection removed, or where a rootkit is installed in the manufacturing plant by a rogue employee. This sort of rootkit could also be installed by a trusted person at a large corporation who has the access needed to turn off the flash memory write protection by switching jumpers on the motherboard.

John Heasman's full demonstration, Implementing and Detecting an ACPI BIOS Rootkit, can be found here.

Keep Safe

regards
Steo
www.antirootkit.com

Microsoft Takes Another Anti-Rootkit Step

Tuesday, January 24th, 2006

eweek.com has reported that Microsoft have implemented tighter security measures in the 64-bit version of their new operating system, Vista. Kernel-mode drivers will be required to be digitally signed in order to load. Microsoft will require all drivers to have a PIC (Publisher Identity Certificate), which is based on a VeriSign certificate. This is an important step for Microsoft to take and will help to stop many rootkits from taking hold. It will not stop all rootkits from running, however, as a rootkit author may go and acquire a PIC for themselves, in which case the rootkit can be installed legitimately.
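As an added example of the kind of check the signing requirement makes possible (this is not code from the original post or from Microsoft), the PowerShell below lists the kernel-mode driver files under System32\drivers whose Authenticode signature does not verify, using the built-in Get-AuthenticodeSignature cmdlet. The driver directory path and the decision to flag anything whose status is not Valid are assumptions made for the example.

```powershell
# Added example, not part of the original post.
# Lists .sys files under System32\drivers whose Authenticode signature does not
# verify. Assumes the default Windows layout; run from an elevated PowerShell session.

function Get-UnverifiedDriver {
    param(
        # Assumed default location of kernel-mode driver files.
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )

    Get-ChildItem -Path $DriverDir -Filter *.sys -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Driver = $_.Name
                # Possible values include Valid, NotSigned, HashMismatch, UnknownError.
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Path   = $_.FullName
            }
        } |
        # Anything other than Valid deserves a closer look; a HashMismatch means the
        # file was changed after it was signed.
        Where-Object { $_.Status -ne 'Valid' } |
        Sort-Object Driver
}

# Usage: print a table of drivers whose signature did not verify.
Get-UnverifiedDriver | Format-Table Driver, Status, Signer -AutoSize
```

Many inbox Windows drivers are signed through a catalog file rather than with an embedded signature; recent PowerShell versions resolve catalog signatures, so a long list of NotSigned results on an older build usually reflects that limitation rather than tampering, whereas a HashMismatch on a single driver is the case worth investigating.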

This will not stop user-mode rootkits that do not need to hook into the kernel, although I'm sure Microsoft will have something up their sleeve with regard to users running malicious code in user land.

This is one good step that Microsoft are taking in the fight against rootkits. It shows that Microsoft are serious about rootkits, and I am sure that there will be other features in Vista that will make it rootkit-unfriendly.

Keep Safe

regards
Steo
www.antirootkit.com

Harder-to-Detect Oracle Rootkit on the Way

Monday, January 23rd, 2006

Alexander Kornbrust, of Red Database Security, has developed version 2.0 of an Oracle rootkit that was first unveiled towards the middle of 2005. He will be unveiling his new version at the Black Hat conference in Las Vegas in July 2006. Creating rootkits may seem like hacker activity, but Kornbrust has defended his creations by saying that they highlight the fact that rootkits do exist and can be used to compromise systems. The same thinking is behind rootkit.com, where developers can showcase rootkits that they have developed. Publicly displaying rootkits can show OS developers how their systems can be used to hide malicious code, and that they should be doing something to stop rootkits from getting into the operating system in the first place.

Companies like Oracle and Microsoft need to put mechanisms in place to stop hackers and malware authors from using their code to perform malicious activity. Until OS developers come up with a permanent solution, rootkits will continue to be used, and the vendors need to protect their users from the harm that rootkits can do.

Keep Safe

regards
Steo
www.antirootkit.com