Archive for the 'BIOS Rootkits' Category

Rootkits on your Soundcard? Could be!

Sunday, November 19th, 2006

John Heasman of Next Generation Security Software Ltd is well known for bringing us a research paper on how a rootkit could use the power management section of a BIOS to hide itself. That paper showed how rootkits could move away from residing on a user’s hard drive and onto a chip on the motherboard. John has now come up with a new research paper entitled “Implementing and Detecting a PCI Rootkit”, in which he shows how a rootkit can be planted on an ordinary device such as a sound card or modem plugged into a computer motherboard.

The research paper, available for download as a 15-page PDF, shows how to implement and detect a PCI card rootkit that works regardless of the operating system, XP or Linux to name but two.

PCI rootkits can reside on sound cards, modems, network cards, capture cards or any other PCI device that has an Expansion ROM and no Trusted Platform Module or ROM write protection. Most current PCI devices are susceptible to this form of rootkit infection, although newer models have some form of ROM protection.

PCI Capture Card

An attacker can place rootkit code in the Expansion ROM of any PCI device that has no ROM protection. When the PC boots, the code in the ROM is called by the PC startup sequence (POST, Power On Self Test). The code that runs can in turn be used to “fool” the booting operating system into believing there is no threat aboard.
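To make the boot-time mechanism concrete from the defender’s side, here is an added example (not code from Heasman’s paper or from antirootkit.com) that builds a constructed, minimal x86 PCI expansion ROM image, parses the 55AA header and the PCIR data structure the way POST does, and compares the image hash against a known-good baseline. The vendor and device IDs, the 0x40 PCIR offset and the baseline set are all made up for the demonstration.

```python
import hashlib
import struct
CODE_TYPES = {0: "x86", 1: "OpenFirmware", 2: "PA-RISC", 3: "EFI"}

def build_rom_image(vendor_id, device_id, blocks=2, code_type=0):
    """Construct a minimal x86 PCI expansion ROM image (test data, not a real device ROM)."""
    img = bytearray(blocks * 512)
    img[0:2] = b"\x55\xAA"                      # expansion ROM signature POST looks for
    img[2] = blocks                             # initialisation size in 512-byte units
    img[3] = 0xCB                               # entry point: RETF, i.e. do-nothing init code
    pcir = 0x40                                 # where we place the PCI Data Structure
    struct.pack_into("<H", img, 0x18, pcir)     # header offset 0x18 points at it
    struct.pack_into("<4sHHHHB3sHHBB2s", img, pcir, b"PCIR", vendor_id, device_id,
                     0, 0x18, 0, b"\x00\x01\x04",  # no VPD, PCIR length, rev 0, audio class
                     blocks, 0x0001, code_type, 0x80, b"\x00\x00")  # length, rev, type, last image
    img[-1] = (-sum(img[:-1])) & 0xFF           # x86 images must sum to zero mod 256
    return bytes(img)

def parse_rom_image(img):
    """Parse the ROM header and PCI Data Structure; raise ValueError on what POST would reject."""
    if img[0:2] != b"\x55\xAA":
        raise ValueError("missing 55AA expansion ROM signature")
    pcir = struct.unpack_from("<H", img, 0x18)[0]
    if img[pcir:pcir + 4] != b"PCIR":
        raise ValueError("missing PCIR data structure")
    vendor, device = struct.unpack_from("<HH", img, pcir + 4)
    length = struct.unpack_from("<H", img, pcir + 0x10)[0] * 512
    if length > len(img):
        raise ValueError("image length exceeds ROM data")
    return {
        "vendor_id": vendor, "device_id": device, "length": length,
        "code_type": CODE_TYPES.get(img[pcir + 0x14], "unknown"),
        "last_image": bool(img[pcir + 0x15] & 0x80),
        "checksum_ok": sum(img[:length]) % 256 == 0,
        "sha256": hashlib.sha256(img[:length]).hexdigest(),
    }

def matches_baseline(img, known_good_sha256):
    """A well-formed image whose hash is not in the vendor baseline is what to investigate."""
    info = parse_rom_image(img)
    return info["checksum_ok"] and info["sha256"] in known_good_sha256

if __name__ == "__main__":
    clean = build_rom_image(0x1234, 0x5678)            # constructed "sound card" ROM
    baseline = {parse_rom_image(clean)["sha256"]}      # golden hash recorded on a trusted machine
    modified = bytearray(clean)
    modified[0x200] ^= 0x01                            # one byte of init code changed
    modified[-1] = (-sum(modified[:-1])) & 0xFF        # checksum repaired, so POST still accepts it
    print(matches_baseline(clean, baseline), matches_baseline(bytes(modified), baseline))
```

The point of the modified image is that the POST checksum is a transport check, not an integrity check: only the hash comparison against a baseline taken from a trusted machine flags the change. On Linux the same parser can be pointed at the ROM image the kernel exposes in sysfs for each PCI device.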

This research paper was published so that anti-rootkit software makers can adapt to the potential threat of a rootkit attack via the PCI bus.

Keep Safe

regards
Steo

Rootkits, more emerging threats

Wednesday, August 2nd, 2006

The Black Hat Briefings in Las Vegas are a pointer to the direction particular IT trends are taking. With six presentations this year dedicated to rootkits, it shows that rootkits are fast becoming a bigger threat to users.

Gone are the days when authors wrote rootkits for bragging rights. They are now written more by attackers trying to get their hands on sensitive information that users may hold on their PC, or companies on their network.

Currently the method of installing and running rootkits is to place them on the hard drive of a person’s PC and have the rootkit hide itself from all but the best anti-rootkit scanners.
This year at Black Hat, Joanna Rutkowska, a senior researcher at COSEINC, a Singapore-based security company, demonstrated how rootkits could be installed at an even lower level than they are at the moment and thus gain more stealth and ultimately more longevity.

Joanna Rutkowska showed how she could use AMD’s Pacifica hardware virtualization to install a rootkit and malware into Microsoft’s new operating system, Vista. Another similar method using Intel’s VT-x virtualization extension can also be used. According to Dino Dai Zovi, principal with Matasano Security LLC, rootkit authors can use VT-x to install malicious code that is inaccessible to the running operating system, hiding and controlling access to blocks on a disk.

There is also proof of concept code available to install rootkits into the BIOS of your computer, although this is hard to achieve and there are no known active rootkits circulating.
John Heasman has been exploring how the Advanced Configuration and Power Interface specification, used for power management functions in most computers, can be used to copy data from the BIOS to the operating system. “It continues to surprise me what you can do with it,” he said. This sort of rootkit would survive reboots and would be hard to find.

There are some interesting days ahead in the rootkit world, and researchers like Joanna Rutkowska and John Heasman are well ahead in their thinking on the next attack vector.

Whatever will be next?

Keep Safe

regards
Steo
www.antirootkit.com

Researchers say rootkits are headed for BIOS

Friday, January 27th, 2006

John Heasman, principal security consultant for UK-based Next-Generation Security Software, recently demonstrated at the Black Hat Federal conference in Amsterdam how rootkits are headed for the BIOS. In a number of demonstrations Heasman showed how to elevate privileges and read physical memory using malicious procedures that replaced normal functions stored in flash memory.

Researchers at the conference are divided as to how this sort of rootkit will progress. While there may well be rootkits written in the near future using flash memory, their effectiveness may be reduced by the fact that many motherboards have their flash memory protected. When the rootkit attempts to write to the flash memory it is stopped in its tracks.

While the effectiveness of BIOS rootkits seems small at the moment, one can imagine incidents where motherboard flash memory has the write protection removed, or a rootkit is installed in the manufacturing plant by a rogue employee. This sort of rootkit could also be installed by a trusted person at a large corporation who would have the access needed to turn off the flash memory write protection by switching jumpers on the motherboard.

John Heasman’s full demonstration, Implementing and Detecting an ACPI BIOS Rootkit, can be found here.

Keep Safe

regards
Steo
www.antirootkit.com