eWeek Security Watch
November 17, 2006 1:58 PM

Rootkits on a PCI Card?



A well-respected British security researcher has found a way to use a PCI device to plant an offensive rootkit on Windows machines. John Heasman, principal security consultant at NGSS (Next-Generation Security Software) released a research paper on the Daily Dave mailing list discussing a means of persisting a rootkit on a PCI device containing a flashable expansion ROM...

The paper is available here (PDF): Implementing and Detecting a PCI Rootkit.

Abstract:

"In February 2006, [I] presented a means of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). It was demonstrated that the ACPI tables within the BIOS could be modified to contain malicious ACPI Machine Language (AML) instructions that interacted with system memory and the I/O space, allowing the rootkit bootstrap code to overwrite kernel code and data structures as a means of deployment.


Whilst using ACPI as a means of persisting a rootkit in the system BIOS has numerous advantages for the rootkit writer over "traditional" means of persistence (that include storing the rootkit on disk and loading it as a device driver), there are several technologies that are designed to mitigate this threat. Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent the system BIOS from being overwritten with unsigned updates.

This paper discusses means of persisting a rootkit on a PCI device containing a flashable expansion ROM. Previous work in the Trusted Computing field has noted the feasibility of expansion ROM attacks (which is in part the problem that this field has set out to solve), however the practicalities of implementing such attacks has not been discussed in detail. Furthermore, there is little knowledge of how to detect and prevent such attacks on systems that do not contain a Trusted Platform Module (TPM). Whilst the discussion mainly focuses on the Microsoft Windows platform, it should be noted that the techniques are equally likely to apply to other operating systems."
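As an added example of the detection side the abstract raises for systems without a TPM (this code is not from Heasman's paper or the post), the following parses a PCI expansion ROM image's header and PCIR data structure, checks the legacy x86 image checksum, and compares a SHA-256 of the image against a known-good baseline. The ROM bytes and vendor/device IDs are constructed inline; reading a real image (for instance from a PCI device's sysfs rom file on Linux) is assumed to happen elsewhere.

```python
import hashlib
import struct

# Constructed sample: a minimal legacy x86 expansion ROM image (one 512-byte unit)
# with its PCIR data structure at offset 0x20. Vendor/device IDs are placeholders.
def build_sample_rom(vendor_id=0x1234, device_id=0x5678):
    rom = bytearray(512)
    rom[0:2] = b"\x55\xAA"                   # expansion ROM signature
    rom[2] = 1                               # legacy field: image size in 512-byte units
    rom[3:6] = b"\xEB\xFE\x90"               # placeholder init entry point (jmp $ ; nop)
    struct.pack_into("<H", rom, 0x18, 0x20)  # pointer to the PCIR structure
    # PCIR: sig, vendor, device, VPD ptr, struct len, rev, class code,
    #       image len (512-byte units), code rev, code type (0 = x86), indicator, reserved
    pcir = struct.pack("<4sHHHHB3sHHBBH", b"PCIR", vendor_id, device_id,
                       0, 0x18, 0, b"\x00\x00\x00", 1, 0x0001, 0, 0x80, 0)
    rom[0x20:0x20 + len(pcir)] = pcir
    rom[-1] = (-sum(rom[:-1])) & 0xFF        # legacy images must sum to 0 mod 256
    return bytes(rom)

def parse_rom_image(rom):
    """Parse the first image in an expansion ROM and return the fields a
    baseline/verification tool cares about, plus a checksum result and hash."""
    if rom[0:2] != b"\x55\xAA":
        raise ValueError("missing 55AA expansion ROM signature")
    pcir_off = struct.unpack_from("<H", rom, 0x18)[0]
    if rom[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCIR data structure not found at 0x%x" % pcir_off)
    (vendor, device, _vpd, _slen, _rev, _cls, img_units, code_rev,
     code_type, indicator) = struct.unpack_from("<HHHHB3sHHBB", rom, pcir_off + 4)
    image = rom[:img_units * 512]
    # The checksum only catches accidental corruption: anyone reflashing the ROM
    # can recompute it, so the real detection signal is the hash against a baseline.
    checksum_ok = (sum(image) & 0xFF) == 0 if code_type == 0 else None
    return {
        "vendor_id": vendor, "device_id": device, "image_len": len(image),
        "code_type": code_type, "last_image": bool(indicator & 0x80),
        "checksum_ok": checksum_ok, "sha256": hashlib.sha256(image).hexdigest(),
    }

def verify_against_baseline(rom, expected_sha256):
    """Compare the parsed image hash with a hash recorded when the card was trusted."""
    info = parse_rom_image(rom)
    info["matches_baseline"] = info["sha256"] == expected_sha256
    return info

if __name__ == "__main__":
    good = build_sample_rom()
    baseline = parse_rom_image(good)["sha256"]
    tampered = bytearray(good)
    tampered[0x100] ^= 0xFF                  # simulate a modified ROM body
    print(verify_against_baseline(tampered, baseline))
```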

Heasman gave a related presentation of this research at the Black Hat Federal conference earlier this year. Rob Lemos at SecurityFocus covered that presentation in detail.


Comments (9)

Lucy Page :

When companies start putting spyware of any kind on computer hardware, it is time to stop using the internet.

I refuse to buy HP computers because of the Backlight stuff; I don't install any programs that come with, say, hard drives. I'm waiting for someone to make a Windows operating system that will run the programs I now have, then I will never touch Microsoft again. I hate buying software and then going through all the bull it now requires. Companies need to find new ways to protect their copyright. I believe companies like Roxio use invisible windows to stop (legal) software from installing after a couple of years. I see a transparent window pop up when trying to install... can't reach them either. I am beginning to despise software companies as much as the hackers!

Gary Gemmell :

I agree totally. Unfortunately, that's what surveillance society we have now. I will never install Vista; indeed I have recently installed SUSE Linux v10.0 and I must admit I'm very impressed. I have a funny feeling Microsoft is about to feel the customer biteback once the true colours of Vista and Microsoft's outlook for the future are revealed!

The big deal really is the fact that we are so money orientated now. The software companies want every penny they can get to recoup the vast amounts they spend on development. Like movies these days, a lot is wasted on pointless additions to the mix. When I used to design 6502 computer games back in the 80s we didn't have game psychologists etc.

It was already proven years ago that the advent of mp3 and p2p wasn't the reason for the slow sales of music; it was the cancellation of the tape and vinyl disc format!
Sales of music have now increased, but getting a music company to admit it is like getting blood out of a stone!

Anonimo :

Well, I know of a case of use of this type of technology application: change the frequency of display by the graphics card to stimulate a hypnotic state in people in front of their monitor; then words, sounds and other sensory information are recorded on the brain.
The cons are that this type of attack is being done on all kinds of OS because ACPI is equal on all hardware. And governments know these things; they use them.
ALL TRUTH.


Enigma :

Thanks for the info! I'll always be sure to wear my tin foil hat from now on!

Hitbythis :

I think I was hit by this about 1 1/2 ago & have been fighting since. I could write a blog of hows & whys but this isn't the place, so I try to limit my comments.

1. Multiple combos of new boxed small-build parts yielded the following on the 1st XP install attempt:
BSD-ACPI failure relating to BIOS shadowing.
Disable unused & not required mobo features and get other BSD failures.

Same connected to the internet: XP installs without error, only if the mobo feature set is default. THIS IS NOT LOGICAL: XP install should not fail hardware unless connected to the internet.

In connection with the miles of other symptoms these systems presented, I believe it is malware using ACPI as the door to grow a VM machine rootkit as the admin god over any install. I believe it passes itself to any hardware with onboard ROM that is attached to any affected gear.

I'm not posting here looking for help, but more as a contribution to the good part of the community.
I may have hardware that I'd be willing to let be "inspected" and practical experience of how a hack like this could easily be deployed.

Sincerely,

1 :

MMMM... I know. U can see now... Akamai and other "sebnets" into the internet. ACPI and IRQ without documentation, can u see?...
50/60 Hz Arpanet, some decades with the same rootkit, social control and manipulation.
They know ur interest so they know what to sell to u.
Hourly changes, electric lights and many more that ur little brain never imagined.
And of course, little hackers and big brains murdered
under false accidents.
U can investigate teamspeak dlls to know a few more on the right way.
Cryptographic bits.

anonimo :

Well, at the moment all the BIOSes with free memory positions and IRQ or logic doors without use are open to this kind of attack.
