
Hackers Find a New Place to Hide Rootkits

From: InfoSec News <alerts_at_infosecnews.org>
Date: Mon, 12 May 2008 03:24:33 -0500 (CDT)

http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html

By Robert McMillan
IDG News Service
May 09, 2008

Security researchers have developed a new type of malicious rootkit
software that hides itself in an obscure part of a computer's
microprocessor, out of reach of current antivirus products.

Called a System Management Mode (SMM) rootkit, the software runs in a
protected part of a computer's memory that can be locked and rendered
invisible to the operating system, but which can give attackers a
picture of what's happening in a computer's memory.

The SMM rootkit comes with keylogging and communications software and
could be used to steal sensitive information from a victim's computer.
It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo,
Florida, security company called Clear Hat Consulting.

The proof-of-concept software will be demonstrated publicly for the
first time at the Black Hat security conference in Las Vegas this
August.

The rootkits used by cyber crooks today are sneaky programs designed to
cover up their tracks while they run in order to avoid detection.
Rootkits hit the mainstream in late 2005 when Sony BMG Music used
rootkit techniques to hide its copy protection software. The music
company was ultimately forced to recall millions of CDs amid the ensuing
scandal.

In recent years, however, researchers have been looking at ways to run
rootkits outside of the operating system, where they are much harder to
detect. For example, two years ago researcher Joanna Rutkowska
introduced a rootkit called Blue Pill, which used AMD's chip-level
virtualization technology to hide itself. She said the technology could
eventually be used to create "100 percent undetectable malware."

"Rootkits are going more and more toward the hardware," said Sparks, who
wrote another rootkit three years ago called Shadow Walker. "The deeper
into the system you go, the more power you have and the harder it is to
detect you."

Blue Pill took advantage of new virtualization technologies that are now
being added to microprocessors, but the SMM rootkit uses a feature that
has been around for much longer and can be found in many more machines.
SMM dates back to Intel's 386 processors, where it was added as a way to
help hardware vendors fix bugs in their products using software. The
technology is also used for the computer's power management, putting it
into sleep mode, for example.

In many ways, an SMM rootkit, running in a locked part of memory, would
be more difficult to detect than Blue Pill, said John Heasman, director
of research with NGS Software, a security consulting firm. "An SMM
rootkit has major ramifications for things like [antivirus software
products]," he said. "They will be blind to it."

Researchers have suspected for several years that malicious software
could be written to run in SMM. In 2006, researcher Loic Duflot
demonstrated how SMM malware would work. "Duflot wrote a small SMM
handler that compromised the security model of the OS," Embleton said.
"We took the idea further by writing a more complex SMM handler that
incorporated rootkit-like techniques."

In addition to a debugger, Sparks and Embleton had to write driver code
in hard-to-use assembly language to make their rootkit work. "Debugging
it was the hardest thing," Sparks said.

Being divorced from the operating system makes the SMM rootkit stealthy,
but it also means that hackers have to write this driver code expressly
for the system they are attacking.

"I don't see it as a widespread threat, because it's very
hardware-dependent," Sparks said. "You would see this in a targeted
attack."

But will it be 100 percent undetectable? Sparks says no. "I'm not saying
it's undetectable, but I do think it would be difficult to detect." She
and Embleton will talk more about detection techniques during their
Black Hat session, she said.

Brand new rootkits don't come along every day, Heasman said. "It will be
one of the most interesting, if not the most interesting, at Black Hat
this year," he said.

Received on May 12 2008
