Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.
Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.
The SMM rootkit comes with keylogging and communications software and could be used to steal sensitive information from a victim's computer. It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company called Clear Hat Consulting.
The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August.
...
Blue Pill took advantage of new virtualization technologies that are now being added to microprocessors, but the SMM rootkit uses a feature that has been around for much longer and can be found in many more machines. SMM dates back to Intel's 386 processors, where it was added as a way to help hardware vendors fix bugs in their products using software. The technology is also used to help manage the computer's power management, taking it into sleep mode, for example.
In many ways, an SMM rootkit, running in a locked part of memory, would be more difficult to detect than Blue Pill, said John Heasman, director of research with NGS Software, a security consulting firm. "An SMM rootkit has major ramifications for things like [antivirus software products]," he said. "They will be blind to it."
Researchers have suspected for several years that malicious software could be written to run in SMM. In 2006, researcher Loic Duflot demonstrated how SMM malware would work. "Duflot wrote a small SMM handler that compromised the security model of the OS," Embleton said. "We took the idea further by writing a more complex SMM handler that incorporated rootkit-like techniques."
In addition to a debugger, Sparks and Embleton had to write driver code in hard-to-use assembly language to make their rootkit work. "Debugging it was the hardest thing," Sparks said.
Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking.
"I don't see it as a widespread threat, because it's very hardware-dependent," Sparks said. "You would see this in a targeted attack."
But will it be 100 percent undetectable? Sparks says no. "I'm not saying it's undetectable, but I do think it would be difficult to detect." She and Embleton will talk more about detection techniques during their Black Hat session, she said.
Brand new rootkits don't come along every day, Heasman said. "It will be one of the most interesting, if not the most interesting, at Black Hat this year," he said.
------------------------------
I will be at this talk for sure.....
And of course, noone speaks about the related Phrack article ....
ReplyDeletehttp://www.phrack.org/issues.html?issue=65&id=7#article