Cyber Security Institute

Monday, May 12, 2008

Hackers Find a New Place to Hide Rootkits

Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer’s microprocessor, out of reach of current antivirus products. Called a System Management Mode (SMM) rootkit, the software runs in a protected region of a computer’s memory that can be locked and rendered invisible to the operating system, yet still gives attackers a view of what is happening in the computer’s memory.

It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company called Clear Hat Consulting.

The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August.

The rootkits used by cyber crooks today are sneaky programs designed to cover their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005, when Sony BMG Music used rootkit techniques to hide its copy-protection software. Two years ago, researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD’s chip-level virtualization technology to hide itself.

“Rootkits are going more and more toward the hardware,” said Sparks, who wrote another rootkit three years ago called Shadow Walker.

SMM dates back to Intel’s 386 processors, where it was added as a way to help hardware vendors fix bugs in their products using software. The technology is also used for the computer’s power management, for example to take it into sleep mode. In 2006, researcher Loic Duflot demonstrated how SMM malware would work. In addition to a debugger, Sparks and Embleton had to write driver code in hard-to-use assembly language to make their rootkit work.

Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking.

http://www.pcworld.com/businesscenter/article/145703/hackers_find_a_new_place_to_hide_rootkits.html
