Whitepaper: Implementing and Detecting a PCI Rootkit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Whitepaper: Implementing and Detecting a PCI Rootkit
From: John Heasman <john@xxxxxxxxxxxxxxx>
Date: Thu, 16 Nov 2006 17:42:23 +0000 (GMT Standard Time)
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hi guys,

I have released a paper entitled "Implementing and Detecting a PCIRootkit" which is available here:



http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf

I was originally planning to release this early in 2007 but due to therecent publication of "BIOS Disassembly Ninjutsu Uncovered" by DarmawanSalihun I have decided to publish now (please note, I have not yet seenthe contents of this book).



Abstract:

"In February 2006, the author presented a means of persisting a rootkit inthe system BIOS via the Advanced Configuration and Power Interface (ACPI).It was demonstrated that the ACPI tables within the BIOS could be modifiedto contain malicious ACPI Machine Language (AML) instructions thatinteracted with system memory and the I/O space, allowing the rootkitbootstrap code to overwrite kernel code and data structures as a means ofdeployment.

Whilst using ACPI as a means of persisting a rootkit in the system BIOShas numerous advantages for the rootkit writer over "traditional" means ofpersistence (that include storing the rootkit on disk and loading it as adevice driver), there are several technologies that are designed tomitigate this threat. Both Intel SecureFlash and Phoenix TrustedCoremotherboards prevent the system BIOS from being overwritten with unsignedupdates.

This paper discusses means of persisting a rootkit on a PCI devicecontaining a flashable expansion ROM. Previous work in the TrustedComputing field has noted the feasibility of expansion ROM attacks (whichis in part the problem that this field has set out to solve), however thepracticalities of implementing such attacks has not been discussed indetail. Furthermore, there is little knowledge of how to detect andprevent such attacks on systems that do not contain a Trusted PlatformModule (TPM). Whilst the discussion mainly focuses on the MicrosoftWindows platform, it should be noted that the techniques are equallylikely to apply to other operating systems."




Thanks


John

--
John Heasman
Director of Research
NGS Software Ltd


Tel    +44 (0) 208 401 0070
Fax    +44 (0) 208 401 0076
http://www.ngssoftware.com


The information contained in this email and any subsequent correspondence
is private, is solely for the intended recipient(s) and may contain
confidential or privileged information. For those other than the intended
recipient(s), any disclosure, copying, distribution, or any other action
taken, or omitted to be taken, in reliance on such information is
prohibited and may be unlawful. If you are not the intended recipient and
have received this message in error, please inform the sender and delete
this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission or
use of emails and attachments having left the NGS domain.

Prev by Date: eShopping Cart [injection sql]
Next by Date: Vulnerabilities in Client Service for NetWare
Previous by thread: eShopping Cart [injection sql]
Next by thread: Vulnerabilities in Client Service for NetWare
Index(es):
- Date
- Thread