<<< Date Index >>>     <<< Thread Index >>>

Whitepaper: Implementing and Detecting a PCI Rootkit



Hi guys,


I have released a paper entitled "Implementing and Detecting a PCI Rootkit" which is available here:


http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf


I was originally planning to release this early in 2007 but due to the recent publication of "BIOS Disassembly Ninjutsu Uncovered" by Darmawan Salihun I have decided to publish now (please note, I have not yet seen the contents of this book).


Abstract:

"In February 2006, the author presented a means of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). It was demonstrated that the ACPI tables within the BIOS could be modified to contain malicious ACPI Machine Language (AML) instructions that interacted with system memory and the I/O space, allowing the rootkit bootstrap code to overwrite kernel code and data structures as a means of deployment.

Whilst using ACPI as a means of persisting a rootkit in the system BIOS has numerous advantages for the rootkit writer over "traditional" means of persistence (that include storing the rootkit on disk and loading it as a device driver), there are several technologies that are designed to mitigate this threat. Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent the system BIOS from being overwritten with unsigned updates.

This paper discusses means of persisting a rootkit on a PCI device containing a flashable expansion ROM. Previous work in the Trusted Computing field has noted the feasibility of expansion ROM attacks (which is in part the problem that this field has set out to solve), however the practicalities of implementing such attacks has not been discussed in detail. Furthermore, there is little knowledge of how to detect and prevent such attacks on systems that do not contain a Trusted Platform Module (TPM). Whilst the discussion mainly focuses on the Microsoft Windows platform, it should be noted that the techniques are equally likely to apply to other operating systems."



Thanks


John

--
John Heasman
Director of Research
NGS Software Ltd


Tel    +44 (0) 208 401 0070
Fax    +44 (0) 208 401 0076
http://www.ngssoftware.com


The information contained in this email and any subsequent correspondence
is private, is solely for the intended recipient(s) and may contain
confidential or privileged information. For those other than the intended
recipient(s), any disclosure, copying, distribution, or any other action
taken, or omitted to be taken, in reliance on such information is
prohibited and may be unlawful. If you are not the intended recipient and
have received this message in error, please inform the sender and delete
this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission or
use of emails and attachments having left the NGS domain.