Whitepaper: Implementing and Detecting a PCI Rootkit
Hi guys,
I have released a paper entitled "Implementing and Detecting a PCI
Rootkit" which is available here:
http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf
I was originally planning to release this early in 2007 but due to the
recent publication of "BIOS Disassembly Ninjutsu Uncovered" by Darmawan
Salihun I have decided to publish now (please note, I have not yet seen
the contents of this book).
Abstract:
"In February 2006, the author presented a means of persisting a rootkit in
the system BIOS via the Advanced Configuration and Power Interface (ACPI).
It was demonstrated that the ACPI tables within the BIOS could be modified
to contain malicious ACPI Machine Language (AML) instructions that
interacted with system memory and the I/O space, allowing the rootkit
bootstrap code to overwrite kernel code and data structures as a means of
deployment.
Whilst using ACPI as a means of persisting a rootkit in the system BIOS
has numerous advantages for the rootkit writer over "traditional" means of
persistence (that include storing the rootkit on disk and loading it as a
device driver), there are several technologies that are designed to
mitigate this threat. Both Intel SecureFlash and Phoenix TrustedCore
motherboards prevent the system BIOS from being overwritten with unsigned
updates.
This paper discusses means of persisting a rootkit on a PCI device
containing a flashable expansion ROM. Previous work in the Trusted
Computing field has noted the feasibility of expansion ROM attacks (which
is in part the problem that this field has set out to solve), however the
practicalities of implementing such attacks has not been discussed in
detail. Furthermore, there is little knowledge of how to detect and
prevent such attacks on systems that do not contain a Trusted Platform
Module (TPM). Whilst the discussion mainly focuses on the Microsoft
Windows platform, it should be noted that the techniques are equally
likely to apply to other operating systems."
Thanks
John
--
John Heasman
Director of Research
NGS Software Ltd
Tel +44 (0) 208 401 0070
Fax +44 (0) 208 401 0076
http://www.ngssoftware.com
The information contained in this email and any subsequent correspondence
is private, is solely for the intended recipient(s) and may contain
confidential or privileged information. For those other than the intended
recipient(s), any disclosure, copying, distribution, or any other action
taken, or omitted to be taken, in reliance on such information is
prohibited and may be unlawful. If you are not the intended recipient and
have received this message in error, please inform the sender and delete
this mail and any attachments.
The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission or
use of emails and attachments having left the NGS domain.