[Dailydave] Whitepaper: Implementing and Detecting a PCI Rootkit
Dave Aitel
dave at immunityinc.com
Thu Nov 16 18:24:50 2006
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
That's really cool. One thing Immunity has been investigating is
selling a literal hardware PCI card that you can install into
someone's machine which then infects their system and injects a
callback shellcode. That way if you break into someone's office, you
can throw these PCI cards into a few desktops and then leave, and
you'll get MOSDEF shells at home every day! Nothing to analyze on disk
either. :>
- -dave
John Heasman wrote:
> Hi guys,
>
> I have released a paper entitled "Implementing and Detecting a PCI
> Rootkit" which is available here:
>
> http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf
>
> I was originally planning to release this early in 2007 but due to
> the recent publication of "BIOS Disassembly Ninjutsu Uncovered" by
> Darmawan Salihun I have decided to publish now (please note, I have
> not yet seen the contents of this book).
>
> Abstract:
>
> "In February 2006, the author presented a means of persisting a
> rootkit in the system BIOS via the Advanced Configuration and Power
> Interface (ACPI). It was demonstrated that the ACPI tables within
> the BIOS could be modified to contain malicious ACPI Machine
> Language (AML) instructions that interacted with system memory and
> the I/O space, allowing the rootkit bootstrap code to overwrite
> kernel code and data structures as a means of deployment.
>
> Whilst using ACPI as a means of persisting a rootkit in the system
> BIOS has numerous advantages for the rootkit writer over
> "traditional" means of persistence (that include storing the
> rootkit on disk and loading it as a device driver), there are
> several technologies that are designed to mitigate this threat.
> Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent
> the system BIOS from being overwritten with unsigned updates.
>
> This paper discusses means of persisting a rootkit on a PCI device
> containing a flashable expansion ROM. Previous work in the Trusted
> Computing field has noted the feasibility of expansion ROM attacks
> (which is in part the problem that this field has set out to
> solve), however the practicalities of implementing such attacks has
> not been discussed in detail. Furthermore, there is little
> knowledge of how to detect and prevent such attacks on systems that
> do not contain a Trusted Platform Module (TPM). Whilst the
> discussion mainly focuses on the Microsoft Windows platform, it
> should be noted that the techniques are equally likely to apply to
> other operating systems."
>
> Thanks
>
> John
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFFXKzxB8JNm+PA+iURAuc0AKDACdosMW8+iLPFGffS85PJWlUi9ACbByh+
7vnHzJxPZ1JDzalLWpPDI5A=
=I7xe
-----END PGP SIGNATURE-----
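The abstract above notes that detecting an expansion ROM rootkit on a machine without a TPM is poorly documented. The script below is an added example for that defensive side of the thread; it is not code from the paper, from NGSSoftware, or from Immunity. It parses a PCI expansion ROM image according to the public PCI Firmware Specification layout (0x55AA signature, pointer to the "PCIR" data structure, per-image length and code type, byte checksum on x86 images), walks every image in a multi-image ROM, and compares each image's SHA-256 against an operator-maintained baseline keyed by vendor and device ID. The `build_sample_rom` helper, the baseline dictionary and all IDs are constructed sample data for this example, not values from any real card.

```python
"""Parse PCI expansion ROM images and check them against a known-good baseline.

Layout (PCI Firmware Specification):
  ROM header  : 0x55 0xAA at offset 0; 16-bit little-endian pointer to the
                PCIR data structure at offset 0x18; legacy x86 images also
                store their size in 512-byte units at offset 2.
  PCIR struct : "PCIR" signature, vendor ID (+4), device ID (+6), image
                length in 512-byte units (+0x10), code type (+0x14,
                0 = x86 BIOS), indicator (+0x15, bit 7 = last image).
Every byte of an x86 image sums to zero modulo 256.
"""
import hashlib
import struct
from dataclasses import dataclass

ROM_SIGNATURE = b"\x55\xaa"
PCIR_SIGNATURE = b"PCIR"


@dataclass
class RomImage:
    vendor_id: int
    device_id: int
    code_type: int
    length: int          # bytes
    last_image: bool
    checksum_ok: bool
    sha256: str


def parse_rom_image(rom: bytes, offset: int = 0) -> RomImage:
    """Parse the expansion ROM image that starts at `offset` in `rom`."""
    if rom[offset:offset + 2] != ROM_SIGNATURE:
        raise ValueError(f"no 0x55AA ROM signature at offset {offset:#x}")
    pcir_off = offset + struct.unpack_from("<H", rom, offset + 0x18)[0]
    if rom[pcir_off:pcir_off + 4] != PCIR_SIGNATURE:
        raise ValueError(f"no PCIR structure at offset {pcir_off:#x}")
    vendor_id, device_id = struct.unpack_from("<HH", rom, pcir_off + 4)
    image_units = struct.unpack_from("<H", rom, pcir_off + 0x10)[0]
    code_type = rom[pcir_off + 0x14]
    indicator = rom[pcir_off + 0x15]
    length = image_units * 512
    image = rom[offset:offset + length]
    if len(image) != length:
        raise ValueError("image length runs past the end of the ROM data")
    # Only x86 BIOS images (code type 0) carry the whole-image byte checksum.
    checksum_ok = (sum(image) % 256 == 0) if code_type == 0 else True
    return RomImage(vendor_id, device_id, code_type, length,
                    bool(indicator & 0x80), checksum_ok,
                    hashlib.sha256(image).hexdigest())


def parse_rom(rom: bytes) -> list[RomImage]:
    """Walk all images of a (possibly multi-image) expansion ROM."""
    images, offset = [], 0
    while offset < len(rom):
        img = parse_rom_image(rom, offset)
        images.append(img)
        if img.last_image:
            break
        offset += img.length
    return images


def check_against_baseline(rom: bytes,
                           baseline: dict[tuple[int, int], str]) -> list[str]:
    """Return findings for a ROM dump; an empty list means it matches."""
    findings = []
    for img in parse_rom(rom):
        dev = f"{img.vendor_id:04x}:{img.device_id:04x}"
        if not img.checksum_ok:
            findings.append(f"{dev}: image checksum invalid")
        expected = baseline.get((img.vendor_id, img.device_id))
        if expected is None:
            findings.append(f"{dev}: no baseline hash recorded")
        elif expected != img.sha256:
            findings.append(f"{dev}: hash differs from baseline")
    return findings


def build_sample_rom(vendor_id: int = 0x1234, device_id: int = 0x5678,
                     last: bool = True) -> bytes:
    """Construct a minimal, well-formed 512-byte x86 expansion ROM image.
    This is sample data for the example, not any real device's ROM."""
    rom = bytearray(512)
    rom[0:2] = ROM_SIGNATURE
    rom[2] = 1                                   # legacy size field: 1 unit
    rom[3] = 0xC3                                # 'ret' at the init entry point
    pcir = 0x20
    struct.pack_into("<H", rom, 0x18, pcir)      # pointer to PCIR structure
    rom[pcir:pcir + 4] = PCIR_SIGNATURE
    struct.pack_into("<HH", rom, pcir + 4, vendor_id, device_id)
    struct.pack_into("<H", rom, pcir + 0x0A, 0x18)   # PCIR structure length
    struct.pack_into("<H", rom, pcir + 0x10, 1)      # image length: 1 unit
    rom[pcir + 0x14] = 0                              # code type: x86 BIOS
    rom[pcir + 0x15] = 0x80 if last else 0            # last-image indicator
    rom[-1] = (-sum(rom[:-1])) % 256                  # fix up the byte checksum
    return bytes(rom)
```

On Linux a device's option ROM can be dumped through sysfs by writing `1` to `/sys/bus/pci/devices/<bdf>/rom`, reading that file, and writing `0` again; feed the result to `check_against_baseline` with hashes recorded when the card was known good. A failed checksum alone is a weak signal (a flasher usually fixes it up), so the baseline hash comparison is the check that matters; the parser is there so that each image is hashed on its own boundaries rather than the whole BAR-sized read.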