[Dailydave] Whitepaper: Implementing and Detecting a PCI Rootkit
sinan.eren at immunitysec.com
Thu Nov 16 18:47:07 2006
I should also note that when you have an FPGA-based solution, there is no
ROM to be investigated for potential malware. You might still hope to
detect the subversion in kernel space, though of course that is a bit
naive, given that you don't know all the possible hooks one can place.
sinan
On Thu, 16 Nov 2006, Dave Aitel wrote:
>
> That's really cool. One thing Immunity has been investigating is
> selling a literal hardware PCI card that you can install into
> someone's machine which then infects their system and injects a
> callback shellcode. That way if you break into someone's office, you
> can throw these PCI cards into a few desktops and then leave, and
> you'll get MOSDEF shells at home every day! Nothing to analyze on disk
> either. :>
>
> -dave
>
>
> John Heasman wrote:
>> Hi guys,
>>
>> I have released a paper entitled "Implementing and Detecting a PCI
>> Rootkit" which is available here:
>>
>> http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf
>>
>> I was originally planning to release this early in 2007 but due to
>> the recent publication of "BIOS Disassembly Ninjutsu Uncovered" by
>> Darmawan Salihun I have decided to publish now (please note, I have
>> not yet seen the contents of this book).
>>
>> Abstract:
>>
>> "In February 2006, the author presented a means of persisting a
>> rootkit in the system BIOS via the Advanced Configuration and Power
>> Interface (ACPI). It was demonstrated that the ACPI tables within
>> the BIOS could be modified to contain malicious ACPI Machine
>> Language (AML) instructions that interacted with system memory and
>> the I/O space, allowing the rootkit bootstrap code to overwrite
>> kernel code and data structures as a means of deployment.
>>
>> Whilst using ACPI as a means of persisting a rootkit in the system
>> BIOS has numerous advantages for the rootkit writer over
>> "traditional" means of persistence (that include storing the
>> rootkit on disk and loading it as a device driver), there are
>> several technologies that are designed to mitigate this threat.
>> Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent
>> the system BIOS from being overwritten with unsigned updates.
>>
>> This paper discusses means of persisting a rootkit on a PCI device
>> containing a flashable expansion ROM. Previous work in the Trusted
>> Computing field has noted the feasibility of expansion ROM attacks
>> (which is in part the problem that this field has set out to
>> solve); however, the practicalities of implementing such attacks have
>> not been discussed in detail. Furthermore, there is little
>> knowledge of how to detect and prevent such attacks on systems that
>> do not contain a Trusted Platform Module (TPM). Whilst the
>> discussion mainly focuses on the Microsoft Windows platform, it
>> should be noted that the techniques are equally likely to apply to
>> other operating systems."
>>
>> Thanks
>>
>> John
>>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
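The abstract quoted above raises detection of expansion ROM rootkits on systems without a TPM. As an added example (not code from the paper or from anyone on this thread), here is a Python walker for the PCI expansion ROM image format that inventories and hashes every image in a ROM dump and compares it to a known-good baseline; on Linux the dump can be taken from /sys/bus/pci/devices/<bdf>/rom after writing 1 to that file to enable reads. The header and PCIR offsets follow the PCI Firmware Specification; check_against_baseline and make_image are names chosen here, and the sample images are constructed inline rather than taken from any real card.

```python
import hashlib
import struct

ROM_SIG, PCIR_SIG = b"\x55\xaa", b"PCIR"          # PCI Firmware Spec header signatures
CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}

def parse_rom_images(rom: bytes):
    """Walk every image in an expansion ROM dump; return metadata plus SHA-256 per image."""
    images, off = [], 0
    while True:
        if off + 0x1a > len(rom) or rom[off:off + 2] != ROM_SIG:
            raise ValueError(f"bad ROM signature at {off:#x}")
        pcir = off + struct.unpack_from("<H", rom, off + 0x18)[0]   # pointer to PCIR struct
        if pcir + 0x16 > len(rom) or rom[pcir:pcir + 4] != PCIR_SIG:
            raise ValueError(f"missing PCIR structure for image at {off:#x}")
        vendor, device = struct.unpack_from("<HH", rom, pcir + 4)
        length = struct.unpack_from("<H", rom, pcir + 0x10)[0] * 512  # image length field
        code_type, indicator = rom[pcir + 0x14], rom[pcir + 0x15]
        if length == 0 or off + length > len(rom):
            raise ValueError(f"image at {off:#x} claims {length} bytes, past end of dump")
        images.append({"offset": off, "vendor": vendor, "device": device, "length": length,
                       "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
                       "sha256": hashlib.sha256(rom[off:off + length]).hexdigest()})
        if indicator & 0x80:                 # bit 7 set: last image in the ROM
            return images
        off += length

def check_against_baseline(rom: bytes, baseline: dict):
    """Findings for images whose hash is absent from, or differs from, a known-good baseline."""
    findings = []
    for img in parse_rom_images(rom):
        key = (img["vendor"], img["device"], img["code_type"])
        if key not in baseline:
            findings.append(f"unexpected {key} image at {img['offset']:#x}")
        elif baseline[key] != img["sha256"]:
            findings.append(f"{key} image at {img['offset']:#x} hash differs from baseline")
    return findings

def make_image(vendor, device, code_type, last, fill=0x90):
    """Constructed 512-byte image for the demo; not a real vendor ROM."""
    img = bytearray([fill]) * 512
    img[0:2], img[2] = ROM_SIG, 1                  # signature; size in 512-byte units
    struct.pack_into("<H", img, 0x18, 0x40)        # PCIR structure lives at offset 0x40
    img[0x40:0x44] = PCIR_SIG
    struct.pack_into("<HH", img, 0x44, vendor, device)
    struct.pack_into("<H", img, 0x4a, 0x18)        # PCIR structure length
    struct.pack_into("<H", img, 0x50, 1)           # image length in 512-byte units
    img[0x54], img[0x55] = code_type, 0x80 if last else 0
    return bytes(img)
```

A ROM read back through the card's own BAR is only as trustworthy as the card, which is sinan's point about FPGA designs: the device can serve a clean image while running something else. The baseline should therefore come from a dump taken out of band, such as with an external flash programmer, not from the same interface being checked.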