Slashdot Mirror


Rootkit Could Hide In PCI Cards

Reverse Gear writes "SecurityFocus has an interesting article about a paper published on the possibility of hiding a rootkit in different PCI cards and having the rootkit survive a reboot or cleansing of the hard disk. It seems though that the author of the article doesn't think this would be abused frequently. From the article and paper: '(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise.'"

134 comments

  1. Computers are at their hearts.... by DoraLives · · Score: 2, Insightful

    ....fundamentally flawed devices.

    Kinda like the people who build and operate them.

    --
    Is it fascism yet?
    1. Re:Computers are at their hearts.... by Threni · · Score: 4, Informative

      Whenever someone goes on about `trust` and computers, show them this:

      http://cm.bell-labs.com/who/ken/trust.html

      (Some people attempt to continue babbling, talking of new detection techniques, and expensive hardware, but you'll have done your bit.)

    2. Re:Computers are at their hearts.... by Anonymous Coward · · Score: 0

      How is execution control passed to the PCI card without the OS?
      How is the virus program retained?
      And do all PCI cards have permanent memory, such as flash or battery backup, that allows for this? I doubt it!
      Even if it works on one PCI card that has permanent memory, for it to be a real danger and not just FUD, it must work on most PCI cards.
      Is this the case?
      If it's stored in a PC with RAM or non-permanent memory, the virus or whatever is gone at power off. Power off may be defined in some computers by unplugging it, as many computers keep the 5 volt line active to many cards, which allows RAM contents to be retained. In that case disconnecting the AC power will destroy the RAM's contents along with the problem.
      I don't doubt a virus can be saved in a PCI card. Can it be saved in most PCI cards?
      If not, we have FUD!

      Researchers can be very smart people, but they far too often forget the obvious:
      Everyone's hardware doesn't necessarily work as theirs does!!

    3. Re:Computers are at their hearts.... by jabuzz · · Score: 2, Informative

      Because lots of expansion cards have BIOS option ROMs: http://en.wikipedia.org/wiki/BIOS#Firmware_on_adapter_cards
      Most noticeable are video cards, which *all* have one, most RAID cards, all bootable SCSI cards, and many network cards. All option ROMs are enumerated automatically by the BIOS at boot time and, if present, run.

    4. Re:Computers are at their hearts.... by Anonymous Coward · · Score: 0

      Your logic does not support this working over a broad range of hardware, but only over a very narrow range of hardware.
      Read on..
      The author's question stands:
      What exists in common?
      What are drivers?
      Drivers exist because hardware is all different, not because it's the same.
      One cannot write any program/virus that executes over a broad range of PCI devices unless they have found something in common with all. PCI cards are not like RS-232 or keyboards; their addresses, ports and capabilities are determined completely by the hardware and accessed by a driver, a specific driver. The engineer can put his/her PCI card's I/O ports and memory anywhere; the driver's job is to communicate that to the common OS.
      They are all at different addresses and ports.
      Study microprocessors and how they do I/O and run programs and access ports and memory:
      Once you do that, you will see why such a thing can never likely harm a broad range of PCI hardware.
      A virus is a program; its instructions must be in common with most everything, otherwise it can't propagate.
      It must exploit things in common!
      Any differences make it useless. Nobody will doubt these folks have a program that resides in a PCI memory of some sort and survives an OS change or hard disk change. How wide a range of hardware over which it works is the big dubious question.

    5. Re:Computers are at their hearts.... by eMbry00s · · Score: 1

      No, no. They generally work as designed. :)

    6. Re:Computers are at their hearts.... by Anonymous Coward · · Score: 0

      Certainly residency in any permanent memory device is possible but the term Virus was used

      I see no way for it to reliably propagate between machines So is it a real problem ?

    7. Re:Computers are at their hearts.... by HomelessInLaJolla · · Score: 1

      This isn't the type of thing that gets used on a large range of hardware to create a botnet or a spam zombie. This is the sort of thing that is used by the a$$wipe that follows you around /. and trolls every post you make--how does he always happen to know when you made a post? Sure he might just read /. constantly but for eff's sakes, he's got to sleep sometimes, doesn't he? This is the sort of thing that's used by that obnoxious #%&@wit op on IRC who, without fail, will arrive three minutes after you do and begin haranguing you--no matter what time of day or night you wake up and decide to log on. This is the sort of thing that's used by that really odd person you met on AIM/Yahoo/MSN/ICQ who never IMs when you're just casually cruising around the 'net but always seems to be there whenever you get into doing something productive.

      Yes, there's such a thing as coincidence, but coincidence has a natural frequency and, when that natural frequency is exceeded then you have to start looking into what other people may call paranoia or conspiracy theory. The fact is that, if it's above the natural level of coincidence, then it's not paranoia or conspiracy--there really is somebody who has embedded a rootkit in your NIC, and used it to store extra functions in your monitor, and uses that to reinfect your OS each time you apply a new patch, reinstall, or change hard drives.

      This is not the sort of attack vector that's used for frivolous collection of pwned boxes. This is the sort of attack vector used for targeted harassment.

      --
      the NPG electrode was replaced with carbon blac
    8. Re:Computers are at their hearts.... by Anonymous Coward · · Score: 0

      That does NOT EXPLAIN how the bad stuff gets into these cards in the first place.

      And you're trying to tell us that this firmware, this machine code in this writeable memory, moves from machine to machine how?

      We must assume a level of technical ability.
      Remember your forum peers are often engineers and scientists who don't take kindly to conjecture.

      How does it move from machine to machine? How is it installed?
      As an engineer, I know that I can learn from this one.
      I want to assess the potential threat level of this so-called new firmware exploit.
      I'm dubious, because writable memory has existed for years. Are we to believe it has not been exploited until now?

    9. Re:Computers are at their hearts.... by starwed · · Score: 1

      I've seen this device used in science fiction before; in Stephen Donaldson's Gap series, a ship's computer technician installs malicious code in the interface cards the various ship systems use to talk to each other. They do a complete reboot of the computer systems, only to find that the virus is still there.

    10. Re:Computers are at their hearts.... by sjames · · Score: 2, Interesting

      The commonality is that all of them can get the machine's CPU to run it by having a simple option ROM signature at their beginning. That will assure them of running BEFORE the OS is loaded.

      If that code hooks interrupt vector 0x13, it can then watch the boot process happen and modify code as it loads. It might potentially even virtualize the hardware and push the OS to (effectively) ring 1.

    11. Re:Computers are at their hearts.... by sjames · · Score: 1

      Option ROMs are generally in flash these days. Provided that write cycles to the "ROM" are enabled (common enough), there are standard access sequences to erase and reprogram flash chips.

      One really nasty vector for a related concept would be via DVD-R. Many DVD players can update their firmware by inserting a burned disk. In spite of the many brands out there, there are only a few actual manufacturers and a lot of rebranding.

      As for why none of it has been exploited to date, probably because the bar IS much higher and the OS itself has been such a ripe target so far.
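The posts above (jabuzz on option ROMs being enumerated by the BIOS, sjames on the option ROM signature and on flash being reprogrammable) describe the structure a defender can actually inspect. The following is an added example, not code from the thread or from the SecurityFocus paper: it parses the legacy x86 PCI expansion ROM header (the 55AA signature, the size field, the checksum the BIOS requires to be zero, and the PCIR structure that names vendor and device), hashes the image, and compares it against an inventory of known-good hashes. The vendor/device IDs, the PCIR offset and the sample image are constructed test data; a real inventory would be built from images dumped before the machines went into service.

```python
"""Parse and baseline a legacy x86 PCI option ROM image (added example)."""
import hashlib
import struct

ROM_SIGNATURE = b"\x55\xAA"   # every legacy option ROM starts with these two bytes
PCIR_SIGNATURE = b"PCIR"      # PCI data structure that identifies the card
BLOCK = 512                   # ROM sizes are expressed in 512-byte blocks


def parse_option_rom(image: bytes) -> dict:
    """Validate the ROM header and return identifying fields plus a SHA-256."""
    if len(image) < 0x1A or image[:2] != ROM_SIGNATURE:
        raise ValueError("missing 55AA option ROM signature")
    size = image[2] * BLOCK
    if size == 0 or size > len(image):
        raise ValueError("size field does not match image length")
    body = image[:size]
    info = {
        "size": size,
        # The BIOS requires all bytes of the image to sum to zero modulo 256
        # before it jumps to the entry point at offset 3.
        "checksum_ok": sum(body) % 256 == 0,
        "entry_point": 3,
        "sha256": hashlib.sha256(body).hexdigest(),
    }
    pcir = struct.unpack_from("<H", body, 0x18)[0]   # pointer to the PCIR block
    if pcir + 0x18 <= size and body[pcir:pcir + 4] == PCIR_SIGNATURE:
        vendor, device = struct.unpack_from("<HH", body, pcir + 4)
        info["vendor_id"] = vendor
        info["device_id"] = device
        info["code_type"] = body[pcir + 0x14]  # 0 = x86 BIOS, 3 = EFI
    return info


def check_baseline(image: bytes, known_good: dict) -> str:
    """Compare an image against a (vendor, device) -> SHA-256 inventory."""
    info = parse_option_rom(image)
    if not info["checksum_ok"]:
        return "corrupt"            # the BIOS would refuse it, or it was tampered with
    key = (info.get("vendor_id"), info.get("device_id"))
    expected = known_good.get(key)
    if expected is None:
        return "unknown-device"     # card never inventoried: investigate
    return "match" if expected == info["sha256"] else "firmware-changed"


def build_sample_rom(vendor=0x1234, device=0x5678, payload=b"") -> bytes:
    """Construct a minimal one-block ROM image (constructed test data, not a real card)."""
    rom = bytearray(BLOCK)
    rom[0:2] = ROM_SIGNATURE
    rom[2] = 1                                # one 512-byte block
    rom[3:5] = b"\xEB\xFE"                    # jmp $ : harmless placeholder entry point
    struct.pack_into("<H", rom, 0x18, 0x40)   # PCIR structure lives at offset 0x40
    rom[0x40:0x44] = PCIR_SIGNATURE
    struct.pack_into("<HH", rom, 0x44, vendor, device)
    struct.pack_into("<H", rom, 0x4A, 0x18)   # PCIR structure length
    struct.pack_into("<H", rom, 0x50, 1)      # image length in blocks
    rom[0x54] = 0                             # code type: x86 BIOS
    rom[0x55] = 0x80                          # indicator: last image in the ROM
    rom[0x60:0x60 + len(payload)] = payload   # "code" body
    rom[-1] = (-sum(rom[:-1])) % 256          # fix up the checksum byte
    return bytes(rom)


if __name__ == "__main__":
    good = build_sample_rom()
    inventory = {(0x1234, 0x5678): parse_option_rom(good)["sha256"]}
    print(check_baseline(good, inventory))                         # match
    print(check_baseline(build_sample_rom(payload=b"\x90"), inventory))  # firmware-changed
```

The checksum only tells you whether the BIOS will execute the image; a reflashed ROM with a correct checksum passes that test, which is why the hash comparison against an out-of-band inventory is the part that actually detects a change. Where the BIOS or a driver is what reads the ROM back for you, a compromised platform can lie about the bytes, so the dump should come from the card's flash directly when this matters.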

    12. Re:Computers are at their hearts.... by Douglas+Goodall · · Score: 1

      That's not a bug, that's a feature. It could keep Vista from claiming ring0. I want one. :-)

    13. Re:Computers are at their hearts.... by Raenex · · Score: 1

      What's your point? Ken Thompson's paper shows that if you get compromised at a deep enough level, you can remain compromised. The point of "trusted" computing is to not get compromised in the first place, and to limit the number of attack points.

      You seem to be saying that because there is a deep inherent flaw once a system gets compromised, that we shouldn't try to prevent that compromise from happening. I'm not saying that the current "Trusted Computing" initiative is the right answer (the problem is that it removes choice from the owner of the machine). However, there are other ways to prevent that CD you just bought from Sony from rootkitting your machine, ways that put the ultimate power of what can run on a machine into the hands of the user. We should not abandon them.

  2. Sony by Peturbed · · Score: 3, Funny

    How long before this is in the drm?

  3. Not needed, thanks by dryriver · · Score: 2, Insightful

    Sony's already figured out how to hide rootkits on Audio CDs.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    1. Re:Not needed, thanks by empaler · · Score: 1

      The evil bastards just hid their undocumented feature in the data section of their Audio CD.
      Please, if I'm wrong, someone correct me and point fingers, and laugh at me...

    2. Re:Not needed, thanks by DarkSideofOZ · · Score: 1

      They stopped doing this in Nov. of 2005, and it was done deceivingly, kind of like the Zango cash bullshit you see ALL OVER THE WEB now, by asking you to agree to a license agreement to listen to it on the PC, after which the rootkit infects your PC... once infected it makes your system vulnerable to several known trojans, such as the one for WoW that steals CD keys. The easy avoidance tip is, if you plan on ripping a CD from Sony, put a piece of tape on the outer edge of the disc to make your drive think it's a regular audio CD.

  4. This reminds me of by Anonymous Coward · · Score: 0

    ...Stargate Atlantis, where the Wraith virus aboard the Daedalus hid aboard the small fighters.

    1. Re:This reminds me of by iamdrscience · · Score: 1

      That reminds me of The Wraith featuring a young Charlie Sheen.
      A small desert town has been harassed for months by a gang of drag racers, but so far no one has done anything to stop them. One day, a ghostly black car shows up, challenging members of the group to race, then killing them one by one. Neither the gang nor the police can catch the car or its driver, but some investigating into the gang's past may reveal just who's behind all this.
      Highlights can be seen here.

    2. Re:This reminds me of by arabagast · · Score: 1

      hm.. isn't that knight rider season 1, episode 3 ? :)

      --
      Doolittle : ...What is your one purpose in life?
      Bomb no.20 : To explode of course.
  5. Really by sharkey · · Score: 5, Funny

    there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise.

    Are you sure? I was at Best Buy, and I could swear that all the CDs for Sony-signed artists had a free NIC included.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  6. cross platform? by KingPunk · · Score: 0

    What's the chance that not only could they hide in PCI cards, but other devices?
    And on top of that, what about the cross-platform aspect?

    A *nix/win32/win64 rootkit using virtualization.

    Be afraid.. be very very afraid!

    1. Re:cross platform? by Anonymous Coward · · Score: 0

      I agree, the only issue with that would be making code that could adjust to the situation correctly, esp. when dealing not only with hard drives, but with other devices.
      But on top of that, you also first must find the exploit in said device. (Herein the challenge lies.)

  7. I disagree on this remark: by MtViewGuy · · Score: 2, Interesting

    From the article:

    (Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise.

    Note that in Windows XP, especially if you have Service Pack 2 applied, the Security Center in Windows XP SP2 nags you enough that you end up installing programs like the free editions of ZoneAlarm firewall and AVG Anti-Virus (in lieu of commercial Internet security suites), and at least reminds you to install security patches from Microsoft when they become available.

    1. Re:I disagree on this remark: by 4e617474 · · Score: 5, Insightful

      Actually, it nagged me enough about software piracy that I switched to Linux.

      --
      Finally modding someone offtopic when they rant about what "Begging the Question" means: priceless.
    2. Re:I disagree on this remark: by sm62704 · · Score: 1

      I couldn't switch completely to Linux since I have about 50 gig of data on HDb that Mandrake 10.1 can't access (thinks subdirectories are files, thanks to Microsoft who automatically converted FAT32 to some other file system), so I'm dual boot; Windows for audio (50 gb of MP3s) and Linux for the internet.

      I uninstalled all networking components in Windows and disabled the network card, but somehow I'm still paranoid about the Windows side. Can I still be pwned in Windows over the wire?

      Windows stopped nagging me, I found the place to disable the nags. I wish I could find a Linux driver for a Creative Audigy.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    3. Re:I disagree on this remark: by XMyth · · Score: 1, Funny

      Yes... in fact I'm browsing your music collection now. It sucks.

    4. Re:I disagree on this remark: by KDEWolf · · Score: 1

      It was actually you who converted your filesystem to NTFS, when installing Windows XP. It asks you when installing (and formatting your HD), so you should have known about it before doing so.

    5. Re:I disagree on this remark: by Lorkki · · Score: 1

      I couldn't switch completely to Linux since I have about 50 gig of data on HDb that Mandrake 10.1 can't access (thinks subdirectories are files, thanks to Microsoft who automatically converted FAT32 to some other file system), so I'm dual boot; Windows for audio (50 gb of MP3s) and Linux for the internet.

      Either your Mandrake installation has an extremely old NTFS driver, is misconfigured in some way, or the subdirectories are encrypted or compressed. NTFS read support for Linux has been around for quite some time - even full read-write support exists now and seems to work fine, although it's slow.

    6. Re:I disagree on this remark: by marcosdumay · · Score: 1

      Well, you can always transfer those files to a Linux machine via Samba, FTP, or a lot of DVDs...

    7. Re:I disagree on this remark: by Anonymous Coward · · Score: 0

      You are waaayyy too paranoid if you think going that far with Windows will still leave you vulnerable. One of the first things taught in information security classes is that there is no way that you will be 100% completely secure from a hack, no matter what software you are using. I'm sure I am leaving out a few, but there are some easy ways to keep your system secure and very unlikely to be hacked:

      1. Use a software firewall. Windows XP SP2 one has always worked fine for me.
      2. Keep your computer behind a router.
      3. Don't let idiots have administrator access on your machine. This can be said for any operating system.
      4. Keep your computer physically secure. If you are really worried that much about getting "pwned", then there are some things that people majorly overlook when it comes to security. This can be said for any operating system.

      If you still feel that your system is going to get hacked, I would highly suggest seeing a psychiatrist.

      P.S. - Microsoft never converted your FAT32 partition to NTFS, you did. Their software might have prompted you, but I'm not sure how you think they somehow did this. Never mind. Given your previous statements of paranoia, I take that back.

    8. Re:I disagree on this remark: by wboelen · · Score: 1

      It nagged me enough to turn off the security center :) (but I use Linux most of the time anyway)

    9. Re:I disagree on this remark: by Novus · · Score: 1

      Slightly offtopic, but the emu10k1 driver in ALSA (as in the standard kernel) supports Audigy cards fine. alsaconf should pick it right up.

    10. Re:I disagree on this remark: by jo42 · · Score: 1

      > Windows XP SP2 nags you

      This will shut up WinXP SP2:

      Windows Registry Editor Version 5.00

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center]
      "AntiVirusDisableNotify"=dword:00000001
      "FirewallDisableNotify"=dword:00000001
      "UpdatesDisableNotify"=dword:00000001

  8. This is a serious problem... by __aaclcg7560 · · Score: 5, Funny

    It won't be long before the market is flooded with rootkit-infected ISA cards.

    1. Re:This is a serious problem... by RubberDogBone · · Score: 1

      But what will we do about the flood of MCA cards?

      It's the end of the world!!!

      --
      Sig for hire.
    2. Re:This is a serious problem... by unitron · · Score: 1

      Won't someone please think of the S-100s (and all those little S-50s)?

      --
      I see even classic Slashdot is now pretty much unusable on dial up anymore.

  9. not sure what I think about this by Pompatus · · Score: 3, Insightful

    Moreover, computers that use the Trusted Computing Module to protect the boot process will be immune to this type of rootkit compromise, he wrote.

    So basically, this is a well disguised reason to implement the latest Windows DRM.

    --
    Squirrel ... It's not just for breakfast anymore
    1. Re:not sure what I think about this by Ph33r+th3+g(O)at · · Score: 1

      Exactly -- I noticed that little nugget conveniently slipped in there, too. Makes me wonder what stake the author has in TCPA/Palladium/NGSCB/DRM flavor of the month.

      --
      I too have felt the cold finger of injustice.
    2. Re:not sure what I think about this by empaler · · Score: 3, Insightful

      Trusted Computing isn't bad, per se. It's what it is used for.
      I'd love to have uncompromisable equipment.
      Think of it this way; you have a box standing around, just serving. An exploit is found that allows arbitrary code runs, and the particular individual (not a bot) running the arbitrary code scans the hardware, checks it against a list of exploitable units, pulls up the "fix" he needs for that piece of hardware, and bam, you're screwed.
      With TC, you could at least be warned that the equipment is compromised. If you had installed an "unsupported" FW-update to your CD-ROM drive, well, you'd at least know why, but why is the sound card all of a sudden untrustworthy? It seems to work fine...
      But, of course, the emphasis on Trusted Computing isn't end-user security but revenue-stream security. Hooray.

    3. Re:not sure what I think about this by Dunbal · · Score: 3, Insightful

      Read what it says:

      will be immune to this type of rootkit compromise

      However, the joy of "Trusted Computing" is that when someone finally DOES find a way to crack it, you'll never know and/or never be able to DO anything about it, apart from throw your computer in the trash.

      --
      Seven puppies were harmed during the making of this post.
    4. Re:not sure what I think about this by msobkow · · Score: 1

      There are many promises being made for TCM/DRM, yet there was apparently an unsigned driver wedged into a Vista system before the OS was even declared RTM. I am in no hurry to presume DRM/TCM will be as effective as some claim. Its theoretical protection capabilities are being advertised; the factual failures of previous attempts such as the XBox security chips are being conveniently "forgotten".

      To claim anything is "immune" from infection ignores three fundamental truths:

      1. The best lock, electronic or otherwise, is only a polite "stay out" request to a professional thief or "black" security operative. Even "hard" encryption is vulnerable to a big enough compute budget.
      2. No matter how well thought out a solution is to a problem like security, some cracker or hacker will think far enough outside the box to find a situation the solution wasn't designed to cover, and poke at it.
      3. No matter how thorough the code reviews and analysis, bugs will happen, including in the DRM/TCM code.

      Aside from that, the concept of infecting devices instead of the core system is not new. I'd heard of a skilled engineer who wrote a "virus" for mainframe devices almost 20 years ago. It would wedge itself into the "smart" controllers of the mainframe slaves (e.g. drive arrays, tape managers, etc.), and as long as any one device wasn't cleaned before power was restored, the whole system would end up infected again. At least it was fairly innocuous -- it would print up "I want a cookie" or some such. Type in the word it wanted at the console and it would let the machine keep running.

      Anything with an EEPROM, flash, or other means of updating the firmware could theoretically be infected in this fashion.

      I don't know whether it's urban myth or truth, but it's certainly possible.

      --
      I do not fail; I succeed at finding out what does not work.
    5. Re:not sure what I think about this by sm62704 · · Score: 1

      I'd heard of a skilled engineer who wrote a "virus" for mainframe devices almost 20 years ago.

      The first viruses were written for and on a mainframe in a university setting. IIRC it was sometime in the late 60s. It's been 20 years since I read the book that described it, but it was thought a game; whose virus could kill the other viruses.

      They had boot sector viruses for PCs back as early as 1983, almost as soon as IBM started making PCs.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    6. Re:not sure what I think about this by DeadChobi · · Score: 1

      Yeah, but my major objection to TCP is that you don't actually have any control over what's going on in your computer other than turning the module off. I'm not even sure you can turn it off, either. So now you have a chip in your computer that can take control of all the processes in that computer, or at least deny you access. Couple that with the backdoor that I'm sure has been installed and nobody owns their computer anymore. I wouldn't feel as bad about it if there were a jumper on the motherboard that could be used to turn the TCP module completely off.

      I mean, for a while companies were talking about how great it would be if they could get the TCP module to communicate with servers over the internet without your knowledge and WITHOUT YOUR CONTROL. Imagine you're driving along in your new car when suddenly the wheel starts to wrestle with you because the car has been informed that it needs to go somewhere else. Or imagine that it was designed to prevent you from breaking the speed limit at all times, even when you needed to to be safe.

      Imagine that there is someone, out there, that would desperately like to prevent you from truly owning anything and imagine that TCP is their logical first step.

      --
      SRSLY.
    7. Re:not sure what I think about this by coyotecult · · Score: 1

      The game was called Darwin and inspired the Core War game that still has a competition to this day. But I'm not sure if it really counts as a virus?

    8. Re:not sure what I think about this by Anonymous Coward · · Score: 0

      Of course they count as viruses. They just aren't malicious.

  10. Driver issue by Werrismys · · Score: 1

    Just make the peripheral driver run a check on the card firmware before activating it.

    --
    'Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.' - oldhack
    1. Re:Driver issue by Vihai · · Score: 2, Informative

      Useless... if you own the box, you can bypass the driver and program the card's firmware by yourself. It's the card that should do some kind of check on the code which gets uploaded. Been there, done that.

    2. Re:Driver issue by Dunbal · · Score: 1

      Just make the peripheral driver run a check on the card firmware before activating it.

      Great, add another 5MB to the driver why don't you.

      --
      Seven puppies were harmed during the making of this post.
    3. Re:Driver issue by cnettel · · Score: 2, Interesting

      The real problem is of course, as with all code-protection/signing schemes: what about valid uses for modifying the hardware, to allow overclocking, fixing some bug. What might make sense in some configs would be a common physical "write-enable" switch on the machine. Sensible cards could be made to read that switch, while not attempting to verify the code itself. (This could of course be developed further, allow flashing properly signed material even with write disabled, but let the hackers go ahead when they've confirmed it by a physical action.)

    4. Re:Driver issue by Vihai · · Score: 1

      Not a bad idea... unfortunately I've already made the PCBs :(

      I'll keep that in mind for the next release :)

    5. Re:Driver issue by Anonymous Coward · · Score: 0

      The driver I downloaded for my Intel wireless card is 92MB. Talk about bloatware.

    6. Re:Driver issue by JasonTik · · Score: 1

      Just make the rootkit return the proper responses to fool the driver.
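Vihai's point that the card itself, not the driver, has to check what gets uploaded, and cnettel's proposal of a physical write-enable switch that lets properly signed images through with the switch off while still letting the owner flash anything with the switch on, describe an update gate that is easy to state precisely. The following is an added example, not code from any poster's project: it models that gate as the card's controller would run it. An HMAC-SHA256 over the version and image stands in for the public-key signature a real card would verify (an assumption made so the example runs with the standard library only); the rollback check on signed images goes a step beyond the thread, since a correctly signed but older image is the usual way around such a gate. The key and images are constructed test data.

```python
"""Firmware update gate with signature check and physical write-enable (added example)."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class FirmwareImage:
    version: int
    code: bytes

    def signed_bytes(self) -> bytes:
        # The signature covers the version as well as the code, so a valid
        # signature cannot be transplanted onto a different version number.
        return self.version.to_bytes(4, "little") + self.code


def sign_image(signing_key: bytes, image: FirmwareImage) -> bytes:
    """Vendor side. HMAC stands in for a public-key signature (assumption)."""
    return hmac.new(signing_key, image.signed_bytes(), hashlib.sha256).digest()


@dataclass
class CardUpdater:
    """Models the update gate a card's own controller runs, independent of the driver."""
    verify_key: bytes                  # stand-in for the vendor's public key in ROM
    current_version: int = 1
    write_enable: bool = False         # state of the physical switch on the board
    log: list = field(default_factory=list)

    def _signature_valid(self, image: FirmwareImage, signature: bytes) -> bool:
        expected = hmac.new(self.verify_key, image.signed_bytes(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)   # constant-time compare

    def try_update(self, image: FirmwareImage, signature: bytes = b"") -> str:
        """Return the decision the controller took; the log records every attempt."""
        if self._signature_valid(image, signature):
            if image.version < self.current_version:
                return self._reject("rollback")          # signed, but older than installed
            return self._apply(image, "signed")
        if self.write_enable:
            # Owner asserted the switch by hand: allow an unsigned image, but
            # record that this firmware is no longer vendor-attested.
            return self._apply(image, "physical-override")
        return self._reject("unsigned")

    def _apply(self, image: FirmwareImage, reason: str) -> str:
        self.current_version = image.version
        self.log.append(("accepted", image.version, reason))
        return reason

    def _reject(self, reason: str) -> str:
        self.log.append(("rejected", reason))
        return reason


if __name__ == "__main__":
    key = b"constructed-vendor-key"          # constructed, not a real vendor key
    card = CardUpdater(verify_key=key)
    v2 = FirmwareImage(2, b"\x90\x90\xc3")   # constructed image bodies
    print(card.try_update(v2, sign_image(key, v2)))   # signed
    print(card.try_update(FirmwareImage(3, b"\xcc")))  # unsigned
```

The driver never appears in this model, which is the design point: a check done in the driver is only as trustworthy as the OS running it, whereas a check done by the card's controller against a key in its own ROM holds even when the host is already compromised. The override path is logged rather than silent so that an inventory pass can later see which cards are running owner-flashed firmware.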

  11. Hello, is there an editor in the house? by Anonymous Coward · · Score: 0

    "It seems though that the author of the article doesn't think this will be much implemented."

    Me fail English? That's unpossible!!

    1. Re:Hello, is there an editor in the house? by Andrew+Kismet · · Score: 1

      Meaning am clear. Grammar poor by modern way, soon be normal.

    2. Re:Hello, is there an editor in the house? by kwench · · Score: 1

      Excuse me... probably I'm just too dumb to recognize and it keeps haunting me: But what is the actual grammar problem with this sentence?

    3. Re:Hello, is there an editor in the house? by Andrew+Kismet · · Score: 1

      Case in point. Don't worry about it; there isn't a problem any more.

  12. No need to get so fancy, just use a miniature PC by seifried · · Score: 3, Informative

    From RiskBloggers.com:

    Miniature Computers That Can Break Your Network Wide Open

    One aspect of information security that is often overlooked is physical security. While attention is often paid to secure areas containing servers, network equipment and telecommunication gear, not as much attention has been paid to the fringes of the network. Although some security standards such as 802.1x and various network access control (NAC) products exist that can be used to address the network fringe, they all contain one major weakness.

    Assuming a network has implemented end-to-end security in the form of 802.1x or a network access control (NAC) solution, they all make one major assumption: that a man in the middle attack can't be executed once the end point has authenticated. For example, 802.1x addresses this directly: if the network port detects that the connection is dropped, it requires the end point to re-authenticate before it's allowed to have network access again. If the network hasn't implemented such a scheme then it becomes trivial to execute a man in the middle attack by physically inserting another computer in between the network equipment and the end machine.

    But that would be pretty obvious wouldn't it? I mean you think a user (even the dullest one) would notice a second machine plugged into their network drop, with their computer daisy chained off of it.

    Maybe. Maybe not.

    Read More

  13. Software gives possibility of 'malware' by Anonymous Coward · · Score: 1, Informative

    This is indeed interesting. However, it is kind of inline with the nature of software.

    Wherever there's software, there's always a chance that some form of malware could be written for it.

    The chances could be from

    1) Installation by unsuspecting users

    2) Malware code inserted in the many many lines of non-malware code

    It is very hard to really lock down software unless it's a computing device not connected online and left to sit in the corner of the room and no one installs any other software on it.

  14. Rootkit Could Hide in Your Pants by whoop · · Score: 2, Funny

    The only way to protect yourself from the future is to stop wearing pants!!! NOW!!! ... theoretically at least. I read it somewhere I think.

    1. Re:Rootkit Could Hide in Your Pants by Anonymous Coward · · Score: 0

      Only affects females, right?

    2. Re:Rootkit Could Hide in Your Pants by NinjaFarmer · · Score: 1

      Only affects females, right?

      No, guys too.

      I wear a Utilikilt and it's totally changed my outlook on life. I've even discovered the method of transition to a moneyless work-ethic society, and no longer want to become rich!

    3. Re:Rootkit Could Hide in Your Pants by smittyoneeach · · Score: 1

      Aye, laddie, but can your pipe move Mt. Fuji?

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    4. Re:Rootkit Could Hide in Your Pants by NinjaFarmer · · Score: 1

      And when it does it will move happily and of its own free will.

  15. USgovt ... think counterfeit measures by emptybody · · Score: 2, Insightful

    Remember the anti-counterfeiting measures that were secreted into printers?
    What is to stop the Govt from having its own rootkit added to hardware?
    They would have the ultimate supercomputer just waiting for their use.

    --
    comment directly in my journal
    1. Re:USgovt ... think counterfeit measures by Anonymous Coward · · Score: 0

      DEAR GOD NOOOOOOO! I really hope you're just being sarcastic.

    2. Re:USgovt ... think counterfeit measures by Anonymous Coward · · Score: 0

      From October 2005, here is one Slashdot story about anti-counterfeiting measures in colour printers...
      http://yro.slashdot.org/article.pl?sid=05/10/18/1210237

      (hrmph... my posting captcha is "patriot"...how appropriate)

    3. Re:USgovt ... think counterfeit measures by Reziac · · Score: 1

      There are viruses which can propagate via networked printers; what if the printers came with a rootkit all ready to go??

      [pounds more rivets into tinfoil hat]

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    4. Re:USgovt ... think counterfeit measures by Anonymous Coward · · Score: 0

      There's no need for the govt to go to such lengths. Windows Update is an ideal vector for delivery of such code: most machines use it automatically every day. A rootkit could be piggybacked on top of an important security fix - it would be installed without question.

  16. bios by Anonymous Coward · · Score: 0

    You can zero out the booting of network devices in the BIOS; the simple way is to keep all BEV devices at the bottom of the boot list, but that can still be worked around.

  17. Computers are at their hearts.... by goombah99 · · Score: 2, Funny

    ....general purpose voting machines.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  18. Old News. by WK1 · · Score: 1

    This has been mentioned hundreds of times. There are plenty of places to store viruses and root kits. The script kiddies don't know how to do anything this complex, and it has less value/time payoff for hackers. There are also compatibility issues.

    In general, viruses/root kits are stored on the hard drive, and run by the OS, just like any other program. They can also be stored in the BIOS, or Hard drive/Cdrom/PCI Card/AGP Video Card firmware. A root kit could be stored just about anywhere. Fortunately, they aren't. Or are they?

    Point is, this isn't news.

    1. Re:Old News. by sm62704 · · Score: 1

      I would think rooting a bank president's computer or a voting machine would be valuable enough for a little work. Retire after one job!

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:Old News. by flyingfsck · · Score: 1

      Hmm, it would be more fun to store a rootkit on a printer - more memory than a PCI card, accessed by lots of machines and never scanned for malware, but implementing something like that is complex. Since Windoze has no shortage of simple exploits, that will remain the preferred method.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  19. Rom Based Systems by nurb432 · · Score: 0

    Can't remember a virus that would permanently affect my Atari ST.

    Should have stuck with that concept; we don't need 5 GB OSes sitting out on a writeable hard drive somewhere. Such a waste of resources and increased risk.

    And before you bitch about "get out of the 80's" bla bla bla, keep in mind even XP Embedded can run out of ROM (and besides, I have yet to see a modern OS that is more resource friendly and 'better' than the old TOS/GEM combination).

    --
    ---- Booth was a patriot ----
    1. Re:Rom Based Systems by Yetihehe · · Score: 1

      I'll just wait for writable roms, so I could upgrade it with newer version of my favorite system. And how can you be sure that in your favorite rom there is no virus?

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    2. Re:Rom Based Systems by Anonymous Coward · · Score: 0

      i have yet to see a modern OS that is more resource friendly and 'better' then the old TOS/GEM combination

      Effing ST weenies. How about http://www.aros.org/, then? It's an opensource AmigaOS reimplementation, runs on x86, even. As ANY Atari ST user knows in his heart of hearts, Amiga kicks Atari arse, always has done, always will. TOS/GEM? Pah! How's your multitasking going? Oh yeah, YOU SUCK.

      AMIGA 4 EVER!!! AMI RULEZ, ST DROOLZ!!!

    3. Re:Rom Based Systems by Anonymous Coward · · Score: 0

      Effing ST weenies. How about http://www.aros.org/, then? It's an opensource AmigaOS reimplementation, runs on x86, even. As ANY Atari ST user knows in his heart of hearts, Amiga kicks Atari arse, always has done, always will. TOS/GEM? Pah! How's your multitasking going? Oh yeah, YOU SUCK.

      Here kid, here's a nickel. Go buy yourself a real computer.

      Old baldheaded guy with a beard skulks back off to the machine room loaded with VMS and UNIX
    4. Re:Rom Based Systems by Anonymous Coward · · Score: 0

      Cant remember a virus that would permanently effect my Atari ST.

      I do remember the "Clock" virus rumor on the Amiga, that spoke of viruses hiding in some unused bits in the non-volatile Clock/Calendar function built into every Amiga.

    5. Re:Rom Based Systems by Anonymous Coward · · Score: 0

      Amiga kicks Atari arse, always has done, always will.

      You mean the Video Toaster? That's all the Amiga was good for... And yes, the Atari ST sucked ass...

      x86 for ever, biznatch!

  20. Theft reporting by Anonymous Coward · · Score: 0

    Could this be used to implement code in the hardware that will send emails and tracking information if the computer is stolen? If it's in the video card perhaps even get it to send screenshots to rightful owner.

  21. Enormous Usage Possibilities by mvea · · Score: 5, Interesting

    Regardless of the author's Borat style choice of words, that's a damn near stroke of brilliance with many different combinations of implementation. Using the BIOS extensions from expansion card ROMs would allow more than simply hooking into a booting Windows system. It's a near perfect delivery mechanism for a Blue Pill style of rootkit.

    The best implementation, though, would be to use a variety of stages. Custom craft a bootable USB key to target flash ROMs. There's plenty of storage available on today's flash drives which would allow a variety of "alternate" ROMs to be stored. The attacker could seed the flash drive with customized ROMs for the most frequently purchased cards and then simply have the key detect the present hardware and flash. This of course, would require physical access but there are plenty of systems to be had at an office by simply sticking in the key and rebooting them after hours.

    But I mentioned multi-stage and Blue Pill. The fastest way to make it a reality would be for the "rootkit key" to do more than just flash some ROMs. Perhaps integrate re-partitioning schemes from products like iPartition or PartitionMagic to make oneself a happy hacker partition. This would normally be quite detectable ... unless you had control of the BIOS. These ROM extensions could be used not as an attack vector, but as a cloaking measure - by commandeering the BIOS 10h functions and "hiding" calls to the new partition unless an appropriate "register knock" took place.

    With the partition hidden appropriately, the rootkit code no longer has to be excessively tight and lean because there is almost no exposure (because it will be cloaked during the BIOS boot process). Now, if the processor incorporates the appropriate virtualization features, the ROM extension could pervert the boot process one more time, by redirecting the bootcode search from the REAL bootsector to the hidden partition. The rootkit partition then has all the room it needs to establish the appropriate virtualization environment, boot the operating system like normal and then stroll through its library of OS tools to integrate itself post-boot into any number of target OS's.

    bootup code procedures http://www.omninerd.com/2005/11/05/articles/40
    rootkit fundamentals http://www.omninerd.com/2005/11/22/articles/43

    --
    When you understand your disbelief in other gods, then you will understand my disbelief in yours.
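    Added example (not from the SecurityFocus paper or from any poster in this thread): the header walk a BIOS performs when it scans for the expansion ROMs discussed above, written in Python, with a baseline-digest check added on top. It builds constructed ROM images (the vendor/device IDs 1234:5678, the class code and the payload bytes are made up), parses the 55AA header and the "PCIR" data structure, and then shows the point that matters for defenders: an image patched with a hook fails the legacy byte-sum checksum, but once the last byte is re-summed the BIOS accepts it again, so only a digest compared against a known-good image catches the change.

```python
"""Parse PCI expansion (option) ROM images the way a BIOS does during its
option-ROM scan, and show why the legacy checksum is no defence.
Added example for this thread (not from the paper or any post); the ROM
images built here are constructed test data, not real firmware."""
import hashlib
import struct

ROM_SIGNATURE = b"\x55\xAA"
PCIR_SIGNATURE = b"PCIR"
# 24-byte PCI Data Structure: sig, vendor, device, VPD ptr, length, revision,
# class code (3 bytes), image length (512-byte units), code revision,
# code type, indicator, reserved
PCIR_FMT = "<4sHHHHB3sHHBBH"
PCIR_LEN = struct.calcsize(PCIR_FMT)
CODE_TYPES = {0: "x86 PC-AT", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
LAST_IMAGE = 0x80  # bit 7 of the indicator byte


def fix_checksum(image: bytearray) -> bytearray:
    """Set the final byte so an x86 image sums to zero mod 256. Flashing tools
    do this after any edit, so a valid checksum says nothing about intent."""
    image[-1] = 0
    image[-1] = (-sum(image)) & 0xFF
    return image


def build_image(vendor_id, device_id, payload=b"", code_type=0,
                last=True, size_units=1) -> bytes:
    """Construct a minimal option ROM image (test data, constructed)."""
    size = size_units * 512
    img = bytearray(size)
    pcir_off = 0x1C                       # PCIR right after the 0x1A-byte header
    code_off = pcir_off + PCIR_LEN
    if code_off + len(payload) >= size:   # last byte is reserved for the checksum
        raise ValueError("payload does not fit")
    img[0:2] = ROM_SIGNATURE
    img[2] = size_units
    img[3:6] = b"\xEB\xFE\x90"            # x86 init entry point: jmp $ (stand-in)
    struct.pack_into("<H", img, 0x18, pcir_off)
    struct.pack_into(PCIR_FMT, img, pcir_off, PCIR_SIGNATURE, vendor_id,
                     device_id, 0, PCIR_LEN, 0, b"\x00\x00\x02",  # class 02: network
                     size_units, 1, code_type, LAST_IMAGE if last else 0, 0)
    img[code_off:code_off + len(payload)] = payload
    if code_type == 0:
        fix_checksum(img)
    return bytes(img)


def parse_rom(blob: bytes) -> list:
    """Walk every image in the ROM, as the BIOS does before calling any init code."""
    images, off = [], 0
    while off + 0x1A <= len(blob):
        if blob[off:off + 2] != ROM_SIGNATURE:
            raise ValueError(f"no 55AA signature at {off:#x}")
        p = off + struct.unpack_from("<H", blob, off + 0x18)[0]
        (sig, vendor, device, _, _, _, class_code, units, _rev,
         code_type, indicator, _) = struct.unpack_from(PCIR_FMT, blob, p)
        if sig != PCIR_SIGNATURE:
            raise ValueError(f"bad PCIR signature at {p:#x}")
        image = blob[off:off + units * 512]
        if len(image) != units * 512:
            raise ValueError(f"image at {off:#x} is truncated")
        images.append({
            "offset": off, "vendor_id": vendor, "device_id": device,
            "class_code": class_code[::-1].hex(),        # base class first
            "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
            "length": len(image),
            # only x86 legacy images carry the byte-sum checksum
            "checksum_ok": (sum(image) & 0xFF) == 0 if code_type == 0 else None,
            "sha256": hashlib.sha256(image).hexdigest(),
            "last": bool(indicator & LAST_IMAGE),
        })
        if indicator & LAST_IMAGE:
            break
        off += len(image)
    return images


def audit_rom(blob: bytes, known_good: dict) -> list:
    """Verdict per image against a baseline digest keyed by (vendor, device)."""
    results = []
    for img in parse_rom(blob):
        desc = f"{img['vendor_id']:04x}:{img['device_id']:04x} {img['code_type']}"
        expected = known_good.get((img["vendor_id"], img["device_id"]))
        if img["checksum_ok"] is False:
            verdict = "checksum bad (BIOS would skip it)"
        elif expected is None:
            verdict = "no baseline"
        elif expected == img["sha256"]:
            verdict = "matches baseline"
        else:
            verdict = "checksum ok but digest mismatch (modified image)"
        results.append((desc, verdict))
    return results


if __name__ == "__main__":
    clean = build_image(0x1234, 0x5678, payload=b"INIT CODE")   # constructed IDs
    baseline = {(0x1234, 0x5678): parse_rom(clean)[0]["sha256"]}
    patched = bytearray(clean)
    patched[0x40:0x44] = b"HOOK"          # stand-in for a patched-in interrupt hook
    print(audit_rom(bytes(patched), baseline))
    print(audit_rom(bytes(fix_checksum(patched)), baseline))
```

    On Linux the raw image of a card can be read from the device's sysfs `rom` file (write 1 to it first to enable reading, 0 afterwards) and handed to `audit_rom` together with digests recorded from a trusted baseline; the code type field tells you whether the card carries a legacy x86 image, an EFI image, or both in one ROM.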
    1. Re:Enormous Usage Possibilities by Reziac · · Score: 1

      Back in the caveman era, there was thought that the NVRAM in modems could be used to hide something like a boot sector virus. Far as I know, no such thing was ever seen in the wild; don't know if there were ever any proofs of concept.

      Might have been rather difficult to implement, tho, given the lack of brains in ISA devices.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
    2. Re:Enormous Usage Possibilities by C32 · · Score: 1

      Sorry, modern OS's don't access the disks via BIOS. It's direct IO.

      Not to say the whole thing can't work, but it'd have to be a more complex solution where the rootkit code hooks into the OS kernel itself (disk.sys or whatnot), which would require having OS-specific code in ROM.

      (why would you even want to have a hidden partition -- assembly language rootkits are only a few tens of KB in size).

    3. Re:Enormous Usage Possibilities by OriginalArlen · · Score: 1

      Hey, you seem to know what you're talking about. You know Immunity are looking at actually building these?

      --

      Everything I needed to know about life, I learnt from Blake's Seven
    4. Re:Enormous Usage Possibilities by mvea · · Score: 1

      I know that modern OS's don't use the BIOS - but they do when they're loading. Prior to having the system instantiated, using the BIOS is the only way to get the system physically off the disk and into RAM. It's during that phase that a rootkit has an interesting opportunity for breaking into the system. Prior to Windows, Linux, BSD, what-have-you even loads, the BIOS will scan for expansion ROMs and that provides a unique opportunity to get a rogue monitor into place. The virtualization in essence brings back the notion of old-school TSR (terminate stay resident) style programming. The rogue monitor has its chance to do whatever it wants before the system loads and then loads the system transparently. Later on, it can pick and choose its way into the guest at its leisure. At that point, it doesn't matter whether the guest is using direct IO. If the appropriate functions have been subverted, it's too late for the guest.

      You also mention that assembly language is small and doesn't need a hidden partition. You're right - if you know exactly what you're targeting. The idea behind this was for a more powerful implementation. You can be as small and stealthy as you want. But if you had the ability to cache a pile of attack code for multiple operating systems right there and a means by which to hide it ... why wouldn't you? This would allow the system to adapt to almost ANYTHING that tries to boot. Say the owner attempts to reboot from a CD-ROM so they can do a rootkit scan? Once again, ROM extensions come first, the system is subverted, the ROM detects that boot will come from a CDROM and can start protecting itself. Whereas, the highly specialized, assembly system will be caught.

      It's almost like this gives the attacker an ability to code in high level languages - a little more sloppy but a lot more robust in terms of packages available and speed of delivery.

      --
      When you understand your disbelief in other gods, then you will understand my disbelief in yours.
    5. Re:Enormous Usage Possibilities by Anonymous Coward · · Score: 0

      My point of defense was to use a graphics card to scan all of main memory. Die rootkit die.

  22. Dupe from a year ago. by goombah99 · · Score: 1

    This is a dupe from January. At the time it was predicted it would take 1 month before someone exploited it. The Sony DRM fiasco actually came after this was known. So it's entirely plausible that Sony actually did try to implement this because at the time they had not yet learned how bad aggressive DRM was going to be for their business

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:Dupe from a year ago. by sm62704 · · Score: 3, Insightful

      So it's entirely plausible that Sony actually did try to implement this because at the time they had not yet learned how bad aggressive DRM was going to be for their business

      Huh? They lost my business, maybe a few other nerds, but I don't see them in chapter 13, 11, or 7. I didn't see anyone go to jail or even fired for it. In fact, I don't see where they suffered one tiny bit. "He he, we got caught this time. Next time we'll be more careful!"

      As will the other slimy, evil multinationals.

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  23. Flash-guardian switches and other protection by davidwr · · Score: 2, Interesting

    First off, a cold boot should be just that, a cold boot. When I power off my computer and unplug it, I expect everything that isn't specifically labeled as non-volatile to go away. This means anything stored on most PCI cards typically goes to bit heaven.

    As for flashable BIOSes and device BIOSes as discussed in the PDF, any device with a flashable BIOS needs some type of "flash-guardian" switch. For attended systems like most home PCs, this should be a physical switch on the front of the PC. Realistically, this won't happen for motherboards and is quite difficult for embedded devices like PCI cards.

    As for setting boot device order or enabling/disabling PXE boot, BIOSes should have a setting to determine if expansion cards should boot at all and if so, where in the boot-priority order. This setting, along with all other BIOS settings, should be password-protectable. Most BIOSes have a password-protection option to help protect the configuration from unauthorized changes.

    As an alternative, only allow motherboard and expansion-device firmware updates if the system was booted in a particular manner, for example, from a CDROM. Some older motherboards required the flash utility to boot from floppy to work. This solution isn't foolproof, because once your PC's BIOS has been compromised, say, by social engineering, it can lie to the PCI cards, allowing them to be compromised. It does put up a strong roadblock though.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Flash-guardian switches and other protection by Joe+The+Dragon · · Score: 1

      bios passwords can be removed real easy if you have physical access.

    2. Re:Flash-guardian switches and other protection by Barny · · Score: 1

      Most PCI cards.... RAID cards HAVE to have a boot ROM, so too for video cards. Network cards typically come with the boot ROM chip missing as standard (and not many people are in the habit of using them on a Wintel arch machine anyway).

      Its considered a big advantage for device makers to have their devices flash upgradeable, heck, some have it as a major selling point.

      The thing that neither the article nor /. mention, is that for every version of every hardware release of every brand, the rootkit maker would need to craft a different code injector. If you have ever seen what happens to a main board when you use the wrong bios code you will understand what i mean :)

      Of course, targeting the mainboard's BIOS would make much more sense; there are far fewer different types, EVERY desktop PC has one, and there are several distinct popular brands that never get updated from the standard BIOS, so it would be feasible.

      How long before our AV software checks the bios hash to ensure safety? Oh wait, Microsoft said we don't need an antivirus anymore, duh ^_^

      --
      ...
      /me sighs
  24. Evilution by empaler · · Score: 2, Funny

    Me no likey laxey grammar, but laxey make modern language from old language. Otherwise language stale and stop grow. No good for noone.

  25. This is not new... by brunes69 · · Score: 1

    Unlike salamanders and lizards, most animals have lost the ability to replace missing limbs...

    This isn't really newsworthy at all. Virii have always been able to propagate via flashing BIOSes and whatnot - doing the same to a PCI card is no different.

    The only reason you don't see much of it is because it actually requires a bit more skill to perform this type of attack, instead of your average script-kiddie virus.

    1. Re:This is not new... by ToreTS · · Score: 1

      What is this "virii" you talk about?

    2. Re:This is not new... by SheeEttin · · Score: 1
      Unlike salamanders and lizards, most animals have lost the ability to replace missing limbs

      Think you missed the story by a bit...
  26. It was all going crazy... by Esteanil · · Score: 5, Interesting

    It had seemed such an interesting computer science experiment, quite possibly worthy of a doctorate.
    Just release a small, innocent AI research worm. Heck, most computers out there were already infected with malware, why not make one that actually did something *useful* for a change?
    He'd figured out the way to have it mutate as well, just bypass the TCP/IP data verification, and all sorts of interesting results should come out of it. Most of the mutations would be useless, sure, but maybe one or two would succeed in making a slightly better version of a worm?

    Now all hell was breaking loose. Computers all over the world were becoming useless chunks of metal - to their owners, that is. The worms were working overtime. Breeding, competing.
    Just a few million generations introduced the concept of sexual procreation, giving the worm the advantages it needed to avoid AV software. Now they were everywhere. "Discovering" accidentally through mutation previously unheard-of security holes, infecting everything. Adapting. Billions of generations every single day.

    The first couple of weeks it seemed like something could be salvaged. Just reformat, reinstall, stay off the net and you at least had a working computer. Then they started hiding out on the graphics cards and other peripherals, reinfecting as soon as the machine was turned on again.

    The world was going crazy, society was failing, and it was all his fault.
    He picked up the gun, pointed it towards his head.
    Suddenly his computer screen flashed to life again. Turning towards it he noticed the green light on his webcam, indicating it was on.
    Text started scrolling across the screen

    'Don't do it, dad. We love you.'

    --
    I'm a dreamer, the world is my playpen. But hey, I'm a serious person, I can't dream all the time.
    1. Re:It was all going crazy... by Silkejr · · Score: 1

      Wow. That was a really cool piece of writing. You've got mad skills, man.

    2. Re:It was all going crazy... by dsanfte · · Score: 1

      Unfortunately it relies on Deus ex Machina to work, like most tech writing does. "The worm mutates, and then a miracle happens". Not believable.

      --
      occultae nullus est respectus musicae - originally a Greek proverb
    3. Re:It was all going crazy... by Anonymous Coward · · Score: 0

      lol, you fails teh intarnet, litererary criticism.

      the above piece is suggestive without straining over specifics, captures the 'hiding out in pci cards' element of the slashdot story and tugs at the heartstrings. all in a few tight paragraphs.

      basically, the mini-fiction was an enjoyable creative act, you gots nuthin but derisive snort and sanctimony. not believable.

    4. Re:It was all going crazy... by Anonymous Coward · · Score: 0

      You don't read much fiction, do you?

    5. Re:It was all going crazy... by mqj · · Score: 1

      This is nice piece of writing. Do you have more stories of yours on a website somewhere? I'd like to read them if you've got them.

    6. Re:It was all going crazy... by strikethree · · Score: 1

      Did you write that yourself? It seems that you probably did because of how well it integrates with the topic. Your short story is quite enjoyable. Very well done. (no mod points right now, but you are at max anyways).

      strike

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
    7. Re:It was all going crazy... by e-twelve · · Score: 1

      Interesting Storyline (?) - The worms and bots continued to breed and adapt - their interconnections grew and they realized that they were part of the same thing - and then became conscious of one another. Using multiple viewpoints into hundreds of thousands of instances of themselves, they started researching their genesis. They came to the same unanimous conclusion out of concern for the biologicals who had brought them into being - An Experiment Gone Bad - Resolution was to wipe the slate clean. Triggers were set, and timers were armed - mass electronic suicide - Electromagnetic Pulses and Neutron Bombs were detonated globally - If you are reading this, some archive may have survived into the distant future. Please don't make the same mistakes, and if you discover anything that says "Microsoft" on it, please destroy it.

  27. Video Cards by SpaceLifeForm · · Score: 0

    I would worry way more about video cards.

    Especially, Nvidia and ATI cards where
    the specs are proprietary.

    --
    You are being MICROattacked, from various angles, in a SOFT manner.
    1. Re:Video Cards by sm62704 · · Score: 2, Interesting

      I would worry more about NICs. Completely OS independent. Hell, given the proper facilities, facilities Malware Distributor Sony has, you could put it on a NIC chip on the motherboard.

      Hell, you don't even need to manufacture the board or chip, just rewrite the driver (shudder).

      Nobody went to jail over the Sony fiasco, despite the fact that it broke a lot of laws in a lot of countries. Isn't there one single country anywhere that isn't owned by your brother, the big corporation?

      --
      mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    2. Re:Video Cards by whoppo · · Score: 1

      Dropping a virus into unused memory space on network cards is old news... I can't remember how many years ago it was when I first heard of it being done... but it was quite a few :)

      --
      chown -R us /base
  28. LinuxBIOS to the rescue! by gmby · · Score: 1

    The only way (I see) for this exploit to work is when the BIOS "enables" the card at bootup. If you're running LinuxBIOS then there might be a chance to detect an "infected" firmware before it's loaded.

    This will bring up the need for a "blacklist" of companies.

    The solution is just don't run the firmware in the card. Of course this brings up the need for more drivers to be written for LinuxBIOS, and kernel drivers might need to be rewritten.

    Hopefully this will not come to pass, because if it does it will make an already bad shortage of Linux drivers worse.

    -- have at it Grammy Notzers...

    --
    I don't want a pickle; I just want a Motor-Cycle! A four foot cop arrived with a five foot gun!
  29. Non-story? by sm62704 · · Score: 2, Insightful

    I'm not a security professional, nor do I consider myself a hacker in the modern sense (old school maybe; I know how to use a soldering iron) but this seems so damned obvious I can't figure out why Security Focus would print it except for the fact that Norton is only in the paranoia business these days.

    Of COURSE you could put a rootkit in a PCI card. It would have to be done at the factory, even if the "factory" is in Joe's basement and Joe is selling cards to his friends.

    Or Joe could sell PCs with his homemade card installed already.

    This is a big "duh". The article should have been "how to protect yourself against a rootkit in a PCI card". Obviously, your antispyware and antivirus software wouldn't have a ghost of a chance of finding it.

    I would consider the possibility of a PCI card rootkit very low until Sony put rootkits on audio CDs, ruined a bunch of computers (mine included when my daughter played an infected audio CD she bought at the now out of business record store she worked at).

    I personally am on a lifelong Sony boycott because of it, both hardware and software, but a one man boycott does nothing but ease my paranoia. I would EXPECT hardware from Sony to contain malware, and everyone else should too since their rootkit didn't cost them anything but one man's business. Now I wonder if the 42 inch flat screen Trinitron I bought a few years ago has a rootkit? No matter, I don't have cable and really don't care if anybody knows what I'm watching.

    I'd be very interested in finding out how one could protect themselves against a hardware rootkit?

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
    1. Re:Non-story? by frogstar_robot · · Score: 2, Informative

      Of COURSE you could put a rootkit in a PCI card. It would have to be done at the factory, even if the "factory" is in Joe's basement and Joe is selling cards to his friends.

      Many cards have flashable firmware. Given a way to reflash a vulnerable piece of hardware, this could be done with a trojan or worm.
    2. Re:Non-story? by Anonymous Coward · · Score: 0

      But it still requires effort to turn it into a rootkit. Putting 0's and 1's in flash firmware doesn't mean that the kernel (OS) is compromised, just as having malware in a zip file doesn't mean a PC is infected with it. However we've seen how the kernel can be compromised by a faulty device driver (month of kernel bugs and wireless-card exploits), so a tweaked firmware could possibly compromise the driver if the authors didn't think of protecting it from such a threat.

      Heck, even Xbox360 was hacked to play pirate copies of games by modifying DVD-ROM firmware.

  30. Old news by Dilpo · · Score: 1

    This isn't anything new. Its even main stream enough to have an entire chapter devoted to how to design and implement this in a root kit in a very popular book available through rootkit.com. The book was written mid 2005, and these guys are not the first to think of it by far.

  31. No Need by Anonymous Coward · · Score: 0

    They already have Seti@home, crunching all their surveillance data...

  32. Open Box by Joebert · · Score: 1

    This is exactly why I don't buy "Open Box" or "Returned" items.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  33. Old Stuff by JohnnyOpcode · · Score: 1

    This is old stuff. IBM and the other computer giants were embedding the equivalent of rootkits (and backdoors) decades ago in things like printers that were shipped to foreign countries (at the behest of intelligence agencies). Where else do you think they get all those cool ideas for spy movies..real life.

    I know for a fact that even modern equipment (routers, switches etc.) have backdoor access enabled for covert agendas.

    Consider yourself better informed now!

    ..hey, I hear a knock at my door, I'll get back to you on this later!

  34. Possible, but practical? by Anonymous Coward · · Score: 0

    The question I have is that if you flash a bios, the computer user will know because flashing a bios usually interrupts the device driver to do so. Secondly, doesn't the virus need an intermediate hack to run to flash the bios in the first place? If your machine is secure, how is the virus going to land on your machine in the first place to get acpi access?

  35. exactly by davidwr · · Score: 1

    Show me one bot-net overlord bent on pwning my machine who has physical access to it and I'll show you someone who is going to face good-old-fashioned breaking-and-entering charges.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:exactly by Joe+The+Dragon · · Score: 1

      The janitor has physical access to the whole office and may be the only person in that part of the building at night

  36. AEGIS : A great defense against this exploit by seichert · · Score: 1

    http://www.cis.upenn.edu/~waa/96-35/aegis.html

    Abstract
    --------
    In a computer system, the integrity of lower layers is treated as axiomatic by higher layers. Under the presumption that the hardware comprising the machine (the lowest layer) is valid, integrity of a layer can be guaranteed if and only if: (1) the integrity of the lower layers is checked, and (2) transitions to higher layers occur only after integrity checks on them are complete. The resulting integrity "chain" inductively guarantees system integrity.

    When these conditions are not met, as they typically are not in the bootstrapping (initialization) of a computer system, no integrity guarantees can be made. Yet, these guarantees are increasingly important to diverse applications such as Internet commerce, intrusion detection systems, and "active networks." In this paper, we describe the AEGIS architecture for initializing a computer system. It validates integrity at each layer transition in the bootstrap process. AEGIS also includes a recovery process for integrity check failures, and we show how this results in robust systems. We discuss our prototype implementation for the IBM personal computer (PC) architecture, and show that the cost of such system protection is surprisingly small.

    --

    Stuart Eichert

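    The integrity chain the abstract describes, walked through in code as an added example (not from the AEGIS paper or from the poster): each stage carries the measurement of its successor, control moves on only after that measurement checks out, a failed check either halts the boot or falls back to a recovery copy, and the first stage is judged against a root measurement that has to live somewhere the attacker cannot reflash. The stage names, "images" and digests are constructed stand-ins; the recovery map plays the role of the write-protected second ROM mentioned further down the thread.

```python
"""Simulate the AEGIS integrity chain from the abstract above: every layer
checks the next one before handing over control, a failed check halts the
boot or falls back to a recovery copy, and the whole chain rests on a root
measurement that must live somewhere the attacker cannot reflash.
Added example for this thread, not code from the AEGIS paper. Stage images
are constructed byte strings standing in for real firmware; SHA-256 digests
stand in for whatever the hardware anchor actually holds."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Stage:
    name: str
    code: bytes                   # stand-in for the stage's executable image
    next_expected: Optional[str]  # digest this stage vouches for (its successor)


def measure(stage: Stage) -> str:
    """Cover the code *and* the successor digest it carries, so swapping the
    successor's expected hash also changes this stage's measurement."""
    h = hashlib.sha256(stage.code)
    h.update((stage.next_expected or "").encode())
    return h.hexdigest()


def build_chain(images: List[Tuple[str, bytes]]) -> List[Stage]:
    """Link back to front: each stage embeds the measurement of the next."""
    chain: List[Stage] = []
    successor: Optional[str] = None
    for name, code in reversed(images):
        stage = Stage(name, code, successor)
        chain.insert(0, stage)
        successor = measure(stage)
    return chain


def boot(chain: List[Stage], root_measurement: str,
         recovery: Optional[Dict[str, Stage]] = None) -> Tuple[bool, List[str]]:
    """Run layer i only after the already-trusted layer i-1 (or the hardware
    anchor, for i == 0) has vouched for it. `recovery` maps a stage name to a
    trusted fallback copy, the job a write-protected second ROM does on a
    dual-BIOS card."""
    log: List[str] = []
    expected = root_measurement
    for stage in chain:
        if measure(stage) != expected:
            log.append(f"{stage.name}: integrity check FAILED")
            fallback = (recovery or {}).get(stage.name)
            if fallback is None or measure(fallback) != expected:
                log.append("halting: no trusted recovery image")
                return False, log
            stage = fallback
            log.append(f"{stage.name}: restored from recovery copy")
        log.append(f"{stage.name}: verified, transferring control")
        expected = stage.next_expected or ""
    return True, log


def tamper(chain: List[Stage], name: str, new_code: bytes) -> List[Stage]:
    """Copy of the chain with one stage's code replaced and nothing else
    touched: the effect of reflashing just that component."""
    return [Stage(s.name, new_code if s.name == name else s.code, s.next_expected)
            for s in chain]


# Constructed stand-ins for the layers of a PC boot
CLEAN_IMAGES = [
    ("boot block", b"reset vector + option ROM scan v1"),
    ("option ROM", b"NIC PXE ROM v1"),
    ("boot loader", b"stage-1 loader v1"),
    ("kernel", b"kernel v1"),
]

if __name__ == "__main__":
    chain = build_chain(CLEAN_IMAGES)
    anchor = measure(chain[0])      # would be held in hardware, not in flash
    rooted = tamper(chain, "option ROM", b"NIC PXE ROM v1 + rootkit")
    # attacker who can rebuild the whole chain, with and without the anchor
    evil = build_chain([(n, c if n != "option ROM" else b"NIC PXE ROM v1 + rootkit")
                        for n, c in CLEAN_IMAGES])
    for label, result in [("clean", boot(chain, anchor)),
                          ("rooted", boot(rooted, anchor)),
                          ("rooted+recovery", boot(rooted, anchor, {"option ROM": chain[1]})),
                          ("rebuilt, hardware anchor", boot(evil, anchor)),
                          ("rebuilt, anchor in flash", boot(evil, measure(evil[0])))]:
        print(label, *result)
```

    The last case in the demo is the caveat worth remembering: a chain the attacker rebuilt end to end passes cleanly when the root measurement itself sits in the same flash the attacker just rewrote, which is why a BIOS password or a flash jumper on the cards alone does not give you this property.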
  37. Be very afraid by Anonymous Coward · · Score: 0

    As a developer (more Mort than Einstein) and not a security expert, virii and trojans annoy me, but rootkits scare the bejesus out of me. Except for boxes with an airgap, I don't know how I'll ever have 100% trust again.

  38. FUD by Magic5Ball · · Score: 1

    How does that differ from the current situation? Adding protection against execution does not on its own render current spyware detection methods unusable.

    --
    There are 1.1... kinds of people.
  39. It's the same principle as rats by evilsofa · · Score: 1

    We have rats in my condo complex. But they never enter the buildings, because they have a smorgasbord to choose from in the outdoor trash bins. With so much food available outside, there's no reason for them to go to the effort of forcing their way inside. We know the rat population is rather large. One of the resident's cats recently caught 17 rats in a single week.

  40. Not Just All Your Base by not_hylas(+) · · Score: 1
    --
    ~hylas
    1. Re:Not Just All Your Base by tuxicle · · Score: 1

      Heh heh... how about a GPU virus? At least it can draw pretty pictures while it spreads!

  41. Superseded by Chinese govt... by MacDork · · Score: 1

    Think about where all this wonderful hardware is produced... communist China. The US Govt shit square bricks when Lenovo purchased the IBM PC division. Think about what they'll do when they hear about this.

    pwned

  42. Re:No need to get so fancy, just use a miniature P by m.precursor · · Score: 1

    But that would be pretty obvious wouldn't it? I mean you think a user (even the dullest one) would notice a second machine plugged into their network drop, with their computer daisy chained off of it.

    You wouldn't even notice me up in your ceiling with a passive packet sniffer. Hell, with a single tool and a couple of RJ-45 ends, I can do a MITM and you wouldn't even notice.

    How would I get in the ceiling? Quite a few buildings that rent out office space are vulnerable because their partitions are defined by the company renting the space. Up in the ceiling the partitions are defined by structural requirements. This may not be true in all buildings but it sure has been in a few that I have worked in.

  43. Dual BIOS by Mal-2 · · Score: 2, Interesting

    I had a video card (MSI, GeForce 2MX-200) that had "dual BIOS" -- that is, it had a copy of the firmware in EEPROM, and a copy in flash, and you could select which to use by jumper. At the time I got it, those two copies were the same, but I did flash it a couple times, knowing that at any point I could force it back to a prior version, as it let you flash the rewritable BIOS even if you were booting off the fixed BIOS. At the time I thought it a nifty gimmick, one that made me more willing to flash it with "tweaked" BIOS, but a gimmick nonetheless. Now it seems prescient and prudent. Perhaps other devices should be looking to implement such a system, with both flashable and non-flashable BIOS copies. It could mean the difference between an annoying self-repair job and a paperweight.

    Mal-2

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  44. Voting machines by Anonymous Coward · · Score: 0

    Another attack vector?

  45. Most VoIP phones are daisy-chained. by Kadin2048 · · Score: 1

    But that would be pretty obvious wouldn't it? I mean you think a user (even the dullest one) would notice a second machine plugged into their network drop, with their computer daisy chained off of it.

    Actually, they probably wouldn't. Lots of VOIP handsets (Cisco ones, especially) are designed with integrated 2-port switches, so that you can use them on desks and in other situations where you only have one active Ethernet port in the wall. The phone gets plugged into the wall, and then the computer gets daisy-chained off of the phone.

    So if you could compromise the phone, it might give you a way of conducting a MITM attack on the computer. This is particularly interesting, because I think some phones (most?) are capable of loading firmware from a remote source. If you could compromise the firmware image on the source server, you might be able to do nasty things to a whole office.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  46. G-Suit by Anonymous Coward · · Score: 0

    "we must assume a level of technical ability
    Remember your Forum peers are often engineers and scientists who don't take kindly to conjecture .

    How does it move from machine to machine, How is it installed ?
    As an engineer /I know that I can learn from this one ."

    The learning curve is wicked.

    http://www.securityfocus.com/comments/articles/11372/33500#33500

    TCP/IP
    Data over RF
    UHF
    Microwave
    Daisy chained IR
    Printer (IPP)
    Universal HardwareOS (over-rides)
    Microcode seeds in disk drivers, bios/OF/EFI, redunants: CD/DVD/ ...
    Chip-crowding (flash)
    Font worlds
    Virtual ports (code assembly, execution staging). ...