Rootkit Could Hide In PCI Cards
Reverse Gear writes "SecurityFocus has an interesting article about a paper published on the possibility of hiding a rootkit in different PCI cards and having the rootkit survive a reboot or cleansing of the hard disk. It seems though that the author of the article doesn't think this would be abused frequently.
From the article and paper: '(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise.'"
Useless... if you own the box, you can bypass the driver and program the card's firmware by yourself. It's the card that should do some kind of check on the code which gets uploaded. Been there, done that.
From RiskBloggers.com:
Miniature Computers That Can Break Your Network Wide Open
One aspect of information security that is often overlooked is physical security. While attention is often paid to secure areas containing servers, network equipment and telecommunication gear, not as much attention has been paid to the fringes of the network. Although some security standards such as 802.1x and various network access control (NAC) products exist that can be used to address the network fringe, they all contain one major weakness.
Assuming a network has implemented end-to-end security in the form of 802.1x or a network access control (NAC) solution, they all make one major assumption: that a man-in-the-middle attack can't be executed once the endpoint has authenticated. For example, 802.1x addresses this directly: if the network port detects that the connection is dropped, it requires the endpoint to re-authenticate before it's allowed to have network access again. If the network hasn't implemented such a scheme, then it becomes trivial to execute a man-in-the-middle attack by physically inserting another computer in between the network equipment and the end machine.
But that would be pretty obvious, wouldn't it? I mean, you'd think a user (even the dullest one) would notice a second machine plugged into their network drop, with their computer daisy-chained off of it.
Maybe. Maybe not.
This is indeed interesting. However, it is kind of in line with the nature of software.
Wherever there's software, there's always a chance that some form of malware could be written for it.
The chances could be from
1) Installation by unsuspecting users
2) Malware code inserted in the many, many lines of non-malware code
It is very hard to really lock down software unless it's a computing device not connected online and left to sit in the corner of the room, and no one installs any other software on it.
Whenever someone goes on about `trust` and computers, show them this:
http://cm.bell-labs.com/who/ken/trust.html
(Some people attempt to continue babbling, talking of new detection techniques, and expensive hardware, but you'll have done your bit.)
Because lots of expansion cards have BIOS option ROMs: http://en.wikipedia.org/wiki/BIOS#Firmware_on_adapter_cards
Most noticeable are video cards, which *all* have one, most RAID cards, all bootable SCSI cards, and many network cards. All option ROMs are enumerated automatically by the BIOS at boot time and, if present, run.
Of COURSE you could put a rootkit in a PCI card. It would have to be done at the factory, even if the "factory" is in Joe's basement and Joe is selling cards to his friends.
Many cards have flashable firmware. Given a way to reflash a vulnerable piece of hardware, this could be done with a trojan or worm.