Slashdot Mirror


Hiding a Rootkit In System Management Mode

Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode (SMM), a longtime feature of the x86 architecture that allows code to run in a locked region of memory (SMRAM) outside the operating system's view. It is said to be potentially harder to detect than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread exploitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."

7 of 119 comments

  1. hmm by extirpater · · Score: 5, Funny

    i have norton, problem solved.

    1. Re:hmm by v1 · · Score: 5, Funny

      Isn't that like using a gun to prevent a cold? Yes I suppose it's effective, but still...

      --
      I work for the Department of Redundancy Department.
    2. Re:hmm by extirpater · · Score: 5, Funny

      "Isn't that like using a gun to prevent a cold? Yes I suppose it's effective, but still..."

      A soldering gun is exactly for this.
    3. Re:hmm by jotok · · Score: 4, Funny

      Yes, but running Norton, he won't have any free RAM for the rootkit to be loaded into.

  2. Re:Difficult in practice by garett_spencley · · Score: 3, Funny

    "You're going to need an exploitable BIOS bug, or the ability to reflash the ROM. Either is going to be very system-specific."

    Exactly. Windows was written to solve this very problem. All this talk about hiding root kits in SMM is one giant leap backwards.

  3. I'm Canadian, you insensitive clod! by Anonymous Coward · · Score: 2, Funny

    Science Museum of Manitoba, eh!

  4. Re:oooooh scary by j00r0m4nc3r · · Score: 2, Funny

    All these new "unstoppable supervirus: we're all gonna die!" articles are idiotic and wrong.

    That's exactly what the unstoppable supervirus wants you to think!