Hiding a Rootkit In System Management Mode

← Back to Stories (view on slashdot.org)

Hiding a Rootkit In System Management Mode

Posted by kdawson on Sunday May 11, 2008 @10:57AM from the can-you-see-me-now dept.

Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode, a longtime feature of x86 architecture that allows for code to run in a locked part of memory. It is said to be harder to detect, potentially, than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread expoitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."

13 of 119 comments (clear)

Min score:

Reason:

Sort:

LiveCD by Anonymous Coward · 2008-05-11 11:20 · Score: 2, Interesting

With all the security issues that we hear so much about, I have decided that one potential way of avoiding most of them is to run a liveCD distro of whatever OS when working with sensitive data.
I do all my internet banking via freeBSIE now - yes it takes a veeeeery long time to boot, and I know that it doesn't solve ALL of the problems but it has to eliminate enouogh problems to be a viable solution.
Agree / disagree ?
Difficult in practice by Anonymous Coward · 2008-05-11 11:24 · Score: 5, Interesting

In theory, SMM is the ultimate rootkit hiding place. In practice, it's difficult to exploit on a wide scale. Getting the system to execute rootkit code in SMM isn't easy. You're going to need an exploitable BIOS bug, or the ability to reflash the ROM. Either is going to be very system-specific.
1. Re:Difficult in practice by moteyalpha · 2008-05-11 11:42 · Score: 4, Interesting
  
  This is one area where I have worked a bit and there is tremendous potential for abuse of VMM and SMM when you combine it with users that trust a company to deliver binaries. I will not use a binary program, unless I have the source and can verify it is legitimate. A bit of social engineering and the right picture and an uninformed user will be flashing their BIOS while they wait for the security update they think they are getting. If it is done right, this type of program can remain dormant and use no CPU time to give itself away, until it is keyed to act in something like a bot net or some other purpose.
Re:hmm by Anonymous Coward · 2008-05-11 11:25 · Score: 3, Interesting

Strongly suggest you spend some time learning about SMM. Hnt: the OS stops running while this takes place in the background - Norton wouldn't have a clue.
There could be something to this by lakeland · 2008-05-11 11:39 · Score: 3, Interesting

Lets say you are an evil terrorist hell-bent on infultrating the American military and wrecking havoc.

It seems to me that this would be exactly the sort of thing you'd look for. Military machines are specced very precisely, you'd know exactly what hardware was on the system so drivers wouldn't be much of an issue.

All you'd have to do is sneak your code in here once, and the timebomb would be ticking for when you want to activate it. Yeah, it wouldn't be easy to get it on there, but it means breaking through once allows you to lay a trap for another time. That sounds pretty serious to me.
1. Re:There could be something to this by PhireN · 2008-05-11 12:36 · Score: 2, Interesting
  
  Its true, I worked in a company involved in air traffic control over the summer, And the computers which they had to use were old Compaq servers from 1998, of a certain model, with exactly x ram.
  They were using eBay to track down replacements.
IPMI Card Vulnerabilities by landonf · 2008-05-11 11:52 · Score: 4, Interesting

What about vulnerabilities in onboard IPMI cards? Our new servers have ARM-based cards running Linux. The built-in HTTP server is vulnerable to a widely-known buffer overflow:
landonf@ahost:~> telnet XXX.XXX.XXX.XXX 80 Trying XXX.XXX.XXX.XXX... Connected to XXX.XXX.XXX.XXX. Escape character is '^]'. GET /x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/x/ HTTP/1.0 Connection closed by foreign host. landonf@timor:~> telnet XXX.XXX.XXX.XXX 80 Trying XXX.XXX.XXX.XXX... telnet: connect to address XXX.XXX.XXX.XXX: Connection refused
Seems like a recipe for compromised data centers, to me. Re-imaging a machine won't touch the IPMI card.

--
http://plausible.coop
Re:oooooh scary by Anonymous Coward · 2008-05-11 12:14 · Score: 1, Interesting

At last, someone who is familiar with the problem and the technology involved. Yes, SMM memory space is often locked by the BIOS and not subject to viewing by antivirus. Not that antivirus would know what code written to run in SMM looks like since it's not exactly a normal Windows or Linux binary.
How specific of a target? by rocketPack · 2008-05-11 12:18 · Score: 4, Interesting

TFS says the code must be specifically targeted to a particular machine which, on a PC, means a very big challenge.

On a Mac, however, you could easily target a very large number of people using only a very small number of hardware variations. Could this exploit be better suited to Macs than PCs? On the other hand, it also seems like it would be equally easier to detect the problem, since your algorithm can be fairly specific (both in terms of Macs and PCs), since the code needed to exploit would be rather specific.
Re:oooooh scary by Anonymous Coward · 2008-05-11 12:23 · Score: 4, Interesting

FWIW, an even easier vector for stuffing data into the SMM, and not as a BIOS payload (which will be very motherboard specific) is to chain it into the VGA BIOS (which most PCs have..). The VGA bios is nice because it's a very clean interface (as far as option roms go) for getting called and you can chain in the real VGA bios after doing whatever you see fit.

You can even have it trigger on the first BIOS calls of the windows bootloader so that you can easily overwrite the SMM memory regions in a nice and portable way.
General Software BIOS by Anonymous Coward · 2008-05-11 18:59 · Score: 1, Interesting

Have a look at General Software's Firmbase technology. They are using the SMM for lots of crazy stuff - a tiny OS is running in SMM mode. It is interacting with USB, network adapter, serial ports etc. It has a web server, telnet server, snmp server... It is possible to get a prompt on serial port to poke the hw registers, memory, cpu registers etc while the main OS is running and doesn't have a clue what's going on. This comes very handy when developing drivers for such systems, but if some evil bios engineer would add an exploit to SMM, nobody would figure out where to look for it.
Re:oooooh scary by cbrocious · 2008-05-12 01:16 · Score: 3, Interesting

ACPI is even easier and it's far more portable (that is, less specific to a given hardware configuration)

--
Disconnect and self-destruct, one bullet at a time.
Re:Invisible to anti-virus? by Opportunist · 2008-05-12 01:58 · Score: 2, Interesting

A signature can only catch what it knows. Now, it may match any variant of a known virus or at least a known exploit strategy, but it as well may not. Malware writers do check their creations against the most used AV kits. In a targeted attack, they usually even know what AV suit their target uses. So it is likely that at the time of launch, no relevant AV suit detects a certain trojan.

Malware writers ain't dumb. They know they are the offensive player in that game and they use that advantage.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.