Slashdot Mirror


Hiding a Rootkit In System Management Mode

Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode, a longtime feature of the x86 architecture that allows code to run in a locked part of memory. It is said to be potentially harder to detect than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread exploitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."

2 of 119 comments

  1. Re:oooooh scary by Anonymous Coward · Score: 0, Redundant

    Oh boy, I love ridiculously overly dramatic BS! Yes, it's very easy for it to hide there and for there to be basically no signs that it's there. OMG, everyone run for the hills! Oh wait, malware doesn't just sit there, it does stuff. It runs threads, it reads from and writes files on the hard drive, and it has to at some point send some sort of data over the internet or local network. So yeah, no virus can hide and still cause damage and spread while remaining undetected.
    Thanks for your argument stating that malware and viruses are not an important issue. Unfortunately we had to reject your submission because you are empirically wrong.

    Also, nice strawman argument, but the article (or even the summary) didn't say that the malware would remain 100% undetected. It merely stated that this technique is more difficult to detect.
  2. Re:hmm by DigiShaman · Score: 0, Redundant

    Isn't that like using a gun to prevent a cold? Yes I suppose it's effective, but still...

    Sure, if you put it up to your head and pulled the trigger. I doubt that cold is still going to be an issue from there on.

    --
    Life is not for the lazy.