Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hiding a Rootkit In System Management Mode

Posted by kdawson on from the can-you-see-me-now dept.

Sniper223 notes a PC World article on a new kind of rootkit recently developed by researchers, which will be demoed at Black Hat in August. The rootkit runs in System Management Mode, a longtime feature of x86 architecture that allows for code to run in a locked part of memory. It is said to be harder to detect, potentially, than VM-based rootkits. The article notes that the technique is unlikely to lead to widespread expoitation: "Being divorced from the operating system makes the SMM rootkit stealthy, but it also means that hackers have to write this driver code expressly for the system they are attacking."

7 of 119 comments (clear)

  1. Re:My BIOS has a toggle for virtualization feature by Anonymous Coward · · Score: 5, Informative

    Nope! This isn't using Virtualization mode.

  2. hmm by extirpater · · Score: 5, Funny

    i have norton, problem solved.

    1. Re:hmm by v1 · · Score: 5, Funny


      Isn't that like using a gun to prevent a cold? Yes I suppose it's effective, but still...

      --
      I work for the Department of Redundancy Department.
    2. Re:hmm by extirpater · · Score: 5, Funny

      Isn't that like using a gun to prevent a cold? Yes I suppose it's effective, but still... soldering gun is exactly for this
  3. Difficult in practice by Anonymous Coward · · Score: 5, Interesting

    In theory, SMM is the ultimate rootkit hiding place. In practice, it's difficult to exploit on a wide scale. Getting the system to execute rootkit code in SMM isn't easy. You're going to need an exploitable BIOS bug, or the ability to reflash the ROM. Either is going to be very system-specific.

  4. Re:LiveCD by Anonymous Coward · · Score: 5, Informative

    If the code runs in SMM and is launched from the BIOS a live CD doesn't avoid the problem.

  5. Re:oooooh scary by Anonymous Coward · · Score: 5, Informative

    Depending on the BIOS, the chipset itself can be configured to explicitly make it impossible for the OS's kernel to even read or write the specific memory range that it being used for SMM.

    The attack vector is made a lot easier because most BIOS vendors don't blockhole the address range as they need to support USB devices DMAing into the Aseg and Tseg segments (the memory ranges utilized by SMM). This is what you pay for to be able to use a USB keyboard in DOS. Legacy emulation so that all those ancient BIOS interrupt calls continue to work with your latest input devices..

    If there is a modern operating system running, there is a handoff between the OHCI driver and the SMM using a mailbox register on the usb controller so that the BIOS stops using the USB controller. What this means that modulo BIOS services that do things like control fans (and aren't implemented in ACPI), something could slip into SMM quite easily and flip the bit that makes it impossible for your antivirus to find it.