Dailydave mailing list archives
Re: Rootkit Detection - No Worries
From: Nicolas RUFF <nruff () security-labs org>
Date: Tue, 05 Jul 2005 08:21:16 +0200
Now, rootkits aren't really my thing, so feel free to point and laugh - but I seem to recall there being discussion during Greg Hoglund and Jamie Butler's rootkit training course at Blackhat last year re: infecting hardware (or, more to the point flashable firmware type stuff) such that malicious code could survive warm reboots, cold reboots and even hard drive reformatting/replacement. I've heard some other random discussions and anecdotal evidence to suggest that this might be possible. Sadly, I have neither the spare time, nor the hands-on hardware/firmware experience to know just how realistic a scenario this is. Is anyone on-list looking in detail at this sort of stuff? Is it realistic, or more science-fiction based? I, for one, would love to know. :-)
Talking about hardware rootkits, I would like to mention that I was recently given a "set-top box" by my ISP. I am required to use this piece of hardware to access extended services over the ADSL connection, such as pay-per-view digital TV and free phone comms.

Since I am curious, I had a look at the running software: it appears that it is some kind of embedded RTOS Linux for MIPS processor, with an old kernel, many services enabled, and a trivial 'root' password (4 digits). In the first firmware versions, the telnet port (who said SSH?) was accessible from the Internet.

Now let's just imagine that some kind of virus, knowing the 'root' password, uploads a kernel module, changes the 'root' password, and disables automatic updates ... You have just built a 500,000+ member botnet, and most of the end users would never notice anything (antivirus software on a cable modem?).

BTW, the only fix would be to remove the CF card inside and reflash it with a brand new firmware, requiring physical maintenance from the operator.

Any thoughts?

-nicolas-

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
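An operator-side check for the takeover indicators the post describes (telnet reachable on every interface, root password changed away from the fleet baseline, automatic updates switched off, a kernel module that is not in the firmware build). This is example code added to this archive page, not from the thread or from any ISP; the status-dump format, the module allowlist and the hash values are all constructed placeholders.

```python
"""Fleet audit for the set-top-box takeover scenario (constructed example)."""
import re

# Baseline an operator would hold per firmware build (constructed placeholders).
FACTORY_MODULES = {"ipv6", "ext2", "usbcore", "dsl_drv"}
FACTORY_ROOT_HASH = "factory-hash-placeholder"

# Constructed status dumps, as a management channel might collect them.
CLEAN_BOX = """
device: stb-0001
listeners: 127.0.0.1:23 0.0.0.0:80
root_hash: factory-hash-placeholder
auto_update: on
modules: ipv6 ext2 usbcore dsl_drv
"""
SUSPECT_BOX = """
device: stb-0002
listeners: 0.0.0.0:23 0.0.0.0:80
root_hash: 9f2a-changed-placeholder
auto_update: off
modules: ipv6 ext2 usbcore dsl_drv unlisted_mod
"""

def parse_record(text):
    """Parse a 'key: value' dump into a dict; 'modules' becomes a set of names."""
    rec = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        rec[key.strip()] = value.strip()
    rec["modules"] = set(rec.get("modules", "").split())
    return rec

def audit(rec):
    """Return the findings for one device record (empty list means clean)."""
    findings = []
    if re.search(r"\b0\.0\.0\.0:23\b", rec.get("listeners", "")):
        findings.append("telnet listening on all interfaces")
    if rec.get("root_hash") != FACTORY_ROOT_HASH:
        findings.append("root password hash differs from factory baseline")
    if rec.get("auto_update", "").lower() != "on":
        findings.append("automatic updates disabled")
    unknown = rec["modules"] - FACTORY_MODULES
    if unknown:
        findings.append("unknown kernel modules: " + ", ".join(sorted(unknown)))
    return findings

def audit_fleet(dumps):
    """Map device id -> findings for every dump in the fleet."""
    return {rec["device"]: audit(rec) for rec in map(parse_record, dumps)}
```

Run against the two constructed dumps, `audit_fleet([CLEAN_BOX, SUSPECT_BOX])` reports nothing for stb-0001 and all four findings for stb-0002.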