Dailydave mailing list archives

Re: Rootkit Detection - No Worries


From: Nicolas RUFF <nruff () security-labs org>
Date: Tue, 05 Jul 2005 08:21:16 +0200

Now, rootkits aren't really my thing, so feel free to point and laugh
- but I seem to recall there being discussion during Greg Hoglund and
Jamie Butler's rootkit training course at Blackhat last year re:
infecting hardware (or, more to the point, flashable firmware type
stuff) such that malicious code could survive warm reboots, cold
reboots and even hard drive reformatting/replacement. I've heard some
other random discussions and anecdotal evidence to suggest that this
might be possible.

Sadly, I have neither the spare time, nor the hands-on
hardware/firmware experience to know just how realistic a scenario
this is. Is anyone on-list looking in detail at this sort of stuff?
Is it realistic, or more science-fiction based? I, for one, would
love to know. :-)

Talking about hardware rootkits, I would like to mention that I was
recently given a "set-top box" by my ISP. I am required to use this
piece of hardware to access extended services over the ADSL connection,
such as pay-per-view digital TV and free phone comms.

Since I am curious, I had a look at the running software: it appears
that it is some kind of embedded RTOS Linux for MIPS processor, with an
old kernel, many services enabled, and a trivial 'root' password (4
digits). In the first firmware versions, the telnet port (who said SSH?)
was accessible from the Internet.

Now let's just imagine that some kind of virus, knowing the 'root'
password, uploads a kernel module, changes the 'root' password, and
disables automatic updates ... You have just built a 500,000+ member
botnet, and most of the end users would never notice anything (antivirus
software on a cable modem?). BTW, the only fix would be to remove the
CF card inside and reflash it with a brand new firmware, requiring
physical maintenance from the operator.

Any thoughts?
-nicolas-
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
