Dailydave mailing list archives

Re: Rootkit Detection - No Worries


From: Matt Hargett <matt () use net>
Date: Tue, 05 Jul 2005 14:43:27 +0000

Nicolas RUFF wrote:
> Now, rootkits aren't really my thing, so feel free to point and laugh
> - but I seem to recall there being discussion during Greg Hoglund and
> Jamie Butler's rootkit training course at Blackhat last year re:
> infecting hardware (or, more to the point flashable firmware type
> stuff) such that malicious code could survive warm reboots, cold
> reboots and even hard drive reformatting/replacement. I've heard some
> other random discussions and anecdotal evidence to suggest that this
> might be possible.
> Sadly, I have neither the spare time, nor the hands-on
> hardware/firmware experience to know just how realistic a scenario
> this is. Is anyone on-list looking in detail at this sort of stuff?
> Is it realistic, or more science-fiction based? I, for one, would
> love to know. :-)

The firmware burnout idea is one that I had at Cenzic, applied to doing a million+ writes to a motherboard's flash BIOS to require physical replacement of the motherboard. I think it made it into Greg's book. The persistent code idea you mention becomes more of a reality with these hybrid hard drives that have a regular winchester-based drive in addition to a small flash drive. I forget the marketing term for this technology, but it seems like overwriting the protected OS files on the built-in flash drive from a low-level driver should be possible.


> Since I am curious, I had a look at the running software: it appears
> that it is some kind of embedded RTOS Linux for MIPS processor, with an
> old kernel, many services enabled, and a trivial 'root' password (4
> digits). In the first firmware versions, the telnet port (who said SSH?)
> was accessible from the Internet.

Series 1 TiVo DVRs and Linksys "routers" are similar -- old Linux running on MIPS. (Or, in the case of WebTV based things including some kiosks, Windows CE running on MIPS.) While I haven't seen anything as egregious as an open telnet port with a trivially guessable root password, there are definite security issues across the board in this space. Many people are looking at embedded ARM software, but so far I've found that just looking at MIPS-based stuff yields a veritable cornucopia of exploitable code. (All found using Logiscan 2.0, plug plug.)

Anyone know where I can get some firmware from SCADA equipment? ;>


> Now let's just imagine that some kind of virus, knowing the 'root'
> password, uploads a kernel module, changes the 'root' password, and
> disables automatic updates ... You have just built a 500,000+ member
> botnet, and most of the end users would never notice anything (antivirus
> software on a cable modem?). BTW, the only fix would be to remove the
> CF card inside and reflash it with a brand new firmware, requiring
> physical maintenance from the operator.

I love stuff like this because you can hear an analyst somewhere cumming in their pants when they realise they get to come up with a really big dollar amount to try and guess how much it would cost to remediate such an issue.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave