Whitepaper: Implementing and Detecting a PCI Rootkit

[John Heasman <john () ngssoftware com>]

Hi guys,

I have released a paper entitled "Implementing and Detecting a PCI 
Rootkit" which is available here:


http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf


I was originally planning to release this early in 2007 but due to the 
recent publication of "BIOS Disassembly Ninjutsu Uncovered" by Darmawan 
Salihun I have decided to publish now (please note, I have not yet seen 
the contents of this book).



Abstract:

"In February 2006, the author presented a means of persisting a rootkit in 
the system BIOS via the Advanced Configuration and Power Interface (ACPI). 
It was demonstrated that the ACPI tables within the BIOS could be modified 
to contain malicious ACPI Machine Language (AML) instructions that 
interacted with system memory and the I/O space, allowing the rootkit 
bootstrap code to overwrite kernel code and data structures as a means of 
deployment.


Whilst using ACPI as a means of persisting a rootkit in the system BIOS 
has numerous advantages for the rootkit writer over "traditional" means of 
persistence (that include storing the rootkit on disk and loading it as a 
device driver), there are several technologies that are designed to 
mitigate this threat.  Both Intel SecureFlash and Phoenix TrustedCore 
motherboards prevent the system BIOS from being overwritten with unsigned 
updates.


This paper discusses means of persisting a rootkit on a PCI device 
containing a flashable expansion ROM.  Previous work in the Trusted 
Computing field has noted the feasibility of expansion ROM attacks (which 
is in part the problem that this field has set out to solve), however the 
practicalities of implementing such attacks has not been discussed in 
detail.  Furthermore, there is little knowledge of how to detect and 
prevent such attacks on systems that do not contain a Trusted Platform 
Module (TPM).  Whilst the discussion mainly focuses on the Microsoft 
Windows platform, it should be noted that the techniques are equally 
likely to apply to other operating systems."



Thanks


John

-- 
John Heasman
Director of Research
NGS Software Ltd


Tel    +44 (0) 208 401 0070
Fax    +44 (0) 208 401 0076
http://www.ngssoftware.com


The information contained in this email and any subsequent correspondence
is private, is solely for the intended recipient(s) and may contain
confidential or privileged information. For those other than the intended
recipient(s), any disclosure, copying, distribution, or any other action
taken, or omitted to be taken, in reliance on such information is
prohibited and may be unlawful. If you are not the intended recipient and
have received this message in error, please inform the sender and delete
this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission or
use of emails and attachments having left the NGS domain.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave