Re: Whitepaper: Implementing and Detecting a PCI Rootkit

[sinan.eren () immunitysec com]

I should also note that when you have a FPGA based solution, there is no 
ROM to be investigated for potential malware. You might still hope to 
detect the subversion in kernel space though, of course that is a bit 
naive, given that you don't know all the possible hooks one can place.

sinan

On Thu, 16 Nov 2006, Dave Aitel wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> That's really cool. One thing Immunity has been investigating is
> selling a literal hardware PCI card that you can install into
> someone's machine which then infects their system and injects a
> callback shellcode. That way if you break into someone's office, you
> can throw these PCI cards into a few desktops and then leave, and
> you'll get MOSDEF shells at home every day! Nothing to analyze on disk
> either. :>
>
> -dave
>
>
> John Heasman wrote:
> > Hi guys,
> >
> > I have released a paper entitled "Implementing and Detecting a PCI
> > Rootkit" which is available here:
> >
> >
> > http://www.ngssoftware.com/research/papers/Implementing_And_Detecting_A_PCI_Rootkit.pdf
> >
> >
> >
> >
> > I was originally planning to release this early in 2007 but due to
> > the recent publication of "BIOS Disassembly Ninjutsu Uncovered" by
> > Darmawan Salihun I have decided to publish now (please note, I have
> >  not yet seen the contents of this book).
> >
> >
> >
> > Abstract:
> >
> > "In February 2006, the author presented a means of persisting a
> > rootkit in the system BIOS via the Advanced Configuration and Power
> >  Interface (ACPI). It was demonstrated that the ACPI tables within
> > the BIOS could be modified to contain malicious ACPI Machine
> > Language (AML) instructions that interacted with system memory and
> > the I/O space, allowing the rootkit bootstrap code to overwrite
> > kernel code and data structures as a means of deployment.
> >
> >
> > Whilst using ACPI as a means of persisting a rootkit in the system
> > BIOS has numerous advantages for the rootkit writer over
> > "traditional" means of persistence (that include storing the
> > rootkit on disk and loading it as a device driver), there are
> > several technologies that are designed to mitigate this threat.
> > Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent
> >  the system BIOS from being overwritten with unsigned updates.
> >
> >
> > This paper discusses means of persisting a rootkit on a PCI device
> > containing a flashable expansion ROM.  Previous work in the Trusted
> > Computing field has noted the feasibility of expansion ROM attacks
> > (which is in part the problem that this field has set out to
> > solve), however the practicalities of implementing such attacks has
> > not been discussed in detail.  Furthermore, there is little
> > knowledge of how to detect and prevent such attacks on systems that
> >  do not contain a Trusted Platform Module (TPM).  Whilst the
> > discussion mainly focuses on the Microsoft Windows platform, it
> > should be noted that the techniques are equally likely to apply to
> > other operating systems."
> >
> >
> >
> > Thanks
> >
> >
> > John
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
>
> iD8DBQFFXKzxB8JNm+PA+iURAuc0AKDACdosMW8+iLPFGffS85PJWlUi9ACbByh+
> 7vnHzJxPZ1JDzalLWpPDI5A=
> =I7xe
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave