Dailydave mailing list archives
Re: Whitepaper: Implementing and Detecting a PCI Rootkit
From: Dave Aitel <dave () immunityinc com>
Date: Fri, 17 Nov 2006 18:01:34 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yeps. Lots of cool stuff you can do by reflashing random PCI devices, bios's, etc. But our customers so far are asking for something physical they can install on a machine that integrates with CANVAS, which is why we went down that route instead. - -dave Peter Winter-Smith wrote:
Hey Dave(s) (and list)! I think one of the points that John was considering in his paper was the possibility that a remote attack of some nature could actively install one of these which would then persist through re-installs of the operatings system, rather than solely the physical access vector (under the 'Re-flashing a PCI Expansion ROM' section)! Very cool! -Peter ----- Original Message ----- From: "Dave Korn" <dave.korn () artimi com> To: "'Dave Aitel'" <dave () immunityinc com>; <dailydave () lists immunitysec com> Sent: Thursday, November 16, 2006 7:10 PM Subject: Re: [Dailydave] Whitepaper: Implementing and Detecting a PCI RootkitOn 16 November 2006 18:25, Dave Aitel wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 That's really cool. One thing Immunity has been investigating is selling a literal hardware PCI card that you can install into someone's machine which then infects their system and injects a callback shellcode.Does this really have a lot of advantages over just plugging a U3 drive into a less-frequently used usb port round the back of the machine somewhere?That way if you break into someone's office, you can throw these PCI cards into a few desktops and then leave, and you'll get MOSDEF shells at home every day! Nothing to analyze on disk either. :>Wow, no forensics... except of course for your fingerprints and DNA all over the *physical* evidence you left at the scene of crime. Not really sure you're better off that way, I'd rather leave digits behind than anything else. cheers, DaveK -- Can't think of a witty .sigline today.... _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (GNU/Linux) iD8DBQFFXj9MB8JNm+PA+iURAi1hAJwIyvZdkKMRrW37IiDv7W89zyeQdwCgi+Gy LtyzAvz9noRRXzv9pidblxA= =Bxfp -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Whitepaper: Implementing and Detecting a PCI Rootkit John Heasman (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Dave Aitel (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit sinan . eren (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Dan Moniz (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Dave Korn (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Peter Winter-Smith (Nov 17)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Dave Aitel (Nov 17)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit sinan . eren (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Paul Wouters (Nov 16)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Chris Wysopal (Nov 17)
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit Dave Aitel (Nov 16)
- <Possible follow-ups>
- Re: Whitepaper: Implementing and Detecting a PCI Rootkit sinan . eren (Nov 17)