Researchers dig into x86 chips for stealthier rootkits

Security researchers have discovered a new technique for developing rootkits, malicious packages used to hide the presence of malware on compromised systems. Instead of hiding a rootkit in the virtualisation layer, Shawn Embleton and Sherri Sparks of Clear Hat Consulting have discovered an approach for smuggling rootkit …

COMMENTS

This topic is closed for new posts.
  1. Jon Double Nice

    Wouldn't Macs be the perfect target for this?

    They're on x86 chips, aren't they? Plus you're guaranteed to have the same component bits and bobs in each box, so you need to write fewer drivers and whatnot.

    How you get it installed is another matter though I guess.

  2. amanfromMars Silver badge
    Alien

    SMARTer Learner Chips .... 42 Rock IT to its Foundations and Forge Virtual FABs.

    "While keeping the rootkit well away from the operating system makes the malicious code more stealthy, it also introduces problems. Hackers would need to develop device specific driver code, a factor that makes attacks far more difficult. "I don't see it as a widespread threat, because it's very hardware-dependent," Sparks told PC World. "You would see this in a targeted attack.""

    However, such device specific driver code is a walk in the park/a walk on the wild side for programmers, for it's very software-dependent. This is not an attack/development at the operating system level, it is a much deeper and much smarter virtualised reprogramming of the OS right at and from the core processor unit levels....both CPU and GPU.

    What you have is Virtual Machine IntelAIgents rebooting Operating Systems to make use of Future Memory Compilations rather than being Dependent on or ControlLed by any Present or Past Memory Access.

    Now just slip this Post into a Memory Slot/Pigeon Hole somewhere, remember where you have Salted IT away and be patient and try to deny it as you see it happening around you.

    The Virtualisation Space is not a Real Space, IT is not even an AIReal Space, IT is a SurReal NeuReal Space where Shared BroadBands of Intellect MetaDataMorph to Replace the Hardware/Software Model with the Quantum Communications Universal Information/Pure Source Model ..... where the Word is Ace, King, Queen and Jack of All Trades. ........ which of course is why some Words are not Shared but Salted away Out of Sight to put them out of Minds.

    But the Truth will always Out the Fraud that replaces it, and with a Just Vengeance....... and who the Hell wants to Live as a Fraud.

    Ooops. ..... there's the Answer?

  3. MYOFB
    Coat

    "Sparks told PC World"

    PC World . . . PC Feckin WORLD !!!!!

    FFS, I thought you were writing a 'serious' article until that came up!!

    If these guys turn up at Blackhat with that on their CV then they will probably be laughed out of the place all the way back under the rock they thought was wise to crawl out from under!!

    BUT . . .

    If they have got something, WTF happened to 'responsible disclosure' ethics?

    /Sorry, I forgot, they never existed and even less so at Blackhat.

    If you zoom in close, mine's the one that says . . . GFY!!

    PS: Begins with 'Go' . . . ends with 'Yourself' . . . I'm sure you can all figure out the middle.

    TTFN While I go find someone who can repair my 12 inch long piece of dowel, which is painted black and is finished off with a couple of white ends but unfortunately has been snapped.

    HUZZAR!!

  4. TimM
    Joke

    Re: Wouldn't Macs be the perfect target for this?

    "How you get it installed is another matter though I guess."

    Just leave it to Sony. They'll find a way.

    Mind you, Mac users wouldn't stick in a Sony manufactured audio CD, they'd all be using iTunes downloads... apparently ;-)

  5. Anonymous Coward
    Boffin

    But...

    Doesn't this concept only work if something isn't already using SMM?

    And isn't SMM generally already in use on most boards?

    So although this concept exists, is there actually any way of using it?

  6. duncan parkertron

    re: MYOFB

    Are you on crack??

  7. Anonymous Coward
    Alert

    @MYOFB

    Ever thought that PC world in the UK is different to the highly respected industry rag in the rest of the world?

    try pcworld.com not pcworld.co.uk!

  8. Anonymous Coward
    Alert

    @Wouldn't Macs be the perfect target for this?

    Probably, but don't tell webster, he'd have a field day! I imagine other standard setups would be candidates also, say Dell et al?

    To be honest I'm more concerned about the other net boxes that will become bots before too long, e.g. generic routers, Xboxes etc... just imagine owning the BT Home Hubs... 1 million 24hr broadband bots and not a single one has AV. Let's just hope BT don't use backdoors or tech support access!

  9. Bjorn Danneman

    Not really news...

    The first paper about abusing SMM that I'm aware of was published in 2006 by Loic Duflot, Daniel Etiemble, and Olivier Grumelard, and was called "Using CPU System Management Mode to Circumvent Operating System Security Functions". IIRC it was released sometime around CanSecWest 2006... And a fairly comprehensive article about it was released in the latest copy of Phrack, including a library to make building your own rootkit/rootshell easier...
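
The practical question behind comments 5 and 9 is whether ring 0 can get at SMRAM at all: the Duflot technique relies on the BIOS having left the SMRAM control register unlocked, so the OS can set D_OPEN and read or write the SMI handler. The check below is an added example by the editor, not code from the article, the commenters, the Duflot paper or the Phrack library. It assumes the Intel host-bridge SMRAMC layout (D_OPEN bit 6, D_CLS bit 5, D_LCK bit 4, G_SMRAME bit 3) and that the register sits at config offset 0x9D on the older 82xxx-series chipsets (0x88 on later Intel host bridges), so the caller supplies the offset; the register values fed to it are constructed. The write model is a simplification of the chipset behaviour: once D_LCK is set, D_OPEN is cleared and read-only until reset.

```python
"""Decode the Intel SMRAMC register and model its lock semantics.

Editor's added example. Assumptions (not from the article): host bridge at
PCI 00:00.0, SMRAMC at offset 0x9D (older 82xxx) or 0x88 (newer Intel),
bit layout D_OPEN=6, D_CLS=5, D_LCK=4, G_SMRAME=3. Reading the live register
needs root and the pciutils `setpci` tool; everything else runs offline.
"""
import shutil
import subprocess
from typing import Dict, Optional

D_OPEN = 1 << 6    # SMRAM visible to non-SMM code (normal ring 0 can read/write it)
D_CLS = 1 << 5     # code fetches go to SMRAM, data accesses go to VGA space
D_LCK = 1 << 4     # lock: D_OPEN forced to 0 and read-only until reset
G_SMRAME = 1 << 3  # compatible SMRAM (A0000h-BFFFFh) enabled at all


def decode_smramc(value: int) -> Dict[str, bool]:
    """Split one SMRAMC byte into its control bits."""
    if not 0 <= value <= 0xFF:
        raise ValueError("SMRAMC is an 8-bit register")
    return {
        "g_smrame": bool(value & G_SMRAME),
        "d_lck": bool(value & D_LCK),
        "d_open": bool(value & D_OPEN),
        "d_cls": bool(value & D_CLS),
    }


def assess_smramc(value: int) -> str:
    """Classify the exposure of SMRAM to ring 0 from the register value."""
    bits = decode_smramc(value)
    if not bits["g_smrame"]:
        return "smram-disabled"   # no compatible SMRAM mapped; nothing to open
    if bits["d_lck"]:
        return "locked"           # BIOS set D_LCK: the open-and-overwrite route is shut
    if bits["d_open"]:
        return "open"             # SMRAM is readable/writable from ring 0 right now
    return "unlocked"             # closed, but ring 0 may set D_OPEN itself


def write_smramc(current: int, new: int) -> int:
    """Simplified model of what the chipset keeps after a write to SMRAMC.

    Locked: the write is ignored (D_OPEN stays 0, D_LCK is sticky).
    Unlocked: the new value lands, but setting D_LCK clears D_OPEN.
    """
    if current & D_LCK:
        return (current & ~D_OPEN) & 0xFF
    result = new & 0xFF
    if result & D_LCK:
        result &= ~D_OPEN
    return result & 0xFF


def read_smramc(bdf: str = "00:00.0", offset: int = 0x9D) -> Optional[int]:
    """Read the live register with setpci (root needed); None if unavailable."""
    if shutil.which("setpci") is None:
        return None
    try:
        proc = subprocess.run(
            ["setpci", "-s", bdf, "%02x.b" % offset],
            capture_output=True, text=True, check=True,
        )
    except (subprocess.CalledProcessError, OSError):
        return None
    return int(proc.stdout.strip(), 16)


if __name__ == "__main__":
    # Constructed sample values: 0x02 is the fixed C_BASE_SEG field, 0x08 enables SMRAM.
    for sample in (0x02, 0x0A, 0x4A, 0x1A):
        print("SMRAMC=%#04x -> %s" % (sample, assess_smramc(sample)))
    # Ring 0 trying to open SMRAM on an unlocked vs a locked board.
    print("unlocked + D_OPEN -> %#04x" % write_smramc(0x0A, 0x0A | D_OPEN))
    print("locked   + D_OPEN -> %#04x" % write_smramc(0x1A, 0x1A | D_OPEN))
    live = read_smramc()
    if live is not None:
        print("this machine: SMRAMC=%#04x -> %s" % (live, assess_smramc(live)))
```

The verdict "unlocked" is the state the 2006 paper needed; "locked" is what a sane BIOS leaves behind, and it is why the attack is described as hardware-dependent and targeted rather than widespread. The lock does not by itself answer comment 5: an SMI handler already resident in SMRAM is exactly what the attacker overwrites, so "SMM is in use" is not a defence.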

  10. amanfromMars Silver badge

    @Not really news... Moles in the Management System?

    Bjorn,

    Things have moved on from abusing SMM to using SMM as an embedded third party, proxy accessible ....facility. QuITe sophisticated and a heck of a job to even realise the compromised position. Now that is a Real Astute Virtual Environment in which Information can play Havoc with DODgy Intelligence and Dirty Tricks but only to Improve IT and Direct it onto A.N.Other Path, which it may not necessarily Lead but rather Follow.

  11. MYOFB
    Coat

    @ duncan parkertron . . . First !!

    If "are you on crack" is your best response to my post, I suspect the opposite is more likely the truth . . .

    "Hey man, I can't get past what I'm smoking to . . . Hey man you must be doing the same thing!" . . . NOT!!

    Would rather you rip my post to pieces with a more reasoned response than what you posted . . . Go on, you know it makes sense.

    @AC

    "Ever thought that PC world in the UK is different to the highly respected industry rag in the rest of the world? try pcworld.com not pcworld.co.uk!"

    Don't patronise me on the difference, I know it already and did at the time of my post!

    What's puzzling me for the moment is, are you saying you're not from the UK?

    If that's the case then don't 'patroniZe' me . . . if you are from Blighty then I spelt it correctly the first time around!!

    To both of you . . .

    1. Neither of you responded in any way whatsoever regarding my comment on 'reasonable disclosure ethics'! Why?

    2. I was going to say, "I'm a seasoned professional" or "I'm the brightest and most capable new kid on the block" but neither comment fits the bill really . . . I either sound too old and past it or too young to know what is what!!

    What I will say, because I obviously like the sound of my own voice, is what's your stance on the Phorm issue??!!

    Mine went something like this . . . .

    @ Jimbo Gunn

    By MYOFB, posted Wednesday 9th April 2008 21:49 GMT

    1.) Who you are. (I thought I knew already, thanks for the offer)

    2.) The town you live in. (My village is a town?!)

    3.) The type or pron you like. (There are different kinds?)

    4.) Which banks you use. (I must be poor, I've only got one)

    5.) The newspapers you read and your political persuasion. (Dyslexia is a bitch!! Isn't that a euphemism for an MP getting into his/hers secretary's knickers/underpants?)

    6.) Your religious interests, if any. (I was under the impression that 'Religious Interests' and 'Political Persuasions' are one and the same thing. Please correct me if I am wrong. Or was that a euphemistic statement you made?)

    7.) The names of your best online friends. (Please tell, I haven't any in the real world!!)

    8.) Your best friends partners names. (My best friend has a Wife . . . you Sinner!)

    9.) If you have any pets. (That's too easy, I have about 6 billion and they all live at the top of the food chain, apart from you)

    10.) Everything you buy online. (Do you work for Phorm?!)

    11.) Your employer. (That would be ME!!)

    12.) Your next employer. (That would be BEELZEBUB!!)

    13.) Your proficiany in spelling. (Better than your proficiency in spelling!)

    14.) The state of your physical and mental health. (Deteriorating by the second due to my urge to categorise you in the Phuckwit Department)

    15.) If you're over weight. (You mean 'Overweight', correct?!! I am lighter by at least one space bar you obese git and then some!!)

    16.) What your foot size is. (12 inches . . . but my shoe size is a broad fit 9 or a medium 10 but that depends on the brand)

    I apologise if I come across as being derogatory of your post but I am more interested in what you can tell me, from my last 'month's web browsing history' about my alien abduction experience, the voices that talk to me in my head, Area 51 and the Roswell Incident.

    If you can shed some light on any of them, then you will have convinced me of 2 things . . .

    1. I'm still on the planet called Earth . . . and

    2. You are not!!!

    Thank you for taking time to complete our survey . . . we will send you a copy of the results as soon as they become available.

    / Mine's the one with the Anonymous Clown on the back and pockets full of Crack!!
