Author Topic: Going beyond Kernel rootkits...  (Read 8412 times)

0 Members and 2 Guests are viewing this topic.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Going beyond Kernel rootkits...
« on: January 27, 2006, 11:01:05 am »
... and moving to BIOS rootkits?  A BIOS rootkit would work for any OS, it would survive reboot, it would survive reinstallation, and it would even survive changing harddrives!  And, it would still have as much control as a normal rootkit has, possibly even more.  It's perfectly possible to do, and virus-scanners and rootkit-checkers don't check for it yet! 

Quote

In the cat-and-mouse game of computer security, rootkits are a powerful way to hide malicious code on a compromised computer where it is difficult to detect and remove.

As detection tools become more sophisticated, one researcher thinks that the BIOS may be the new frontier for rootkits.

“There are no tools now to audit your BIOS for a rootkit,” said John Heasman, principal security consultant for NGS Software Ltd. of the U.K. Heasman, speaking at the Black Hat Federal Briefings in Arlington, Va., described a proof of concept technique for placing a rootkit at such a low level on the computer’s system that it would survive reboots, reinstallation of operating systems and even replacement of the hard drive.


http://www.gcn.com/vol1_no1/daily-updates/38102-1.html

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #1 on: January 27, 2006, 06:39:03 pm »
Would be hard to pull off I'd imagine.

Besides, if you could access the BIOS, why install a rootkit? Why not turn off fans and overclock the processor by a few hundred times (even if you can't) so that the CPU bursts into flames, costing the owner a few hundred (if not a thousand) bucks for a new processor.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Going beyond Kernel rootkits...
« Reply #2 on: January 27, 2006, 06:50:49 pm »
Would be hard to pull off I'd imagine.

Besides, if you could access the BIOS, why install a rootkit? Why not turn off fans and overclock the processor by a few hundred times (even if you can't) so that the CPU bursts into flames, costing the owner a few hundred (if not a thousand) bucks for a new processor.

More often than not, the primary purpose of hacking (especially if the target is not premeditated) is to obtain something from the target, not cause the target agony.  That's hard to do when your computer is a smoking pile of goo.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #3 on: January 27, 2006, 07:32:06 pm »
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline igimo1

  • Full Member
  • ***
  • Posts: 420
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #4 on: January 27, 2006, 07:33:12 pm »
Duh. Use EFI!

Offline Nate

  • Full Member
  • ***
  • Posts: 425
  • You all suck
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #5 on: January 27, 2006, 08:43:33 pm »
but then couldnt you just destroy it by resesting the CMOS jumpers or pulling the battery out?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Going beyond Kernel rootkits...
« Reply #6 on: January 27, 2006, 08:46:29 pm »
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P
The main use for rootkits is to be able to re-gain access to the computer at a later date for some specific purpose, like Sidoh said.  Worms and trojans that spread over AIM and such usually aren't rootkits. 

but then couldnt you just destroy it by resesting the CMOS jumpers or pulling the battery out?
Yes, if you could figure out that that was the problem.  You could also just update the bios, I think that would do it too. 

Offline Eric

  • Full Member
  • ***
  • Posts: 304
  • I'm new here!
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #7 on: January 27, 2006, 09:18:58 pm »
So when people spread rootkits over AIM and such, the purpose is for specific stuff? I guess so, botnets are lovely. Just imagine your computer being a drone no matter what OS you are running. No matter how many times you reformat. :P
The main use for rootkits is to be able to re-gain access to the computer at a later date for some specific purpose, like Sidoh said.  Worms and trojans that spread over AIM and such usually aren't rootkits. 

but then couldnt you just destroy it by resesting the CMOS jumpers or pulling the battery out?
Yes, if you could figure out that that was the problem.  You could also just update the bios, I think that would do it too. 

Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?

Offline Warrior

  • supreme mac daddy of trolls
  • Hero Member
  • *****
  • Posts: 7503
  • One for a Dime two for a Quarter!
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #8 on: January 27, 2006, 09:24:43 pm »
iirc yes.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #9 on: January 27, 2006, 09:26:50 pm »
Yes, if you could figure out that that was the problem.  You could also just update the bios, I think that would do it too. 

Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?

That is what I think iago meant. :P
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Eric

  • Full Member
  • ***
  • Posts: 304
  • I'm new here!
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #10 on: January 27, 2006, 09:36:51 pm »
Yes, if you could figure out that that was the problem.  You could also just update the bios, I think that would do it too. 

Since the BIOS is stored on EPROM isn't it erased and reprogrammed every time a setting is changed as well?

That is what I think iago meant. :P

Well, I figured he meant updated as in the BIOS software being updated, or flashed.  If that's not what he meant then this would only be of great use on systems which rarely undergo hardware updates and have long-lasting CMOS batteries.  Either way, the 5 year old BIOS on the IBM machine that I'm currently using as a gateway monitors changes to the BIOS & MBR alerting me during POST if a change has been made so it's hard for me to believe that BIOS checking would be difficult for anti-virus software companies to impliment.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Going beyond Kernel rootkits...
« Reply #11 on: January 28, 2006, 03:34:43 am »
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

Offline zorm

  • Hero Member
  • *****
  • Posts: 591
    • View Profile
    • Zorm's Page
Re: Going beyond Kernel rootkits...
« Reply #12 on: January 29, 2006, 07:56:15 pm »
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm lead to believe that site sucks and those people have absolutely no clue what they are talking about.
"Frustra fit per plura quod potest fieri per pauciora"
- William of Ockham

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Going beyond Kernel rootkits...
« Reply #13 on: January 29, 2006, 09:30:13 pm »
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm lead to believe that site sucks and those people have absolutely no clue what they are talking about.
Exactly what I was thinking.
And if you're stupid enough to download BIOS to flash from a website that's NOT your motherboard manufacturer's company, you suck at life and deserve the rootkit.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Going beyond Kernel rootkits...
« Reply #14 on: January 29, 2006, 10:48:45 pm »
Hmm, if BIOS is stored on E2 then yeah, it would have to erase every time you changed a setting.  But you only have to erase E2 in sectors, not the whole thing.  Without knowing more about how it works, I have no idea if changing a setting would make a difference. 

But yeah, flashing it would definitely work. 

By the same token you'd have to flash the BIOS to get the "rootkit" in there anyhow? Otherwise every virus would take advantage of this. I'm lead to believe that site sucks and those people have absolutely no clue what they are talking about.

It would be difficult,  no question there.  They aren't calling it a "frontier" because it's a simple problem, because it's not. 

And actually, with (normal) e2, you can write 0's, you just can't write 1's.  So maybe, just maybe, it would be possible to encode a virus in the pre-existing data.  Who knows?  But IF it was possible, it would be difficult but very rewarding.