[ISN] Hackers Find a New Place to Hide Rootkits

From: InfoSec News (alerts@private)
Date: Mon May 12 2008 - 01:24:33 PDT


By Robert McMillan
IDG News Service
May 09, 2008

Security researchers have developed a new type of malicious rootkit 
software that hides itself in an obscure operating mode of a computer's 
microprocessor, running from memory that the operating system, and 
current antivirus products, cannot see.

Called a System Management Mode (SMM) rootkit, the software runs in a 
protected region of a computer's memory that can be locked and rendered 
invisible to the operating system, yet from which an attacker can watch 
everything happening in the rest of the computer's memory.

The SMM rootkit comes with keylogging and communications software and 
could be used to steal sensitive information from a victim's computer. 
It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo, 
Florida, security company called Clear Hat Consulting.

The proof-of-concept software will be demonstrated publicly for the 
first time at the Black Hat security conference in Las Vegas this 

The rootkits used by cyber crooks today are sneaky programs designed to 
cover up their tracks while they run in order to avoid detection. 
Rootkits hit the mainstream in late 2005 when Sony BMG Music used 
rootkit techniques to hide its copy protection software. The music 
company was ultimately forced to recall millions of CDs amid the ensuing 

In recent years, however, researchers have been looking at ways to run 
rootkits outside of the operating system, where they are much harder to 
detect. For example, two years ago researcher Joanna Rutkowska 
introduced a rootkit called Blue Pill, which used AMD's chip-level 
virtualization technology to hide itself. She said the technology could 
eventually be used to create "100 percent undetectable malware."

"Rootkits are going more and more toward the hardware," said Sparks, who 
wrote another rootkit three years ago called Shadow Walker. "The deeper 
into the system you go, the more power you have and the harder it is to 
detect you."

Blue Pill took advantage of new virtualization technologies that are only 
now being added to microprocessors, but the SMM rootkit uses a feature 
that has been around for much longer and can be found in many more 
machines. SMM dates back to Intel's 386SL processor, where it was added 
as a way to let hardware vendors fix bugs in their products with 
software. The mode is also used for power management, putting the 
computer into sleep mode, for example.

In many ways, an SMM rootkit, running in a locked part of memory, would 
be more difficult to detect than Blue Pill, said John Heasman, director 
of research with NGS Software, a security consulting firm. "An SMM 
rootkit has major ramifications for things like [antivirus software 
products]," he said. "They will be blind to it."
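Whether the SMRAM region described above is actually locked is the one thing a defender can check from the operating system. The script below is an added example, not code from the article or from Clear Hat Consulting: it reads the SMRAMC (System Management RAM Control) byte from the host bridge's PCI configuration space and decodes its lock bits. The register offset (0x9D on device 00:00.0) and bit layout are assumed from classic Intel north-bridge datasheets; both are chipset-specific and must be confirmed for the platform under test, which is exactly the hardware dependence the researchers describe.

```python
"""Decode an Intel SMRAMC register and report whether SMRAM is locked.

Added example (not from the article or Clear Hat). Register offset and
bit positions are assumptions taken from older Intel north-bridge
datasheets; verify them against the datasheet for your chipset.
"""
import os

# Assumed location: PCI device 00:00.0 (host bridge), config offset 0x9D.
SMRAMC_OFFSET = 0x9D

# Assumed bit layout of the SMRAMC byte.
D_OPEN = 1 << 6    # SMRAM readable/writable by the CPU outside of SMM
D_CLS = 1 << 5     # SMRAM accesses are "closed" (routed to VGA space)
D_LCK = 1 << 4     # lock: D_OPEN forced to 0, register read-only until reset
G_SMRAME = 1 << 3  # legacy SMRAM (A0000h-BFFFFh) enabled
C_BASE_SEG_MASK = 0x7  # compatible SMRAM base segment (010b = A0000h)


def decode_smramc(value: int) -> dict:
    """Split a single SMRAMC byte into its named fields."""
    if not 0 <= value <= 0xFF:
        raise ValueError("SMRAMC is a one-byte register")
    return {
        "d_open": bool(value & D_OPEN),
        "d_cls": bool(value & D_CLS),
        "d_lck": bool(value & D_LCK),
        "g_smrame": bool(value & G_SMRAME),
        "c_base_seg": value & C_BASE_SEG_MASK,
    }


def assess_smramc(value: int) -> str:
    """Classify the register: 'locked', 'open' or 'unlocked'.

    'locked'   - D_LCK set: nothing short of a reset can open SMRAM.
    'open'     - D_OPEN set: SMRAM is visible in the normal address space now.
    'unlocked' - neither set: any ring-0 code can still set D_OPEN and
                 rewrite the SMM handler, which is the window a rootkit needs.
    """
    fields = decode_smramc(value)
    if fields["d_lck"]:
        return "locked"
    if fields["d_open"]:
        return "open"
    return "unlocked"


def read_smramc(bdf: str = "0000:00:00.0", offset: int = SMRAMC_OFFSET) -> int:
    """Read the SMRAMC byte through Linux sysfs (needs root: offsets past
    0x40 are not readable by unprivileged users)."""
    path = f"/sys/bus/pci/devices/{bdf}/config"
    with open(path, "rb") as fh:
        fh.seek(offset)
        data = fh.read(1)
    if len(data) != 1:
        raise OSError(f"could not read offset {offset:#x} from {path}")
    return data[0]


if __name__ == "__main__":
    if os.geteuid() != 0:
        raise SystemExit("run as root to read the full PCI config space")
    raw = read_smramc()
    print(f"SMRAMC = {raw:#04x} -> {assess_smramc(raw)}: {decode_smramc(raw)}")
```

On a platform where the assumed offset does not apply the decoded value is meaningless; the maintained platform tables in a tool such as CHIPSEC are the safer reference for newer chipsets. A result of "unlocked" does not prove a rootkit is present, only that the lock the article relies on for stealth was never set.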

Researchers have suspected for several years that malicious software 
could be written to run in SMM. In 2006, researcher Loic Duflot 
demonstrated how SMM malware would work. "Duflot wrote a small SMM 
handler that compromised the security model of the OS," Embleton said. 
"We took the idea further by writing a more complex SMM handler that 
incorporated rootkit-like techniques."

In addition to a debugger, Sparks and Embleton had to write driver code 
in hard-to-use assembly language to make their rootkit work. "Debugging 
it was the hardest thing," Sparks said.

Being divorced from the operating system makes the SMM rootkit stealthy, 
but it also means that hackers have to write this driver code expressly 
for the system they are attacking.

"I don't see it as a widespread threat, because it's very 
hardware-dependent," Sparks said. "You would see this in a targeted 

But will it be 100 percent undetectable? Sparks says no. "I'm not saying 
it's undetectable, but I do think it would be difficult to detect." She 
and Embleton will talk more about detection techniques during their 
Black Hat session, she said.

Brand new rootkits don't come along every day, Heasman said. "It will be 
one of the most interesting, if not the most interesting, at Black Hat 
this year," he said.
