Hackers present new rootkit techniques
At upcoming security conferences, hackers are planning to present new rootkit techniques. Sebastian Muñiz of Core Security has developed a rootkit for Cisco routers and plans to present it at the EuSecWest Conference on May 21-22 in London. Sherri Sparks and Shawn Embleton of Clear Hat Consulting use a little-known operating mode of Intel processors to hide injected code. They will be presenting the results of their work at Black Hat USA 08 on August 6-7 at the Caesars Palace Hotel and Casino in Las Vegas.
The rootkit developed by Sparks and Embleton uses the System Management Mode (SMM) of Intel processors to hide a keylogger in memory. System Management Mode is intended to detect and react to system events such as chipset and memory errors, to extend motherboard functionality, and to handle power and thermal management. SMM is implemented on all modern x86 and x64 processors, including those made by other manufacturers such as AMD and Via.
The operating system cannot block entry into SMM. When the processor receives a System Management Interrupt (SMI), which is non-maskable, it suspends execution of the operating system and application code, saves the machine state, and executes code from a hidden, privileged region of memory. One difficulty for anyone writing such code is that no OS drivers are available in SMM, so the code must address the hardware directly.
At the CanSecWest Conference 2006, Loic Duflot presented a paper showing how a superuser can escalate privileges under OpenBSD by means of SMM. To date, however, no working SMM rootkit has been made public.
The rootkit for Cisco's IOS operating system developed by Sebastian Muñiz of Core Security Technologies allegedly runs on several IOS versions. Attackers first have to gain access to the machine they want to compromise, for example by exploiting a vulnerability and injecting code. The code is then stored in the firmware and is therefore executed immediately whenever the device reboots. Apparently, Cisco routers can then be monitored and controlled without anyone noticing. Muñiz said he will not be publishing the source code for his rootkit.
Recently, the FBI found counterfeit "Cisco" appliances and modules in critical infrastructure used by US authorities and the military, and voiced concerns that someone might already be using these devices for spying purposes. The rootkit developed by Muñiz could demonstrate that this danger is not merely theoretical, although Cisco could not find anything untoward in the devices confiscated by the FBI.
At Black Hat 2005, Michael Lynn discussed vulnerabilities in Cisco routers that allow malicious code to be injected and executed. Cisco caused quite an uproar by trying to prevent Lynn from presenting, even to the point of taking legal action against him. Lawyer Jennifer Granick of the Electronic Frontier Foundation (EFF), who represented Lynn against Cisco, told US media that Cisco might also take legal action against Muñiz for violating trade secrets, though she said she did not expect the firm to do so in light of the negative reactions in 2005. "Cisco thinks of itself as really researcher-friendly", she said. "I think they will be very careful before filing legal action."
- Security Researcher to release Cisco rootkit at EUSecWest, blog entry by Nathan McFeters
- A New Breed of Rootkit: The System Management Mode (SMM) Rootkit, announcement of the presentation by Shawn Embleton and Sherri Sparks at Black Hat USA 08