The enemy in the network card
Security expert Guillaume Delugré, who works for the Sogeti European Security Expertise Center (ESEC), has demonstrated that a rootkit doesn't necessarily have to infest a computer. The expert used freely available tools and documentation to develop custom firmware for Broadcom's NetExtreme network controller. He was then able to conceal a rootkit within the firmware, making it untraceable by the virus scanners usually installed on a PC.
Delugré's code is executed by the network card's MIPS CPU and can directly communicate with working memory through the PCI interface's Direct Memory Access (DMA) – network cards normally use this functionality to exchange network frames with the driver installed on the computer.
Potential attackers using such a rootkit could remotely access computers or listen to a user's network traffic. Broadcom's NetExtreme controller is mainly used in corporate environments. Network controllers for home users are usually equipped with little, if any, memory and offer limited programming flexibility, which makes them unlikely targets for such an attack.
The attack scenario isn't entirely new: in 2006, John Heasman injected a rootkit into the extended memory of graphics cards and network cards, although his rootkit needed to download code from the net once Windows had started up. Flash memory chips intended for the PC BIOS on a mother board are another potential rootkit hiding place.