Although a remote attack would take MANY steps to achieve...
...if it did, the computer would be an almost useless paperweight.

The attack would have to rely on a number of steps:
1) Privilege escalation to LocalSystem*
2) Re-flash the device on-the-fly from within Windows*
3) Wait until a reboot
4) System BIOS will load the code in from the expansion ROMs
5) Get the code to survive real-mode to protected-mode switch
6) Use said code to modify key structures / files

Detection is now a nightmare:
Every device's firmware would need to be compared to a 'good', but if the rootkit was running at the time then this could alter the results of the comparison. A side-by-side comparison would seem the only way forward, maybe using another OS to boot into (providing the rk only looked for NT kernel locations, and not Linux 2.x ones as well).

The above is how I understand this attack would happen, researched from the NGSSoftware paper (http://www.ngssoftware.com/research/papers/implementing_And_Detecting_A_PCI_Rootkit.pdf) on rootkits of this nature. My knowledge of this is very basic, and I apologise for any errors in my interpretation.

*Why the hell does Windows allow IOPL to be raised to 3 anyway? I thought the whole point of NT's HAL (Hardware bloody ABSTRACTION LAYER) was to remove direct access ability to hardware...
Posted by: Scrat | 03/01/07
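The detection approach the post sketches (compare each device's expansion ROM against a known-good copy, from a boot the rootkit does not control) can be made concrete. The following is an added example, not code from the post or from the NGSSoftware paper: it parses the standard PCI expansion ROM header (the 55AA signature, the size field in 512-byte blocks, the pointer at offset 0x18 to the "PCIR" data structure with vendor/device IDs and code type), verifies the legacy x86 checksum (all bytes of the image must sum to zero mod 256), and compares a SHA-256 of each image to a baseline recorded earlier. The ROM images and slot names are constructed in-line so it runs offline; on a real Linux system you would read the image from `/sys/bus/pci/devices/<bdf>/rom` (after writing `1` to that file to enable it) and record the baseline from a known-clean boot such as a live medium.

```python
import hashlib
import struct
from dataclasses import dataclass

BLOCK = 512  # expansion ROM sizes are expressed in 512-byte blocks


@dataclass
class RomInfo:
    vendor_id: int
    device_id: int
    code_type: int      # 0x00 = x86 BIOS, 0x03 = UEFI, per the PCI firmware spec
    image_len: int
    checksum_ok: bool
    sha256: str


def parse_option_rom(image: bytes) -> RomInfo:
    """Parse the first image of a PCI expansion ROM and summarise it."""
    if len(image) < 0x1A or image[0:2] != b"\x55\xAA":
        raise ValueError("missing 55AA expansion ROM signature")
    image_len = image[2] * BLOCK
    if image_len == 0 or image_len > len(image):
        raise ValueError("ROM size field exceeds the bytes read")
    pcir_off = struct.unpack_from("<H", image, 0x18)[0]
    if pcir_off + 0x18 > image_len or image[pcir_off:pcir_off + 4] != b"PCIR":
        raise ValueError("PCI data structure not found")
    vendor_id, device_id = struct.unpack_from("<HH", image, pcir_off + 4)
    code_type = image[pcir_off + 0x14]
    # Legacy x86 images must checksum to zero; a sloppy reflash breaks this,
    # a careful one fixes the checksum, which is why the hash comparison matters.
    checksum_ok = sum(image[:image_len]) % 256 == 0
    digest = hashlib.sha256(image[:image_len]).hexdigest()
    return RomInfo(vendor_id, device_id, code_type, image_len, checksum_ok, digest)


def compare_to_baseline(roms: dict, baseline: dict) -> list:
    """Report every slot whose ROM is malformed, unknown, or differs from baseline."""
    findings = []
    for slot, image in roms.items():
        try:
            info = parse_option_rom(image)
        except ValueError as exc:
            findings.append(f"{slot}: unparseable ROM ({exc})")
            continue
        if not info.checksum_ok:
            findings.append(f"{slot}: checksum invalid")
        expected = baseline.get(slot)
        if expected is None:
            findings.append(f"{slot}: no baseline hash recorded (unknown device)")
        elif expected != info.sha256:
            findings.append(f"{slot}: firmware hash differs from baseline")
    return findings


def build_test_rom(vendor_id: int, device_id: int, payload: bytes) -> bytes:
    """Construct a minimal, well-formed one-block x86 option ROM (test data only)."""
    rom = bytearray(BLOCK)
    rom[0:2] = b"\x55\xAA"
    rom[2] = 1                      # one 512-byte block
    rom[3] = 0xC3                   # init entry point: a bare 'ret'
    pcir = 0x20
    struct.pack_into("<H", rom, 0x18, pcir)
    rom[pcir:pcir + 4] = b"PCIR"
    struct.pack_into("<HH", rom, pcir + 4, vendor_id, device_id)
    struct.pack_into("<H", rom, pcir + 0x0A, 0x18)   # PCIR structure length
    struct.pack_into("<H", rom, pcir + 0x10, 1)      # image length in blocks
    rom[pcir + 0x14] = 0x00                          # code type: x86 BIOS
    rom[pcir + 0x15] = 0x80                          # indicator: last image
    body = pcir + 0x18
    rom[body:body + len(payload)] = payload
    rom[-1] = (-sum(rom[:-1])) % 256                 # make the image sum to zero
    return bytes(rom)


if __name__ == "__main__":
    # Constructed scenario: baseline taken from a clean boot, then re-checked.
    slot = "0000:01:00.0"  # hypothetical bus/device/function
    clean = build_test_rom(0x1234, 0x5678, b"GOOD")
    baseline = {slot: parse_option_rom(clean).sha256}
    reflashed = build_test_rom(0x1234, 0x5678, b"EVIL")  # valid checksum, new contents
    for line in compare_to_baseline({slot: reflashed}, baseline):
        print(line)
```

The checksum alone is not a useful detector, since anyone who can reflash a device can also fix the trailing byte; the hash against a baseline is the actual check. As the post notes, the read itself must be trusted: take both the baseline and the comparison reads from a boot the suspected rootkit does not control.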
