Hackers find a new place to hide rootkits
Security researchers have developed a new type of malicious rootkit software
that hides itself in an obscure part of a computer's microprocessor, hidden
from current antivirus products.
Called a System Management Mode (SMM) rootkit, the software runs in a protected
part of a computer's memory that can be locked and rendered invisible to the
operating system, but which can give attackers a picture of what's happening
in a computer's memory.
The SMM rootkit comes with keylogging and communications software and could
be used to steal sensitive information from a victim's computer. It was built
by Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company
called Clear Hat Consulting.
The proof-of-concept software will be demonstrated publicly for the first time
at the Black
Hat security conference in Las Vegas this August.
The rootkits used by cyber crooks today are sneaky programs designed to cover
up their tracks while they run in order to avoid detection. Rootkits hit the
mainstream in late 2005 when Sony
BMG Music used rootkit techniques to hide its copy protection software.
The music company was ultimately forced to recall millions of CDs amid the ensuing
scandal.
In recent years, however, researchers have been looking at ways to run rootkits
outside of the operating system, where they are much harder to detect. For example,
two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill,
which used AMD's chip-level
virtualization technology to hide itself. She
said the technology could eventually be used to create "100 percent
undetectable malware."
"Rootkits are going more and more toward the hardware," said Sparks,
who wrote another rootkit three years ago called Shadow Walker. "The deeper
into the system you go, the more power you have and the harder it is to detect
you."
Blue Pill took advantage of new virtualization technologies that are now being
added to microprocessors, but the SMM rootkit uses a feature that has been around
for much longer and can be found in many more machines. SMM dates back to Intel's
386 processors, where it was added as a way to help hardware vendors fix bugs
in their products using software. The technology is also used to help manage
the computer's power management, taking it into sleep mode, for example.
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
