A Newer Rootkit in PCI Cards
John Heasman, a security researcher, recently released a paper describing how malicious code can be hidden in the expansion memory of graphics and network cards so that it avoids detection and even survives a complete re-installation of the operating system.
Heasman's paper builds on his earlier work from early 2006, in which he presented how the 'Advanced Configuration and Power Interface' (ACPI) functions present in almost all motherboards could be used to store and run a 'rootkit' that survives a reboot.
The recent paper describes methods that use the 'expansion memory' of 'Peripheral Component Interconnect' (PCI) cards such as graphics cards and network cards. In the opinion of Heasman, a researcher at 'Next-Generation Security Software', such techniques will never become commonplace.
He wrote in his paper that since most people do not regularly apply security patches to Windows or run anti-virus software, malware authors have no immediate need to resort to 'rootkit' techniques to compromise systems. Even if a user identifies the malware and removes it, there are plenty of other unsuspecting targets on the Net.
Heasman's paper also describes a defense against the 'rootkit' technique. If the 'expansion memory' and 'system memory' are audited, an administrator can search for hidden code, the presence of 32-bit code, and 'odd class' codes, among other indicators of compromise. Computers that use a 'Trusted Computing Module' to protect the 'boot process' would not be affected by this kind of 'rootkit compromise'.
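As an added example (not from Heasman's paper or from SPAMfighter), here is the kind of expansion-memory audit described above: it walks the PCI expansion ROM image chain, compares each image's PCIR class code with the class the device reports in configuration space (the 'odd class code' indicator), flags unexpected code types, and reports non-padding bytes after the last image (one 'hidden code' indicator). It assumes the header and PCIR layouts of the PCI Firmware Specification; the ROM images and vendor/device IDs below are constructed test data, not dumps from real hardware.

```python
import struct

# Code Type values defined in the PCI Data Structure (PCIR) of an expansion ROM.
CODE_TYPES = {0: "x86 PC-AT", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}
IMAGE_UNIT = 512                       # image lengths are counted in 512-byte units

def build_image(class_code, code_type, last=True, units=2):
    """Constructed sample image: ROM header at offset 0, PCIR structure at 0x1C."""
    img = bytearray(units * IMAGE_UNIT)
    img[0:2] = b"\x55\xaa"                             # expansion ROM signature
    img[2] = units                                     # legacy x86 init size
    struct.pack_into("<H", img, 0x18, 0x1C)            # pointer to PCIR structure
    pcir = bytearray(0x18)
    pcir[0:4] = b"PCIR"
    struct.pack_into("<HH", pcir, 4, 0x1234, 0x5678)   # vendor/device IDs (constructed)
    struct.pack_into("<H", pcir, 0x0A, 0x18)           # PCIR length
    pcir[0x0D:0x10] = class_code.to_bytes(3, "little") # prog-if, subclass, base class
    struct.pack_into("<H", pcir, 0x10, units)          # image length in 512-byte units
    pcir[0x14] = code_type
    pcir[0x15] = 0x80 if last else 0x00                # bit 7 set: last image in ROM
    img[0x1C:0x1C + 0x18] = pcir
    return bytes(img)

def audit_expansion_rom(rom, device_class, allowed_code_types=(0,)):
    """Walk the image chain; return a list of indicators that deserve a closer look."""
    findings, off = [], 0
    while True:
        if off + 0x1A > len(rom) or rom[off:off + 2] != b"\x55\xaa":
            findings.append(f"image@{off:#x}: missing 55AA signature"); return findings
        pcir_off = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        if pcir_off + 0x18 > len(rom) or rom[pcir_off:pcir_off + 4] != b"PCIR":
            findings.append(f"image@{off:#x}: PCIR structure not found"); return findings
        cls = int.from_bytes(rom[pcir_off + 0x0D:pcir_off + 0x10], "little")
        if cls != device_class:   # 'odd class code': firmware claims a different device class
            findings.append(f"image@{off:#x}: class code {cls:06x} != device class {device_class:06x}")
        code_type = rom[pcir_off + 0x14]
        if code_type not in allowed_code_types:
            findings.append(f"image@{off:#x}: unexpected code type {CODE_TYPES.get(code_type, code_type)}")
        length = struct.unpack_from("<H", rom, pcir_off + 0x10)[0] * IMAGE_UNIT
        if off + length > len(rom):
            findings.append(f"image@{off:#x}: declared length exceeds ROM"); return findings
        off += length
        if rom[pcir_off + 0x15] & 0x80:
            break
    tail = rom[off:]              # anything past the last image should be 0x00/0xFF padding
    if tail.strip(b"\x00\xff"):
        findings.append(f"{len(tail)} bytes after last image are not padding")
    return findings

VGA_CLASS = 0x030000              # base class 03 = display controller
CLEAN_ROM = build_image(VGA_CLASS, 0)
TAMPERED_ROM = CLEAN_ROM + b"\xeb\xfe" * 64 + b"\xff" * 128   # constructed: blob after last image
```

On Linux the ROM bytes for a card can be read from the device's `rom` file under `/sys/bus/pci/devices/`, and the expected class from its `class` file.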
In general, users can guard against 'rootkits' by patching the system and all third-party software and by running a firewall and an anti-virus application. In addition, the user could 'write protect' the firmware of certain PCI cards using a physical switch or 'jumper'.
Heasman is aware that newer cards may lack this ability because of the extra cost, or because users find it inconvenient or redundant. The author is also not aware of any PCI cards that require 'signed firmware updates'. Although this is more complex and expensive, it would nevertheless be an improvement in stopping the 'rootkit' technique.
» SPAMfighter News - 23-11-2006