Researchers Discovered A New Technique For Stealthier Rootkits
Security researchers have discovered a new technique for developing rootkits, malicious packages used to hide the presence of malware on compromised systems.
Instead of hiding a rootkit in the virtualisation layer, the rootkit can be smuggled into System Management Mode (SMM), an isolated memory and execution environment supported in Intel chips that’s designed to handle problems such as memory errors.
By running rootkits in SMM, miscreants could make hidden malware harder to detect, since the code lives in an area that anti-virus scanners don't check. A proof of concept is to be demonstrated at the Black Hat conference in Las Vegas in August.
SMM code is invisible to the operating system yet retains full access to host physical memory and complete control over peripheral hardware. A proof-of-concept SMM rootkit can already function as a chipset-level keylogger. The rootkit hides its memory footprint, makes no changes to the host operating system, and is capable of covertly sending sensitive data across the network while evading essentially all host-based intrusion detection systems and firewalls.
While keeping the rootkit well away from the operating system makes the malicious code stealthier, it also introduces problems. Attackers would need to develop device-specific driver code for each target chipset, a factor that makes such attacks far more difficult to mount.