New type of rootkit hidden in hardwareMay 12, 2008 – 5:54 AM
Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer’s chip, undetected by today’s anti-virus products.
Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer’s memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what’s happening in a computer’s memory.
The SMM rootkit comes with keylogging and communications software and could be used to steal sensitive information from a victim’s computer. It was built by Shawn Embleton and Sherri Sparks, from security company Clear Hat Consulting.
The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August.
The rootkits used by cyber crooks today are programs designed to cover up their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005 when Sony BMG Music used rootkit techniques to hide its copy protection software. The music company was ultimately forced to recall millions of CDs amid the ensuing scandal.
In recent years, however, researchers have been looking at ways to run rootkits outside of the operating system, where they are much harder to detect. For example, two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD’s chip-level virtualisation technology to hide itself. She said the technology could eventually be used to create “100 percent undetectable malware.”
“Rootkits are going more and more toward the hardware,” said Sparks, who wrote another rootkit three years ago called Shadow Walker. “The deeper into the system you go, the more power you have and the harder it is to detect you.”