Topic: Hackers Find a New Place to Hide Rootkits

quaxo

Hackers Find a New Place to Hide Rootkits
« on: May 11, 2008, 01:28:18 AM »
From PCWorld.com through Yahoo! News:

Partial quote (see link for full article):
Quote
Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.

Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.

The SMM rootkit comes with keylogging and communications software and could be used to steal sensitive information from a victim's computer. It was built by Shawn Embleton and Sherri Sparks, who run an Oviedo, Florida, security company called Clear Hat Consulting.

The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August.

Mr.BA



    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #1 on: May 19, 2008, 03:12:07 AM »
    Very interesting..! :o

    Computer Hope Admin

    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #2 on: May 21, 2008, 06:33:17 PM »
    Wow, this is very interesting. However, the article mentioned it is hardware dependent and, as the article mentioned, it would be real hard for something to get created and spread out to a wide audience. What I'm curious about is, if it's hardware dependent and something that could be rendered invisible to the OS, how would an antivirus or other protection program help protect against something like this?
    Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
    -Albert Einstein

    evilfantasy

    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #3 on: May 22, 2008, 12:49:59 PM »
    Quote
    it would be real hard for something to get created and spread out to a wide audience.

    My thoughts as well, but consider the below article and it is more plausible.

    FBI Finds 3,500 Counterfeit Cisco Components in Secure U.S. Networks

    More info... Also Hackable: Microprocessors

    BC_Programmer


    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #4 on: May 23, 2008, 07:29:54 PM »
    It's easy, just spam-mail the chips to thousands of people, telling them to install it because they should. Because it's new. Because it comes in a shiny box. That should give it a fairly large install base....
    I was trying to dereference Null Pointers before it was cool.

    Computer Hope Admin

    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #5 on: May 23, 2008, 07:31:53 PM »
    That doesn't sound that easy, and definitely an extremely expensive way to hack people.

    BC_Programmer


    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #6 on: May 23, 2008, 08:26:27 PM »
    Well, actually, that is what I was trying to say: if they have to change hardware, any way of mass-infecting computers is going to be prohibitively expensive. I keep forgetting sarcasm is hard to write :)

    quaxo

    Re: Hackers Find a New Place to Hide Rootkits
    « Reply #7 on: May 23, 2008, 09:39:36 PM »
    There was a batch of hard drives out of China a year or so ago. Every single one of them had a virus planted in it which collected information and sent it back to someone from the factory. I don't remember what company that was though. They recalled all the drives from that factory, of course.

    -=Edit=-

    Ok, I just had to go look it up. November '07, they were Seagate hard drives.

    http://news.zdnet.co.uk/security/0,1000000189,39290782,00.htm

    Quote
    "Seagate said that antivirus vendor Kaspersky Lab had discovered the existence of a virus on some of its Maxtor Personal Storage 3200 hard drives.

    The antivirus company identified the virus as Virus.Win32.Ruh.ah — malware that can disable virus-detection software, although its prime function is to search for online game passwords and send them to a server in China.

    The affected units were manufactured by a subcontractor in China, said Seagate. As soon as the company learned of the virus's existence, it stopped shipments of the hard drives from its facility.

    Any units now leaving the affected factory have been cleared of the virus, while those in inventory are being reworked before being released for sale.

    Seagate was unable to comment on how the virus came to be on the hard drives. An internal criminal investigation is being held into the contract manufacturer."

    I know somewhere I found it was someone from that factory who planted the virus, but I can't seem to locate that article now.