Implementing PCI Rootkits

Discussion in 'other security issues & news' started by SystemJunkie, Dec 27, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Here is a PDF Doc for PCI Rootkits

    I don't agree: since dual-core appeared, ACPI modification has been made impossible in the BIOS, so in several cases it is no longer possible to disable ACPI in the BIOS if you are using e.g. AMD X2 CPUs.

    A new challenge for Antirootkit authors.
     
    Last edited: Dec 27, 2006
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,

    The major obstacle: build software that will work well with all motherboards and different hardware setups as well as the operating system. Hell, even simple BIOS updates are a terror unto the user, who prays to his nether gods for the update to go well. And this is dedicated software from the manufacturer. Now, you're talking about a stranger writing a flawless piece of code that will randomly (or deliberately) write to peripherals with full compatibility.

    Such tools are most likely to cause an irreversible crash. Implementing them will be difficult. Unless you refer to your basic BIOS as a rootkit. To say nothing of the fact that such code will have to be super-smart, because the BIOS is not exactly the biggest piece of storage available. How much can you implement in 3-4 KB of code?

    This code will have to be able to communicate with the operating system, properly interpret system calls and send them on their way to the remote address, via the operating system. This means using yet another piece of code or software that can leisurely enjoy the full breadth of the living operating system - and then here yet more troubles start.

    If the operating system gets updated, the kernel might change - the system calls might change - the rootkit will have to get itself updated all the time and each re-burning will be a terrible experience - and will not work until the BIOS is reset, which can take days or weeks for that user, and in between he might do horrible stuff like yet more updates and who knows what.

    Removal - simple. Reburn the BIOS with your own driver. From the manufacturer.

    All in all, sounds like a mega soup of BSOD with a sprinkling of total unusability. At least with the currently employed architecture / operating systems / methods. In the future, who knows?

    But still, it all comes down to one thing - don't ... install ... bad ... things.

    Mrk
     
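The post above argues about what a PCI rootkit could fit into an option ROM and how it would be removed. The flip side, which the thread does not show, is how a defender would look at what is actually on the card. Below is an added example, not code from the thread or from the linked PDF: a parser for the PCI expansion ROM header and its "PCIR" data structure, run over a constructed 1 KiB x86 image. It reports vendor/device ID, code type, chain position, and whether the x86 image checksum (all bytes sum to zero mod 256) still holds, and it refuses dumps that are truncated or whose length fields point past the end of the buffer. The sample ROM, its IDs (0x1234/0x5678) and the tampered byte are made up for the example. On Linux a real dump can be taken from `/sys/bus/pci/devices/<BDF>/rom` (write `1` to it first to enable reading); that step is an assumption about the reader's environment and is not part of the code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One image parsed out of a PCI expansion ROM dump (PCI Firmware Spec 3.0 layout). */
typedef struct {
    size_t   offset;       /* image start within the dump */
    size_t   length;       /* image length in bytes (PCIR field is in 512-byte units) */
    uint16_t vendor_id;
    uint16_t device_id;
    uint8_t  code_type;    /* 0 = x86 PC-AT, 1 = Open Firmware, 2 = PA-RISC, 3 = EFI */
    int      last_image;   /* PCIR indicator byte, bit 7 */
    int      checksum_ok;  /* x86 images: all bytes of the image sum to 0 mod 256 */
} rom_image_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the image at rom+off. 0 on success, negative on a malformed or truncated image. */
int pci_rom_parse_image(const uint8_t *rom, size_t rom_len, size_t off, rom_image_t *out)
{
    if (off + 0x1A > rom_len) return -1;                  /* header does not fit */
    const uint8_t *img = rom + off;
    if (img[0] != 0x55 || img[1] != 0xAA) return -2;      /* missing 55AA signature */
    size_t pcir_off = rd16(img + 0x18);                   /* pointer to PCI Data Structure */
    if (off + pcir_off + 0x18 > rom_len) return -3;       /* PCIR outside the dump */
    const uint8_t *pcir = img + pcir_off;
    if (memcmp(pcir, "PCIR", 4) != 0) return -4;
    size_t len = (size_t)rd16(pcir + 0x10) * 512;
    if (len == 0 || off + len > rom_len) return -5;       /* image length overruns dump */

    memset(out, 0, sizeof *out);
    out->offset     = off;
    out->length     = len;
    out->vendor_id  = rd16(pcir + 4);
    out->device_id  = rd16(pcir + 6);
    out->code_type  = pcir[0x14];
    out->last_image = (pcir[0x15] & 0x80) != 0;
    out->checksum_ok = 1;                                 /* only x86 images carry the checksum */
    if (out->code_type == 0) {
        uint8_t sum = 0;
        for (size_t i = 0; i < len; i++) sum = (uint8_t)(sum + img[i]);
        out->checksum_ok = (sum == 0);
    }
    return 0;
}

/* Walk the image chain. Returns the image count, or the negative error of the first bad one. */
int pci_rom_walk(const uint8_t *rom, size_t rom_len, rom_image_t *images, int max_images)
{
    size_t off = 0;
    int n = 0;
    while (n < max_images && off < rom_len) {
        int rc = pci_rom_parse_image(rom, rom_len, off, &images[n]);
        if (rc != 0) return rc;
        off += images[n].length;
        n++;
        if (images[n - 1].last_image) break;
    }
    return n;
}

/* Constructed sample: a minimal 1 KiB x86 image with a valid checksum (not from any real card). */
size_t build_sample_rom(uint8_t *buf, size_t cap)
{
    const size_t len = 1024;
    if (cap < len) return 0;
    memset(buf, 0, len);
    buf[0] = 0x55; buf[1] = 0xAA;
    buf[2] = 2;                            /* legacy x86 size field: 2 * 512 bytes */
    buf[3] = 0xCB;                         /* init entry point: RETF, does nothing */
    buf[0x18] = 0x40; buf[0x19] = 0x00;    /* PCIR lives at offset 0x40 */
    uint8_t *p = buf + 0x40;
    memcpy(p, "PCIR", 4);
    p[0x04] = 0x34; p[0x05] = 0x12;        /* vendor ID 0x1234 (made up) */
    p[0x06] = 0x78; p[0x07] = 0x56;        /* device ID 0x5678 (made up) */
    p[0x0A] = 0x18; p[0x0B] = 0x00;        /* PCIR structure length */
    p[0x10] = 0x02; p[0x11] = 0x00;        /* image length: 2 * 512 bytes */
    p[0x14] = 0x00;                        /* code type: x86 */
    p[0x15] = 0x80;                        /* indicator: last image */
    uint8_t sum = 0;                       /* make the whole image sum to zero mod 256 */
    for (size_t i = 0; i < len - 1; i++) sum = (uint8_t)(sum + buf[i]);
    buf[len - 1] = (uint8_t)(0u - sum);
    return len;
}

/* Parse the sample as-is; returns pci_rom_walk's result and fills *out. */
int demo_parse_sample(rom_image_t *out)
{
    uint8_t buf[1024];
    size_t n = build_sample_rom(buf, sizeof buf);
    return pci_rom_walk(buf, n, out, 1);
}

/* Patch one byte in the sample's code area: the checksum must now fail. Returns checksum_ok. */
int demo_tampered_checksum(void)
{
    uint8_t buf[1024]; rom_image_t img;
    size_t n = build_sample_rom(buf, sizeof buf);
    buf[0x200] ^= 0x5A;
    if (pci_rom_parse_image(buf, n, 0, &img) != 0) return -1;
    return img.checksum_ok;
}

/* Hand the parser a dump cut short at 0x300 bytes: it must refuse rather than read past the end. */
int demo_truncated_dump(void)
{
    uint8_t buf[1024]; rom_image_t img;
    build_sample_rom(buf, sizeof buf);
    return pci_rom_walk(buf, 0x300, &img, 1);
}

int main(void)
{
    rom_image_t img;
    int n = demo_parse_sample(&img);
    printf("images: %d  vendor %04x device %04x type %u last %d checksum %s\n",
           n, img.vendor_id, img.device_id, img.code_type, img.last_image,
           img.checksum_ok ? "ok" : "BAD");
    printf("tampered checksum_ok=%d, truncated rc=%d\n",
           demo_tampered_checksum(), demo_truncated_dump());
    return 0;
}
```

A failed checksum on an x86 image is not proof of a rootkit (vendors ship sloppy ROMs), but a ROM whose vendor/device IDs do not match the card's configuration space, or whose image length is larger than the original firmware, is worth a closer look, and comparing the dump against the vendor's published image is the most reliable check. Note that the PCIR length check is what keeps the parser from walking off the end of a short dump; a parser that trusts the length field is exactly the kind of tool a malicious ROM could crash.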
  3. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    I think such technology is pure PoC. There are more realistic and simpler ways to hide from the user. The methods of "PCI rootkits" will work only in the laboratory where they were created.
     
  4. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,698
    Hello,
    Well, EP, you definitely have a short, curt way of saying things :)
    Took me a paragraph - took you a sentence.
    Mrk

    P.S. SystemJunkie, are you sleeping any better now?
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Yep, many BSODs, many reboots, many crashes, but persistent.

    Let's hope so.

    Besides: my Plextor DVD burner stopped working recently, only one year old.
    Probably someone tried to flash his rootkit but failed..
    (ha ha ha.. just a joke..) :D :D :D
     
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    A good question: how many of you reflash the optical drive's firmware with an unofficial firmware (region lock, rip lock, extra features)?
     