Implementing PCI Rootkits

Here is a PDF Doc for PCI Rootkits

I don´t agree, since dualcore appeared ACPI modification is made impossible in Bios, so in several cases it is no more possible to disable acpi in bios if you are using e.g. AMD X2 CPUs.

A new challenge for Antirootkit authors.

 

Hello,

The major obstacle: build a software that will work well with all motherboards + different hardware setups as well as the operating system. Hell, even simple BIOS updates are a terror unto the user who prays to his nether gods for the update to go well. And this is dedicated software from the manufacturer. Now, you're talking about a stranger, writing a flawless piece of code that will randomly (or deliberately) write to peripherals with full compatibility.

Such tools are most likely to cause an irreversible crash. Implementing them will be difficult. Unless you refer to your basic BIOS as rootkit. To say nothing of the fact that such code will have to be super-smart because BIOS is not exactly the biggest piece of storage available. How much can you implement in 3-4Kbs of code?

This code will have to be able to communicate with the operating system, properly interpret system calls and send them on their way to the remote address, via the operating system. This means using yet another piece of code or software that can leisurely enjoy the full breadth of the living operating system - and then here yet more troubles start.

If the operating system gets updated, the kernel might change - the system calls might change - the rootkit will have to get itself updated all the time and each re-burning will be a terrible experience - and will not work until the BIOS is reset, which can take days or weeks for that user, and in between he might do horrible stuff like yet more updates and who knows what.

Removal - simple. Reburn the BIOS with your own driver. From the manufacturer.

All in all, sounds like a mega soup of BSOD with a sprinking of total unusability. At least with currently employed architecture / operating systems / methods. In the future, who knows?

But still, it all comes down to one thing - don't ... install ... bad ... things.

Mrk

 

I think such technology is pure PoC. There are more real and simplest ways to hide itself from user. Methods of "PCI Rootkits" will work only in laboratory where they was created.

 

Hello,
Well, EP, you definitely have a short, curt way of saying things
Took me a paragraph - took you a sentence.
Mrk

P.S. SystemJunkie, are you sleeping any better now?

 

Yep many BSODs, many reboots, many crashes, but persistent.

Let´s hope it.

Beside: My Plextor DVD Burner stopped working recently, only one year old.
Probably someone tried to flash his rootkit, but failed..
(ha ha ha.. just a joke..)

 

a good question: how many of you reflash the optical drive´s firmware with an unofficial firmware(region lock, rip lock, extra features)?