Mac EFI Rootkit PoC on Black Hat

Discussion in 'malware problems & news' started by researcher, Jul 29, 2012.

Thread Status:
Not open for further replies.
  1. researcher

    researcher Registered Member

    Joined:
    Jul 20, 2012
    Posts:
    3
    Location:
    Russian Federation
    http://www.blackhat.com/html/bh-us-12/bh-us-12-briefings.html#K
    Full paper:
    http://ho.ax/De_Mysteriis_Dom_Jobsivs_Black_Hat_Paper.pdf
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Seems like you need physical access to a system to tamper with it, or did I get it wrong?
     
  3. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    Firmware rootkits were already demonstrated a few years ago.
    There is a big difference between conceptual and laboratory attacks and/or malware and their in-the-wild industrial exploitation.
    In fact, if we consider the career opportunities of these rootkits, only the eEye boot rootkit is valuable, with its botnets made by an armada of bootkits.
    Yes, we have seen an Icelord clone with Mebromi, but what about the buzz made by BluePill or its Mac shadow Vitriol?
    Last year the Sogeti team also released a demo of a network card firmware rootkit:
    http://esec-lab.sogeti.com/dotclear/public/publications/11-recon-nicreverse_slides.pdf

    As I said in my HPA/BIOS/LoJack kernelmode.info thread, this kind of OS-independent rootkit mostly concerns targeted computer espionage.
    http://www.google.com/search?client...gc.r_pw.&fp=ae96d1134a13d1ee&biw=1366&bih=645
    A rootkit on a PC/Mac, on a smartphone, SCADA, SQL server, BIOS, network/video card, router, USB pen drive, GPS device, car, Nespresso machine... then what else? And so what? When we can put code here, we can in most cases hide code there...

    PS. From experience (Sysinternals board), I guess, "Kamarade" RKHunter, that it would suit you to keep the same nickname to avoid online "schkizo" syndrome :)
     