Rootkits penetrate the heart of the machine

April 7, 2009 · Filed Under In Depth, Security 

Since 2005, when the nasty commercial policies of Sony BMG revealed that control of the operating system could be seized to interfere with the normal working of the PC and its peripherals, the evolution of rootkit software has accelerated at an unparalleled pace. Interest in the subject has grown both among researchers and among cyber-criminal gangs, with a result that can now be measured: rootkits have reached the lowest levels of electronic devices' circuitry, infecting network routers, the BIOS and even the most privileged operating mode of x86 processors.

While all attention is focused on the Conficker worm, a complex but rather conventional piece of malware as far as its infection targets are concerned, the vanguard of new malicious code is landing its first blows with psyb0t, the Linux router worm. Identified by the DroneBL network, psyb0t is believed to be behind the first botnet that attacks network devices, installing itself inside routers and (A)DSL modems and leaving no trace on the PCs connected behind them.

The malware is designed to infect the internal memory of devices based on the MIPS platform and the Linux OS that expose Telnet, SSH and HTTP interfaces reachable from the Internet and, above all, protected by a weak username and password pair. Once it has gained control of the router, psyb0t blocks the ports used by those services, cutting the user off from the configuration panels, connects to its command-and-control centre on an IRC server from which it awaits orders, and starts scanning the network for usernames and passwords, vulnerable phpMyAdmin and MySQL servers and new routers to infect.

According to data provided by DroneBL, psyb0t's botnet managed to collect at least 100,000 zombie routers before its puppeteer decided to shut it down, claiming to have acted in a pure research spirit, without launching DDoS attacks (as DroneBL claims instead) or stealing sensitive data from anyone. The malware has been essentially invisible even to the users most concerned about the security of their own machines, because the attack was entirely new and nobody would have expected an infection of devices other than a PC.

Whatever the unknown hacker's goal, his work has at least served to highlight how little regard is paid to fundamental security practices when it comes to routers: DroneBL claims that “90% of the routers and modems participating in this botnet are participating due to user-error”, because users chose poor passwords or never changed the default ones (“root”, “admin”, “1234” and so on).

Security companies have quickly taken a position against the new threat, and although antimalware software is essentially unable even to identify an ongoing infection, vendors such as Symantec and Avira have published advice on how to diagnose the problem (blocked management ports), remove the malware (hard reset of the device and update to the latest available firmware version) and make sure it does not come back (change the damn default password).
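The three indicators the article lists (an outbound IRC session opened by the router itself, management ports that no longer answer, and a vendor-default admin password) can be checked from a PC on the LAN. The following is an added defender-side triage example, not code from the original article or from any vendor; the firewall log format and the sample lines are constructed, and the assumption that the C&C uses IRC's standard port 6667 is labelled in the code.

```python
"""Triage of the psyb0t indicators described above. All data is constructed."""
import re
from typing import Dict, List, Optional

# Management services psyb0t blocks once it owns the router.
MANAGEMENT_PORTS = {23: "telnet", 22: "ssh", 80: "http"}
# Default passwords quoted from the DroneBL analysis; extend with your vendor's defaults.
DEFAULT_PASSWORDS = {"root", "admin", "1234"}
# IRC's well-known port (assumption: the C&C listens on the standard port).
IRC_PORT = 6667

# Hypothetical gateway firewall log format (constructed for this example).
FLOW_RE = re.compile(r"OUT src=(?P<src>\S+) dst=(?P<dst>\S+) proto=TCP dport=(?P<dport>\d+)")

SAMPLE_LOG = [  # constructed sample lines; 192.168.1.1 is the router itself
    "Mar 22 10:15:01 gw OUT src=192.168.1.20 dst=198.51.100.9 proto=TCP dport=443",
    "Mar 22 10:15:07 gw OUT src=192.168.1.1 dst=203.0.113.7 proto=TCP dport=6667",
]

def parse_flow(line: str) -> Optional[Dict[str, str]]:
    m = FLOW_RE.search(line)
    return m.groupdict() if m else None

def irc_beacons(log_lines: List[str], router_ip: str) -> List[str]:
    """C&C candidates: hosts the router itself contacted on the IRC port."""
    hits = []
    for line in log_lines:
        f = parse_flow(line)
        if f and f["src"] == router_ip and int(f["dport"]) == IRC_PORT:
            hits.append(f["dst"])
    return hits

def blocked_management_ports(probe: Dict[int, bool]) -> List[str]:
    """probe maps port -> True if the router accepted a TCP connect from the LAN."""
    return [name for port, name in MANAGEMENT_PORTS.items() if not probe.get(port, False)]

def weak_admin_password(password: str) -> bool:
    return password.strip().lower() in DEFAULT_PASSWORDS

def triage(log_lines: List[str], router_ip: str, probe: Dict[int, bool], admin_password: str) -> List[str]:
    findings = [f"router opened IRC session to {dst} (possible C&C)" for dst in irc_beacons(log_lines, router_ip)]
    blocked = blocked_management_ports(probe)
    if blocked:
        findings.append("management interfaces unreachable: " + ", ".join(blocked))
    if weak_admin_password(admin_password):
        findings.append("admin password is a vendor default")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "192.168.1.1", {22: False, 23: False, 80: False}, "admin"):
        print("-", finding)
```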

[Figure: Psyb0t code]

Psyb0t represents a dangerous evolution of self-replicating code with potentially malicious intents, but what was presented at the 2009 edition of the CanSecWest security conference goes far beyond network routers, aiming at a fundamental element of 32- and 64-bit x86 architectures. Researchers Anibal Sacco and Alfredo Ortega demonstrated that a small snippet of executable code can be installed inside the system BIOS memory chip, knocking any security software out of the game and securing full control of the PC at every start-up, even before the first sector of the hard disk is loaded.

The proof-of-concept, astounding because it apparently exploits no obscure flaw but only the normal operation of the PC, requires physical access to the machine or “root” privileges on the operating system (whatever it is). Despite this, the researchers underline the profound implications of their discovery: “We can patch a driver to drop a fully working rootkit. We even have a little code that can remove or disable antivirus,” Sacco and Ortega say.

The duo's work follows that of John Heasman, who in 2007 demonstrated how to exploit the embedded memory of PCI cards to install malware on the PC, thus opening the door to hardware rootkits. Having shown that the BIOS can be effectively attacked, Sacco and Ortega are now working on a fully working “BIOS rootkit”, a beast that would join the infamous Mebroot, the Master Boot Record rootkit, in the zoo of the (potentially) most dangerous and invisible threats known so far.

Malware wins the heart of the machine, runs within the processor's ring 0, and Symantec paints unprecedented industrial-espionage scenarios. The infection becomes persistent, and so does control of the affected systems; and as if seizing the BIOS were not enough, someone has found a way to go even lower on the scale of execution privileges inside x86 CPUs.

Beneath ring 0 (the level of the operating system kernel) and ring -1 (the hypervisor mode used for hardware-assisted management of virtual machines) lies in fact System Management Mode (SMM), the most privileged machine-code execution mode on Intel architectures, used to run tasks independent of the operating system such as power management. Access to SMM is generally restricted to the BIOS alone and requires a System Management Interrupt (SMI) to be triggered.

[Figure: Rootkit effect]

A rootkit able to somehow exploit SMM would be a true “game over” not only for the user but also for the operating system (whatever it may be), because going below ring -1 means being able to attack the protection measures running in kernel mode and even the hypervisor, opening the door to control and stealth scenarios that no security or anti-rootkit software can fight.

Researchers have been trying to attack SMM since 2006, and at CanSecWest itself a new flaw was demonstrated that could grant unauthorized read and write access to the protected SMRAM (System Management RAM) memory region where SMM code resides. The problem, also confirmed by Joanna Rutkowska and Rafal Wojtczuk in a separate report, shows for the nth time that the real priority in computer security is prevention: if an infection reaches the heart of the machine, as is already possible today and will be increasingly so in the future, the fight is over and the game is lost for good.
