Dailydave mailing list archives
Re: Rootkit Detection - No Worries
From: Matt Hargett <matt () use net>
Date: Tue, 05 Jul 2005 14:43:27 +0000
Nicolas RUFF wrote:
> Now, rootkits aren't really my thing, so feel free to point and laugh - but I seem to recall there being discussion during Greg Hoglund and Jamie Butler's rootkit training course at Blackhat last year re: infecting hardware (or, more to the point, flashable firmware type stuff) such that malicious code could survive warm reboots, cold reboots and even hard drive reformatting/replacement. I've heard some other random discussions and anecdotal evidence to suggest that this might be possible. Sadly, I have neither the spare time, nor the hands-on hardware/firmware experience to know just how realistic a scenario this is. Is anyone on-list looking in detail at this sort of stuff? Is it realistic, or more science-fiction based? I, for one, would love to know. :-)
The firmware burnout idea is one that I had at Cenzic, applied to doing a million+ writes to a motherboard's flash BIOS to require physical replacement of the motherboard. I think it made it into Greg's book. The persistent code idea you mention becomes more of a reality with these hybrid hard drives that have a regular winchester-based drive in addition to a small flash drive. I forget the marketing term for this technology, but it seems like overwriting the protected OS files on the built-in flash drive from a low-level driver should be possible.
> Since I am curious, I had a look at the running software: it appears that it is some kind of embedded RTOS Linux for MIPS processor, with an old kernel, many services enabled, and a trivial 'root' password (4 digits). In the first firmware versions, the telnet port (who said SSH?) was accessible from the Internet.
Series 1 TiVo DVRs and Linksys "routers" are similar -- old Linux running on MIPS. (Or, in the case of WebTV based things including some kiosks, Windows CE running on MIPS.) While I haven't seen anything as egregious as an open telnet port with a trivially guessable root password, there are definite security issues across the board in this space. Many people are looking at embedded ARM software, but so far I've found that just looking at MIPS-based stuff yields a veritable cornucopia of exploitable code. (All found using Logiscan 2.0, plug plug.)
Anyone know where I can get some firmware from SCADA equipment? ;>
> Now let's just imagine that some kind of virus, knowing the 'root' password, uploads a kernel module, changes the 'root' password, and disables automatic updates ... You have just built a 500,000+ member botnet, and most of the end users would never notice anything (antivirus software on a cable modem?). BTW, the only fix would be to remove the CF card inside and reflash it with a brand new firmware, requiring physical maintenance from the operator.
I love stuff like this because you can hear an analyst somewhere cumming in their pants when they realise they get to come up with a really big dollar amount to try and guess how much it would cost to remediate such an issue.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave