Better hacking through science: new and better ways to hide your rootkit
- By William Jackson
- Jan 26, 2006
In the cat-and-mouse game of computer security, rootkits are a powerful way to hide malicious code on a compromised computer where it is difficult to detect and remove.
As detection tools become more sophisticated, one researcher thinks that the BIOS may be the new frontier for rootkits.
'There are no tools now to audit your BIOS for a rootkit,' said John Heasman, principal security consultant for NGS Software Ltd. of the U.K. Heasman, speaking at the Black Hat Federal Briefings in Arlington, Va., described a proof of concept technique for placing a rootkit at such a low level on the computer's system that it would survive reboots, reinstallation of operating systems and even replacement of the hard drive.
'This is very much a work in process,' Heasman said. He has spent only a few weeks so far developing techniques and uses for the new threat, and he is not aware of examples of such a tool in the wild. But there is no reason it could not be done with a little effort, he said.
First, some definitions. A rootkit is code surreptitiously installed and running on a computer that typically burrows deep enough into the operating system kernel that it is not easily detected. It can be used to hide malicious activity by a third party. The BIOS is the Basic Input-Output System on a computer. This is code on the motherboard that runs when the computer is powered up, initializing chip sets, memory subsystems, drivers and diagnostic systems. It enables what the computer can do without software.
Rootkits gained national attention when it was revealed recently that Sony Corp. was using them on some of its music CDs to hide digital rights management tools on customers' computers. Hackers have managed to exploit some of these computers by hiding malicious code in the Sony rootkit.
As rootkits become more widely used, tools are being developed to detect and remove them. So far these tools have focused on the operating system but have ignored the BIOS. And for good reason, said Heasman: Putting a rootkit there would be difficult, requiring the hacker to burn new code into the BIOS on the computer motherboard. The code would have to be tailored to the specific chip set, not just to a more generic operating system. And because BIOS functionality is limited, using it to exploit a computer is difficult.
But Heasman has found a way to get the functionality he wants, using the Advanced Configuration and Power Interface, a specification for power management functions used in most computers. When a computer is powered up, ACPI copies tables from the BIOS to the operating system describing hardware configurations and control methods for power management. Adding ACPI Machine Language code to the BIOS could give a hacker access to the operating system and would ensure that the code remained intact through reboots and reinstallations. Removing it would require reflashing or replacing the motherboard.
The amount of space available for such malicious code varies by chip set, but is in the tens of kilobytes, Heasman said.
The new rootkit is not foolproof. Installing it would be difficult to do remotely, and it could not be easily spread'at least for now. And it could be detected through some operating system auditing capabilities for ACPI messages. Installation could be prevented by using a motherboard that does not allow reflashing, or a board that requires a digitally signed BIOS, Heasman said.
'Embrace trusted computing,' he advises.
It is no coincidence that Heasman also is working on an ACPI auditing tool that would find such cleverly hidden rootkits.
'I envision this as part of any rootkit detection kit,' he said.
Stay tuned for further developments.
William Jackson is a Maryland-based freelance writer.