Serious rootkit concerns

0 comments

What really happens when you turn on your computer? How does it go from a power switch to your desktop? Although many detailed explanations exist, the basics are:

  1. Power switch
  2. Chipset (Northbridge/MCH/IMC, Southbridge/ICH/PCH, ...)
  3. CPU
  4. System BIOS
  5. CMOS (BIOS settings)
  6. Power-On Self Test (POST)
  7. Video card BIOS
  8. Other device BIOS (RAID, SCSI, NIC, IDE/ATA, PCI, ...)
  9. RAM (system memory)
  10. Firmware & Plug and Play (USB, Firewire, ...)
  11. If signaled, System Management Mode (SMM)
  12. If present, Type-1 Hypervisor (virtualization)
  13. Master Boot Record (MBR) of bootable drive, including bootloaders (GRUB, LILO, NTLDR, Boot Camp, ...)
  14. Operating System kernel
  15. Device drivers
  16. Applications (executable programs)
Computers protect data and functionality using a concept of "rings", like concentric walls of a fortress. If a medieval enemy penetrates the outer wall (i.e. ring), they can only harm whatever is located in the space between the outer wall and the next inner wall. If they penetrate the next inner wall they can only harm that space, and so on.



Rings range from -N...0...+N (with -N having the most privileges and +N having the least privileges). Using the boot sequence list above, the rings roughly translate to:

Ring -3Chipset, System BIOS, CMOS, Device BIOS, RAM (system memory), Firmware, and Plug and Play
Ring -2System Management Mode (SMM)
Ring -1Type-1 Hypervisor (virtualization)
Ring 0Operating System kernel
Ring 1 & 2Device drivers
Ring 3Applications

As you can imagine, the bad guys want to "own" or control the computer as deeply and early as possible in the boot sequence. Although there are a host of malicious malware out there (viruses, worms, trojans, spyware, keyloggers, etc), the tool of choice for most hackers is a rootkit/bootkit. Rootkits are designed to be very stealthy, difficult to remove, and very powerful. The following table provides a brief overview of the evolution of rootkits and the concerning trend towards bare-metal control and infection that persists after wiping the hard drive:

Ring -3Tribble, CoPilot, and Firewire-subversion (2003-2006), ACPI BIOS rootkit (2006), PCI rootkit (2006), memory-subversion (2007), European card swipe malware (2008), Core BIOS rootkit (2009), AMT rootkit (2009)
Ring -2SMBR (2008)
Ring -1SubVirt (2006), Blue Pill (2006)
Ring 0Cuckoo's Egg (late 1980's - first Unix rootkit), lrk3 (1996 - first Linux rootkit), NT Rootkit (1999 - first Windows rootkit), Sony XCP rootkit (2005), Mebroot bootkit (2007), Stoned bootkit (2009)
Ring 3Hacker Defender (2003)

As you can see, the emphasis is starting to shift away from traditional Ring 3 malware towards Ring 0 bootkits and Ring -3 hardware rootkits. With the increase in hardware standards, protocols, and ROM space, a hacker's job is made that much easier (especially considering many hardware manufacturers still aren't taking the threat seriously).

Personally, I think it's only a matter of time until we see a 64-bit, worm-propagated, cross-platform, bootloader-aware, encryption-savvy bootkit that resides in persistent, antivirus-unreachable Ring -3 space....oh wait, that's pretty much the Stoned bootkit's ToDo list.

Okay, enough of the FUD, how do we protect ourselves? To be absolutely safe, do the following:

1. Care about security.
"Most people, I think, don't even know what a Rootkit is, so why should they care about it?"
      - Thomas Hesse (President, Sony BMG Global Digital Business)
2. Bury your computer.
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ...and I'm not even too sure about that one."
      - Dennis Hughes (FBI official)


Okay, assuming burying your computer isn't an option:

1. Be paranoid about security.
"Only the paranoid survive."
      - Andrew Grove (Time Magazine's Man of the Year, 1997)
2. Install, and regularly update, antivirus and antispyware protection.

3. Use a NAT hardware firewall and software firewall.

4. Use a non-IE web browser (less targeted). If Firefox is your browser of choice, there are a lot of security add-ons available - play around to find the best matches for you.

5. Use a non-Windows operating system (less targeted).

6. Disable floppy and CD-ROM booting and password-protect your BIOS.

7. If multi-booting on the same machine, avoid bootloaders and instead install each operating system on its own drive (with its own MBR) and switch between them using the BIOS boot device selector.

8. Buy a motherboard with BIOS protection (e.g. Intel Trusted Execution Technology or Phoenix TrustedCore).

9. Only browse known, safe sites (not exactly secure due to XSS, DNS cache poisoning, SSL vulnerabilities, PKI vulnerabilities, and hacked routers / web servers...but it's a start)

Have any other ideas? Let me know!

Update (Feb 2010): The new rootkit nasty on the block is Tdss rootkit...scary stuff!

Data backup solution for home

0 comments

We all know data backup is important. If you don't feel that way, this post isn't for you (and good luck when BSOD or Gpcode.ak come knocking).

Well in advance of Christmas, I've been doing some online window shopping for an external hard drive and data backup solution. My requirements are:

  1. Network accessible (NAS) - ethernet and eSATA connection
  2. RAID 1 (full mirror data redundancy)
  3. USB printer server
  4. Windows & Linux filesystem-compatible for backup and network file sharing
  5. (hot-swappable drives and encryption would be a nice bonus)
  6. $200 or less (without drives)

My current front-runner is Synology DS209j. It's slower than its stronger siblings, DS209 and DS209+II but it gets good reviews and is feature-packed for future needs.

That said, it's a little overkill (e.g. BitTorrent, iTunes, surveillance, mail server, etc) for my current needs. If you have any suggestions for a better (and cheaper) fit, feel free to leave a comment before Christmas rolls around.

Also, the Western Digital WD10EADS hard drives get good reviews for data backup...your thoughts?

Update: The Patriot CORZA looks promising (review)

Linux security

0 comments

As I've researched Linux over the last few weeks, I've been amazed at how many people recommend running Linux with no anti-virus protection whatsoever. Often, new Linux converts are seen as having ex-Windows baggage of paranoia. I find this concerning for two reasons:

  1. Rootkits, one of the most dangerous forms of malware in existence, were originally written for Unix (and by extension, Linux) and are still going strong today

  2. Although your average geeky Linux user today is tech and security savvy, the same cannot be said regarding the rising generation of non-technical Linux adopters. Their bad habits of double-clicking anything interesting and confirming every administrator prompt they see will undoubtedly carry over ("what, sudo virus.sh? sure, why not.")
Fortunately, the virgin-Linux attitude is starting to change.

Conclusion -- geeks: status quo is okay; regular people: don't listen to their too-good-to-be-true advice and install protection.

The big decision

0 comments

Well, it's been a long time coming, but I've finally made the official decision to switch from Windows to Linux. I've dabbled here and there with Linux in the past, but I've always found a reason to hold back - whether it be printer drivers, Windows-only software, fear of the unknown, etc.

The issue, though, came to a head this week when my semi-annual yearning to reformat my hard drive started up again and I decided to switch operating systems from my tired XP Professional 32-bit to a 64-bit OS. I originally bought one of the first AMD 64-bit dual-core processors even though it was ahead of its time (e.g. lack of 3rd party hardware drivers and 64-bit optimized applications) knowing that one day the planets would align and the time would be right to make the plunge. Also, it was about this time that, after many embarrassing schedule delays and Apple's amusing anti-Windows advertising campaign, Vista was getting ready for launch. Microsoft spared no expense to try to rebuild enthusiasm and momentum and for a brief few days gave out a large number of Vista and Office 2007 keys for free and I managed to snatch a copy of my own (thanks, slickdeals). After digging around for it, I was disappointed to realize the version they sent me was 32-bit. I had a 64-bit Windows XP disc, but I wasn't particularly excited to stay behind the times with technology. Windows 7 seemed to be getting good reviews and I thought about leapfrogging Vista ...until I did the math on upgrade pricing.

One of the biggest advantages to upgrading was security. I had heard that Vista and Windows 7 implemented a number of security improvements and I was getting tired of the wild wild west of malware, with my anti-virus and firewall working overtime to keep my identity and bank account safe. A quick Google search, however, informed me that Windows Vista and 7 are still just as susceptible to rootkits and lesser nasties. As you can imagine, I wasn't especially thrilled with the thought of shelling out hard-earned cash to upgrade to an operating system whose security guarantee was "when" not "if". So what's a relatively tech-savvy guy to do? Enter: Linux

Geeks are loyal to Linux distros (e.g. versions or flavors) like some people are to cars. This post isn't going to get into a Ford vs Chevy fighting match - I leave it to interested readers to choose the one that's best for them. For me, it was Linux Mint. Linux Mint is a derivative of Ubuntu, a popular version of Linux. It uses a desktop and menu environment that's familiar to Windows users and therefore should help with the transition to Linux. It works with Ubuntu software repositories so a wealth of Linux-ready software is at your fingertips. Since Linux Mint releases follow about a month after Ubuntu releases, I'll be upgrading my box to Linux Mint 8 when it's released in late November. Update: for those who can't wait, Linux Mint 8 RC (release candidate) was just released.

Original post

0 comments

Nothing really exciting here. Stay tuned.