Serious rootkit concerns

What really happens when you turn on your computer? How does it go from a power switch to your desktop? Although many detailed explanations exist, the basics are:

  1. Power switch
  2. Chipset (Northbridge/MCH/IMC, Southbridge/ICH/PCH, ...)
  3. CPU
  4. System BIOS
  5. CMOS (BIOS settings)
  6. Power-On Self Test (POST)
  7. Video card BIOS
  8. Other device BIOS (RAID, SCSI, NIC, IDE/ATA, PCI, ...)
  9. RAM (system memory)
  10. Firmware & Plug and Play (USB, Firewire, ...)
  11. If signaled, System Management Mode (SMM)
  12. If present, Type-1 Hypervisor (virtualization)
  13. Master Boot Record (MBR) of bootable drive, including bootloaders (GRUB, LILO, NTLDR, Boot Camp, ...)
  14. Operating System kernel
  15. Device drivers
  16. Applications (executable programs)
Computers protect data and functionality using a concept of "rings", like concentric walls of a fortress. If a medieval enemy penetrates the outer wall (i.e. ring), they can only harm whatever is located in the space between the outer wall and the next inner wall. If they penetrate the next inner wall they can only harm that space, and so on.

Rings range from -N...0...+N (with -N having the most privileges and +N having the least privileges). Using the boot sequence list above, the rings roughly translate to:

Ring -3Chipset, System BIOS, CMOS, Device BIOS, RAM (system memory), Firmware, and Plug and Play
Ring -2System Management Mode (SMM)
Ring -1Type-1 Hypervisor (virtualization)
Ring 0Operating System kernel
Ring 1 & 2Device drivers
Ring 3Applications

As you can imagine, the bad guys want to "own" or control the computer as deeply and early as possible in the boot sequence. Although there are a host of malicious malware out there (viruses, worms, trojans, spyware, keyloggers, etc), the tool of choice for most hackers is a rootkit/bootkit. Rootkits are designed to be very stealthy, difficult to remove, and very powerful. The following table provides a brief overview of the evolution of rootkits and the concerning trend towards bare-metal control and infection that persists after wiping the hard drive:

Ring -3Tribble, CoPilot, and Firewire-subversion (2003-2006), ACPI BIOS rootkit (2006), PCI rootkit (2006), memory-subversion (2007), European card swipe malware (2008), Core BIOS rootkit (2009), AMT rootkit (2009)
Ring -2SMBR (2008)
Ring -1SubVirt (2006), Blue Pill (2006)
Ring 0Cuckoo's Egg (late 1980's - first Unix rootkit), lrk3 (1996 - first Linux rootkit), NT Rootkit (1999 - first Windows rootkit), Sony XCP rootkit (2005), Mebroot bootkit (2007), Stoned bootkit (2009)
Ring 3Hacker Defender (2003)

As you can see, the emphasis is starting to shift away from traditional Ring 3 malware towards Ring 0 bootkits and Ring -3 hardware rootkits. With the increase in hardware standards, protocols, and ROM space, a hacker's job is made that much easier (especially considering many hardware manufacturers still aren't taking the threat seriously).

Personally, I think it's only a matter of time until we see a 64-bit, worm-propagated, cross-platform, bootloader-aware, encryption-savvy bootkit that resides in persistent, antivirus-unreachable Ring -3 space....oh wait, that's pretty much the Stoned bootkit's ToDo list.

Okay, enough of the FUD, how do we protect ourselves? To be absolutely safe, do the following:

1. Care about security.
"Most people, I think, don't even know what a Rootkit is, so why should they care about it?"
      - Thomas Hesse (President, Sony BMG Global Digital Business)
2. Bury your computer.
"The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ...and I'm not even too sure about that one."
      - Dennis Hughes (FBI official)

Okay, assuming burying your computer isn't an option:

1. Be paranoid about security.
"Only the paranoid survive."
      - Andrew Grove (Time Magazine's Man of the Year, 1997)
2. Install, and regularly update, antivirus and antispyware protection.

3. Use a NAT hardware firewall and software firewall.

4. Use a non-IE web browser (less targeted). If Firefox is your browser of choice, there are a lot of security add-ons available - play around to find the best matches for you.

5. Use a non-Windows operating system (less targeted).

6. Disable floppy and CD-ROM booting and password-protect your BIOS.

7. If multi-booting on the same machine, avoid bootloaders and instead install each operating system on its own drive (with its own MBR) and switch between them using the BIOS boot device selector.

8. Buy a motherboard with BIOS protection (e.g. Intel Trusted Execution Technology or Phoenix TrustedCore).

9. Only browse known, safe sites (not exactly secure due to XSS, DNS cache poisoning, SSL vulnerabilities, PKI vulnerabilities, and hacked routers / web servers...but it's a start)

Have any other ideas? Let me know!

Update (Feb 2010): The new rootkit nasty on the block is Tdss rootkit...scary stuff!


Post a Comment

Keep it clean and professional...