Core Security
Deactivate the Rootkit

Black Hat USA 2009 - http://www.blackhat.com

Abstract:
Rootkits represent one of the most dangerous breeds of electronic attack in the world today, as they are designed to conceal their presence on an affected system while allowing outsiders unauthorized access to the machine. Additionally, rootkits are difficult for users to stop or detect once successfully executed on the device.

There are three things that you should know about the newly unearthed technique discovered by CoreLabs researchers that will be detailed in the presentation “Deactivate the Rootkit”:

  1. If you have a notebook computer, you probably have the rootkit.
  2. You can’t erase the rootkit, but you should know how to deactivate it.
  3. You should also know how someone else may activate it, repeatedly.

While sophisticated rootkits commonly target most of today’s popular operating systems, including Windows, Linux, Unix and any variant of those platforms, consider a rootkit that transcends a device’s operating system and can tap into the deepest levels of its firmware, giving attackers the ability to take almost complete control of the system, and to turn the rootkit on and off remotely at will.

Furthermore, consider that the very capabilities of this rootkit, and the near impossibility of completely turning it off, are based on legitimate functions built into the affected computers by their manufacturers – features that would make this rootkit, if executed, a truly dangerous and persistent threat to anyone carrying an affected device.

Ortega and Sacco will demonstrate precisely all of the above, and more, in their brief presentation about BIOS anti-theft technology used in many modern laptop and desktop computers. The CoreLabs researchers’ discovery demonstrates that sometimes, even work done in the name of securing a device or system creates new ways for attackers to have their way with ubiquitous technologies.

 
