‘Deactivate the Rootkit’ – Highlights of security report
Rootkits represent one of the most dangerous breeds of electronic attack in the world today, as they are designed to conceal their presence on an affected system while allowing outsiders “unauthorized” access to the machine. Additionally, rootkits are difficult for users to stop or detect once successfully executed on the device.
There are three things that you should know about the newly-unearthed technique discovered by CoreLabs researchers that will be detailed in the presentation “Deactivate the Rootkit:”
1. If you have a notebook computer, you probably have the rootkit.
2. You can’t erase the rootkit, but you should know how to deactivate it.
3. You should also know how someone else may activate it, repeatedly.
Sophisticated rootkits commonly target today’s popular operating systems, including Windows, Linux, Unix and their variants. Now consider a rootkit that transcends a device’s operating system and taps into the deepest levels of its firmware, giving attackers the ability to take almost complete control of the system and to turn the rootkit on and off remotely, at will.
Furthermore, consider that the very capabilities of this rootkit, and the near impossibility of completely turning it off, are based on legitimate functions built into the affected computers by their manufacturers – features that would make this rootkit, if executed, a truly dangerous and persistent threat to anyone carrying an affected device.
Ortega and Sacco will demonstrate precisely all of the above, and more, in their brief presentation about BIOS anti-theft technology used in many modern laptop and desktop computers. The CoreLabs researchers’ discovery demonstrates that sometimes, even when working in the name of trying to secure a device or system, new ways of allowing attackers to have their way with ubiquitous technologies are created.
At this time, we found three major problems with common Absolute-Computrace implementations:
1. Lack of authentication of configuration options, leading to report redirection.
2. Lack of authentication of code in the stub agent, leading to BIOS code execution.
3. On at least one specific setup, activation/deactivation of the Computrace Agent can be reverted to factory defaults.
For issues 1 and 2, a digital signature scheme would fix the issues. We don't have any recommendation for issue number 3 at this moment.
Furthermore, there are a couple of issues that at the time of this report we can't confirm:
4. Unauthenticated code download from the Agent once activated.
5. Unauthenticated BIOS agent activation.
Issues 1, 4 and 5 combined would allow for an extremely dangerous BIOS-assisted rootkit software attack to be deployed on the majority of notebooks today.
Issue 2 is dangerous by itself, providing a simple and reliable method to execute any code in the context of the BIOS, once the Option-ROM is activated.