Rootkit Exploit for Intel Processors Dating to 1997 Discovered

xer0h0ur

HS Referee HoF
Donator
Joined:
Aug 20, 2012
Posts:
22,260
Liked Posts:
17,856
Location:
Chicago, IL.
My favorite teams
  1. Chicago White Sox
  1. Chicago Bulls
  1. Chicago Bears
  1. Chicago Blackhawks
"The Black Hat conference is a very fun event, with many different talented individuals coming together to show you just how insecure your digital life is. One very interesting tidbit that’s especially worrisome has been shown, dealing with Intel processors.

Processor-based rootkit can grant access to lowest level firmware, for Intel (and maybe AMD) processors dating back to 1997.

Rootkits can be very cruel mistresses in that they allow undeniable access to low-level APIs and functions, usually without the user’s knowledge, and quite maliciously. They’re able to mask themselves from your, or the system’s, knowledge quite well. Remember the rootkit being installed by certain Sony memory cards?

Intel’s processors, except the very newest Skylake, and perhaps even AMD’s processors dating back to 1997 are affected.

In this particular case, there is an issue with the System Management Mode, which are instructions that handle system errors and can grant access to other parts of the system as well. A problem with the way that SMRAM is handled, utilizing a 0-day exploit that’s supposedly built into the processor itself. Potentially all x86 processors are affected.

A successful injection of a rootkit could enable control of lower-level commands, letting it execute any type of arbitrary commands it wants, bypassing the OS almost completely. Fortunately, in order to actually inject the rootkit, full system privileges are needed. But once it’s in, it’ll be nearly impossible to detect with the usual scanners. So, then, it might not be probable to have it be a singular attack in and of itself, but as part of a multi-pronged malware mishap, it could spell considerable trouble.

The solution to this is a simple IT trick that probably isn’t used much elsewhere. For daily use, use an account that doesn’t have administrator access so that such things can’t be executed in the first place. But that’s not necessarily viable at home. We just want to play games and surf the Internet, right?

Oh, but this isn’t the only one.

This certainly isn’t the only System Management Mode exploit that has affected Intel CPUs either. Back in 2008 it was revealed that another caching problem could be exploited to also install a rootkit inside the SMM. This however is a new method, though the approach is much the same, mapping the SMRAM to potentially poison it.

Because of where this exploit is, it will be very difficult to actually patch and fix the issue, so it’ll likely remain for some time. But it’s curious that it has remained an inherent part of processors dating back so far.

So folks, no need to necessarily worry, but just be careful browsing the Internet and realize that this is a proof of concept and that nothing has been spotted in the wild thus far. Safe browsing!"


Read more: http://wccftech.com/rootkit-exploit-intel-processors-dating-1997-discovered/
 

xer0h0ur

Such Exploit. Much Fucked. WOW
 

Crystallas

Three if by air
Staff member
Donator
Joined:
Jun 25, 2010
Posts:
20,022
Liked Posts:
9,559
Location:
Next to the beef gristle mill
My favorite teams
  1. Chicago Bulls
Whenever BH or Defcon come around, everyone tries to make a name for themselves by showing off discoveries. Then these security firms earn contracts, etc.

So a lot of unrealistic exploits get a lot of attention. Personally, I think it has become overdone and some of the published exploits are a real reach. They detract from real known issues, and instead focus on buried code now (something, like this example, should have been known by Intel for a decade anyways, and I'm willing to bet it has been known, just not well known). Chris Tom was a whistleblower that pointed out another backdoor a long while back (had a short stint of nerd fame) that Intel and Dell did not want public, so it may be by design. I wonder if Transmeta's x86 approach had the same flaw, because it used an entirely different method to execute x86.

Now, if only GOOGLE would stop offering to save flash. LET FLASH DIE!
 

xer0h0ur

I, personally speaking, am conflicted on the death of Flash.
 

Crystallas

I, personally speaking, am conflicted on the death of Flash.

Closed source (which makes the code hard to audit and consent to on a machine, unless you accept or deny everything as a whole.)
Everything in Flash can be done with lower resources using alternatives (well, I would say they are not alternatives, but the mainstream methods going forward)
Incredible amount of exploits
By design, the hardware acceleration is far too driver reliant and can cause added instability
About 10 consecutive major version number releases with features added for more cookie and meta tracking, than actual user features.
Uses 4 plugin standards, one discontinued but still updated. Which essentially means poor standardization for both the project developers, and those who build flash objects for websites.
 

xer0h0ur

I probably should have specified my opinion is strictly speaking as a user, not a developer.
 
