bit-tech.net

Researcher develops NIC rootkit


The work by Guillaume Delugré suggests a method for infecting a NIC with a firmware rootkit.

A security researcher has developed techniques for reverse engineering the firmware in a popular line of network cards, potentially opening the door for a future hardware-based rootkit.

Guillaume Delugré, a researcher with Sogeti ESEC Research and Development, has detailed his reverse engineering of the firmware in Broadcom's NetXtreme network cards on the company's website, but warns that the techniques he has developed could be used by ne'er-do-wells to produce near-undetectable rootkits that attack future computers.

Using nothing more than publicly available documentation and open-source utilities, Delugré has been able to build tools to monitor and debug the network card at a very low level. This tool set has also led Delugré to find a way to flash custom firmware onto the cards and have it executed as though it were official code.

The upshot of his work is a rootkit that can be uploaded to the network card and silently monitor network traffic without the host OS being able to stop it.

'A network card rootkit offers some very interesting features,' Delugré explains. 'A very stealthy communication end-point over the Ethernet link, which can intercept and forge network frames without the operating system knowing about it, or physical system memory access using DMA over the PCI link, leading to OS corruption.'

Worse, he claims that there would be 'no trace of the rootkit on the operating system, as it is being hidden inside the NIC.'

So far, there are no known attacks on the firmware of network cards of the type that Delugré is researching - but the implications of such an attack are profound. If an attacker could plant the rootkit into the firmware of a network card at the factory, it would infect thousands of systems regardless of virus protection and security features in their host operating system. Worse, there would be little way to detect or prevent the rootkit from transmitting or altering data, although Intrusion Detection Systems (IDS) on the network should provide some level of protection.

Are you concerned about the threat of hidden rootkits in your network card, or is Delugré over-egging the pudding? Share your thoughts over in the forums.

22 Comments

mi1ez 24th November 2010, 13:14 Quote
scary stuff!
Tattysnuc 24th November 2010, 13:26 Quote
At what point is data encrypted? Is it encrypted on the NIC card, or by the processor? If it is the former then this is scary stuff indeed.... Big brother and all that...
Landy_Ed 24th November 2010, 13:28 Quote
I think it's very thoughtful of him to do all the casual hackers work for them.

Thanks, Delugré.
wiggles 24th November 2010, 13:35 Quote
I wonder what his motivation was for such research. Seems unscrupulous.
liratheal 24th November 2010, 13:51 Quote
Looking more and more like the safest machines are the ones not connected to anything at all.
javaman 24th November 2010, 13:58 Quote
Time to start developing bios or even hardware based anti virus. Only way to try and stop such attacks
eddtox 24th November 2010, 15:04 Quote
:(
paisa666 24th November 2010, 15:23 Quote
Quote:
Originally Posted by wiggles
I wonder what his motivation was for such research. Seems unscrupulous.

Thnx to guys like this... we can be aware of the potential dangers we didn't imagine could exist and some ppl could use for the bad!!!... This is all for prevention and it's good

Ofc... now that we are aware of such a threat being possible... who says great Uncle Sam hasn't been using this rootkit on all of us for a long time now ¬ ¬'... Google?... ¡¡¡damn Skynet!!!
Lazy_Amp 24th November 2010, 15:35 Quote
Quote:
Originally Posted by liratheal
Looking more and more like the safest machines are the ones not connected to anything at all.

I know a guy who unplugs everything from his computer when he stops using it.

Then he locks it in an ammo box XD
wuyanxu 24th November 2010, 15:37 Quote
best way to prevent any form of attack is a good router with dedicated firewall for it.

firewall software on your desktop is pretty useless IMHO. low level attacks such as this will be available sooner or later, because all the standards are open source, as long as someone can be bothered to look at it, they should be able to make something to do a low level attack.
The_Beast 24th November 2010, 15:43 Quote
Start with Killer NIC Bigfoot owners first, most are DBs with too much money anyways
tristanperry 24th November 2010, 15:45 Quote
As paisa666 says, it's good that a white hat hacker got there first.

There will now probably be a race (between NIC manufacturers and black hatters) to see who can be the first (to solve or exploit this, respectively), but at least it's out there I guess.
Doomah 24th November 2010, 16:26 Quote
Who says a white hat hacker got there first? Perhaps someone else has been using this exploit for years already.
TheLostSwede 24th November 2010, 16:36 Quote
Do note that this is an older PCI card, so it might very well not apply to PCI Express based NICs, nor the various kinds built into the motherboard chipsets. Then again, it's possible that a similar hack is possible for them.
BRAWL 24th November 2010, 16:52 Quote
Quote:
Originally Posted by paisa666
Quote:
Originally Posted by wiggles
I wonder what his motivation was for such research. Seems unscrupulous.

Thnx to guys like this... we can be aware of the potential dangers we didn't imagine could exist and some ppl could use for the bad!!!... This is all for prevention and it's good

Ofc... now that we are aware of such a threat being possible... who says great Uncle Sam hasn't been using this rootkit on all of us for a long time now ¬ ¬'... Google?... ¡¡¡damn Skynet!!!

Indeed it's fairly true... I mean, who do you know (who isn't an enthusiast) who downloads Windows updates and will notice one file that opens all this up called "Windows Sys32 update"?

but it's nice to see this avenue looked into as well, especially if companies start up a nice big anti-virus hardware based stuff, be very cool for them to start doing.
Xir 24th November 2010, 17:39 Quote
Quote:
Originally Posted by paisa666
who says great Uncle Sam hasn't been using this rootkit on all of us for a long time now
Maybe he works for uncle Sam....:D
Otherwise Uncle Sam is going to be pretty **ssed off, as they've probably been using stuff at this level for a loooong time.

Now where's that tinfoil hat? ;)
FelixTech 24th November 2010, 20:47 Quote
How long before he moves on to southbridge rootkits? :O
dark_avenger 25th November 2010, 01:08 Quote
Quote:
Originally Posted by wuyanxu
best way to prevent any form of attack is a good router with dedicated firewall for it.

firewall software on your desktop is pretty useless IMHO. low level attacks such as this will be available sooner or later, because all the standards are open source, as long as someone can be bothered to look at it, they should be able to make something to do a low level attack.

Most routers enable ALL outbound traffic to pass through. Which means if the NIC makes an outbound connection it can then have two way communication.

If the router was set up correctly to block all outbound except the ports you require it would help, but then again there's nothing stopping them using something like port 80 which you would have open for web access.....
thehippoz 25th November 2010, 01:49 Quote
a really neat idea.. looks like another exploit to work on

hp had a problem with firmware in some integrated nics recently.. don't think this is related though

http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1290645796523+28353475&threadId=1416260

http://www.doecirc.energy.gov/bulletins/t-328.shtml
Krayzie_B.o.n.e. 25th November 2010, 08:03 Quote
Who needs a rootkit when Uncle Sam can log into any server at any time and watch what you're doing. The government has been doing far more advanced stuff like this for years. Just remember the United States has remote controlled robots on Mars and satellites exploring deep space, your PC is child's play to them.

As far as a virus, well this is just an excuse to sell more Anti-Virus licenses as the new scare will be Virus protection for discrete graphics, sound, and other PCI-E cards.
Cthippo 26th November 2010, 03:23 Quote
Seems like pretty much everything with firmware can be updated these days, and therefore would potentially be vulnerable.

Maybe some hacker will come up with a way to re-flash BIOSes that is actually reliable!
Landy_Ed 26th November 2010, 09:34 Quote
Quote:
Originally Posted by Krayzie_B.o.n.e.
Who needs a rootkit when Uncle Sam can log into any server at any time and watch what you're doing. The government has been doing far more advanced stuff like this for years. Just remember the United States has remote controlled robots on Mars and satellites exploring deep space, your PC is child's play to them.

As far as a virus, well this is just an excuse to sell more Anti-Virus licenses as the new scare will be Virus protection for discrete graphics, sound, and other PCI-E cards.

If your Uncle Sam or our own big brother types want to watch what I'm doing I really don't mind, but some opportunistic criminal dude wanting to nick my banking logon details has just had some good research done for him. Rather less impressed about that.