Topic: Researchers to Report Intel Chip Rootkit Code

[georgecloner]

Security researchers Joanna Rutkowska and Loic Duflot are planning to release information on what NetworkWorld blogger Jamey Heary calls "the scariest, stealthiest, and most dangerous rootkit" he's seen.

According to Heary, on Thursday (March 19, 2009) the researchers will release a research paper and exploit code for a new SMM (System Management Mode) rootkit that utilizes an Intel CPU caching vulnerability. The attack allows the rootkit to hide in the SMM space and take control of the PC. Heary warns that there is no software that can detect the rootkit once it is installed.

"Thursday, March 19th, 1600 UTC, we will publish a paper (+ exploits) on exploiting Intel® CPU cache mechanisms. The attack allows for privilege escalation from Ring 0 to the SMM on many recent motherboards with Intel CPUs. Rafal implemented a working exploit with code execution in SMM in a matter of just a few hours."

Why are they releasing the code to the public? Rutkowska and Duflot claim that Intel has known about the vulnerability for years and hasn't done anything to fix it. So, they are simply reporting what someone with less than legal intentions is already exploiting.

"If there is a bug somewhere and if it stays unpatched for enough time, it is almost guaranteed that various people will (re)discover and exploit it, sooner or later. So, don't blame researchers that they find and publish information about bugs — they actually do a favor to our society."

(ITBE)

[Samker]

 


This's real dangerous...

Right now I'm thinking, Did this researchers do a right thing??



 

[georgecloner]

Yeah RIGHT! This is a nasty one!

Now that Intel CPUs' are vulnerable to exploit!  Finger's crossed for the meantime until Intel gets to fix this issue!!!

P.S.

Just type nice words to Intel guys!   HEHEHE

[Samker]

I can't believe that they "forget" to close this with some patch.

INTEL -

[georgecloner]

Believe it Sam, they do forget.. hehehe.

The researchers were fairly responsible to report the issue immediately. And they quote:

So, being the good and responsible guys that we are, we immediately reported the new bug to Intel (actually talking to Intel's PSIRT is getting more and more routined for us in the recent months . And this is how we learnt that Loic came up with the same attack (back then there was no talk description at the conference website) — apparently he approached Intel about this back in October 2008, so 3-4 months before us — and also that he's planning to present it at the CanSecWest conference in March. So, we contacted Loic and agreed to do coordinated disclosure next Thursday.

Interestingly, however, none of us was even close to being the first discoverer of the underlying problem that our attacks exploit. In fact, the first mention of the possible attack using caching for compromising SMM has been discussed in certain documents authored as early as the end of 2005 (!) by nobody else than... Intel's own employees.

[Samker]

UNBELIEVABLY! 

What do you think is it AMD capable to make the most of this "bug"?

[jake2pointzero]

Samker,

Does this mean, if you have a Intel Processor like Intel Core 2 Duo. We are vulnerable to the bug?

[Samker]

Probably, but important thing is that this bug isn't exploited yet...

Anyway, I think that we all need to "watch this story" very carefully.

[F3RL]

What the heck does Intel up to? Yeah, they should cover this vulnerability with some kind of patch or firmware.

Does this rootkit active regardless of operating system? If yes, people with servers, watch out 

[georgecloner]

Does this rootkit active regardless of operating system?

Apparently yes. Here's a summary piece:

"The potential consequence of attacks on SMM might include SMM rootkits [9], hypervisor compromises [8], or OS kernel protection bypassing [2]."

The published paper:   http://invisiblethingslab.com/resources/misc09/smm_cache_fun.pdf