
Exploiting Intel® CPU cache mechanisms - Joanna and Rafal


  • Exploiting Intel® CPU cache mechanisms - Joanna and Rafal

    It would seem the NSA's favorite tool is now public :).

    http://theinvisiblethings.blogspot.c...scoveries.html

    http://www.networkworld.com/communit.../39825?hpg1=bn

    The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy! It is very much like the blue pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit! SMM has been around in Intel chips since 386 processors. The rootkit even has the ability to call home to its creator to get new code or deposit its findings. No software you can run on your operating system would be able to detect this type of exploit once you are powned.
    +++ Dallas +++

  • #2
    Re: Exploiting Intel® CPU cache mechanisms - Joanna and Rafal

    http://www.msuiche.net/2008/08/06/sm...-to-defeat-it/


    ^^Don't know if this still applies to your much more current info.

    Also, I'm a noob, but SMM has higher privileges on the processor because it's located in caching memory, and that's why the OS can't override it? I'm not sure I completely understand.



    • #3
      Re: Exploiting Intel® CPU cache mechanisms - Joanna and Rafal

      It would seem exploiting CPU errata is an interesting trend
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
      [ redacted ]
