[Infowarrior] - Researcher sees ROM as rootkit home

Richard Forno rforno at infowarrior.org
Wed Feb 28 22:56:56 EST 2007


Researcher sees ROM as rootkit home
Published: 2007-02-28

http://www.securityfocus.com/brief/447?ref=rss

ARLINGTON, VA. -- The flashable memory on graphics cards and other add-on
hardware could easily be used to hide malicious code on computer systems,
yet still run the software at boot time, a researcher told attendees at the
Black Hat DC conference on Wednesday.

Such surreptitious code, known as a rootkit, could be hidden in the
expansion read-only memory (ROM) frequently used by add-on Peripheral
Component Interconnect (PCI) cards, said John Heasman, a security researcher
with Next-Generation Security Software. The expansion ROM attack could
update itself using a covert channel to the Internet, run at boot time and
would be fairly difficult to detect. It doesn't help that the developers
creating device drivers don't normally consider security, he said.

"Graphics card makers, for example, are not thinking about this attack,"
Heasman said. "They want to make it as easy as possible to update the ROM."

Attacks that use rootkits stored outside of system memory are not totally
new. Last year, Heasman presented practical research into malicious software
that could use the motherboard's Advanced Configuration and Power Interface
(ACPI) to run code at boot time. In November, Heasman released his initial
paper on the PCI rootkits.

The technique will not likely become a prevalent threat. Because the attack
requires a great deal of technical knowledge and effort, an attacker is more
likely to use standard software Trojan horses to compromise systems, he
said. Computers that have specialized hardware security based on the Trusted
Computing Platform will be largely immune to such attacks.



