Rootkits Pushing into Hardware
A fundamental problem with any malware detection technique is that you need a trusted platform to run your detection techniques. Advances in rootkit techniques make it increasingly difficult to trust a device to detect its own infection. PC World describes a hardware-based rootkit developed by Shawn Embleton and Sherri Sparks of Clear Hat Consulting. There are drawbacks to their technique, but the approach demonstrates the limits of self-detection.
The rootkit runs in a protected part of memory and is known as a System Management Mode (SMM) rootkit. This isn't the first malware of this kind, but it is more advanced than previous attempts, according to PC World:
Researchers have suspected for several years that malicious software could be written to run in SMM. In 2006, researcher Loic Duflot demonstrated how SMM malware would work. "Duflot wrote a small SMM handler that compromised the security model of the OS," Embleton said. "We took the idea further by writing a more complex SMM handler that incorporated rootkit-like techniques."
The drawback is that the malware can't use any low-level operating system techniques, like hooking an API function, leaving the rootkit developer to write device drivers on their own. Nonetheless, this shows there are limits to how far one can trust a compromised device.
Expect to see distributed detection techniques that use other, presumably uninfected, devices to assess the state of possibly infected devices. Of course, granting that level of access to a remote device opens a world of possible attack methods. It wouldn't be long before someone tried to spoof a "detection device" in an attempt to attack another device.
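To make the two halves of that paragraph concrete, here is an added example (not code from the original post, nor from Clear Hat Consulting or PC World) of what a distributed check looks like when an external verifier, rather than the device itself, decides whether a device's SMM handler still matches a known-good image. It is a simple challenge/response exchange built on HMAC: the verifier sends a fresh nonce together with proof that it holds the shared key, the device refuses any "detector" that cannot produce that proof (the spoofing risk the post raises), and the device's answer is bound to the nonce so a recorded "clean" answer cannot be replayed later. The shared key, the sample handler images, the digests and the message layout are all constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample images: the vendor's SMM handler and a tampered copy.
CLEAN_SMM_IMAGE = b"vendor SMM handler v1 (constructed sample)"
TAMPERED_SMM_IMAGE = CLEAN_SMM_IMAGE + b" + injected hook (constructed sample)"

# Reference digest the verifier obtained out of band (assumption: from the vendor).
KNOWN_GOOD_DIGEST = hashlib.sha256(CLEAN_SMM_IMAGE).hexdigest().encode()


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts so fields cannot run into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class Device:
    """The possibly infected device. `key` stands in for a secret held outside the
    rootkit's reach (an assumption of this example); `image` is the memory region
    the verifier wants measured."""

    def __init__(self, key: bytes, image: bytes):
        self._key = key
        self._image = image

    def respond(self, nonce: bytes, verifier_tag: bytes):
        # Refuse to serve a 'detector' that cannot prove it holds the key: this is
        # the guard against a spoofed detection device trying to gain access.
        expected = _mac(self._key, b"verifier", nonce)
        if not hmac.compare_digest(expected, verifier_tag):
            return None
        digest = hashlib.sha256(self._image).hexdigest().encode()
        # Bind the measurement to this nonce so an old 'clean' answer cannot be replayed.
        tag = _mac(self._key, b"device", nonce, digest)
        return digest, tag


class Verifier:
    """The presumably uninfected device that performs the check."""

    def __init__(self, key: bytes):
        self._key = key

    def make_challenge(self):
        """Fresh nonce plus proof that this verifier holds the key."""
        nonce = secrets.token_bytes(16)
        return nonce, _mac(self._key, b"verifier", nonce)

    def evaluate(self, nonce: bytes, response) -> str:
        """Return 'refused', 'bad-tag', 'mismatch' or 'ok' for one response."""
        if response is None:
            return "refused"          # device did not accept us as a verifier
        digest, tag = response
        if not hmac.compare_digest(_mac(self._key, b"device", nonce, digest), tag):
            return "bad-tag"          # forged, or replayed under a different nonce
        if not hmac.compare_digest(digest, KNOWN_GOOD_DIGEST):
            return "mismatch"         # measured handler differs from the reference
        return "ok"


def run_check(verifier: Verifier, device: Device) -> str:
    """One complete round: challenge, device response, verdict."""
    nonce, verifier_tag = verifier.make_challenge()
    return verifier.evaluate(nonce, device.respond(nonce, verifier_tag))


if __name__ == "__main__":
    key = b"constructed-shared-secret"
    verifier = Verifier(key)
    print(run_check(verifier, Device(key, CLEAN_SMM_IMAGE)))        # ok
    print(run_check(verifier, Device(key, TAMPERED_SMM_IMAGE)))     # mismatch
    print(run_check(Verifier(b"wrong-key"), Device(key, CLEAN_SMM_IMAGE)))  # refused
```

The verdict is only as trustworthy as the two assumptions baked into `Device`: that the rootkit cannot read the key and cannot alter what gets measured. An SMM handler that controls the measuring code can simply report the clean digest, which is exactly why the post concludes that the measurement has to be anchored somewhere the compromised device cannot reach.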