Concerns over hardware-based rootkit detection
By Janet Harris
March 5, 2007
At the 2007 Black Hat DC conference, Joanna Rutkowska, a security researcher at COSEINC Malware Labs, demonstrated how hardware rootkit protection can fail to find a sophisticated rootkit on a compromised machine.
A rootkit is a program that is used to hack into a system and gain administrative-level access for malicious purposes.
Rutkowska demonstrated three different attacks against a computer showing how the image of volatile memory (RAM), which is assessed by a forensic examiner, can be made different from the real contents of the physical memory as seen by the CPU.
Although the research is purely theoretical, it shows that both hardware and software need to work in tandem during forensics in order to deal effectively with rootkit threats.
Rutkowska demonstrated three attack scenarios:
· crashing a machine during memory acquisition leading to denial-of-service against the forensics examiner seeking traces of malware on a hijacked machine;
· a ‘covering attack’, where the malware is programmed to present garbage data to the hardware trying to read physical memory;
· a ‘full replacing attack’ where the malware author not only hides malicious code from the memory acquisition tool but actually provides arbitrary/fake content to the examiner.
The attacks work because current systems give an acquisition tool no way to verify that the memory it reads is the memory the CPU actually sees. Rutkowska suggests that the design of computer systems should be changed so that RAM is verifiable.
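One way to put the "hardware and software in tandem" point into practice is to cross-check a hardware-acquired image against what the CPU itself reads: pages on which the two views disagree are exactly the places where a covering or replacing attack would show up. The Python below is an added illustration, not code from the talk or from any acquisition tool; the 4 KiB page granularity, the constructed fixture data and the "stable page" filter (two CPU-side snapshots taken a moment apart, so that pages that change on their own are not mistaken for tampering) are all assumptions made here.

```python
import hashlib

PAGE_SIZE = 4096  # assumed comparison granularity; real tools may use another unit


def page_hashes(image: bytes, page_size: int = PAGE_SIZE) -> list:
    """SHA-256 of every page in a raw memory image."""
    return [hashlib.sha256(image[i:i + page_size]).hexdigest()
            for i in range(0, len(image), page_size)]


def stable_pages(snap_a: bytes, snap_b: bytes, page_size: int = PAGE_SIZE) -> set:
    """Pages identical in two CPU-side snapshots taken a moment apart.

    Pages that change on their own (stacks, buffers, timers) are excluded so
    that ordinary volatility is not reported as a discrepancy."""
    ha, hb = page_hashes(snap_a, page_size), page_hashes(snap_b, page_size)
    if len(ha) != len(hb):
        raise ValueError("snapshots differ in size")
    return {i for i, (x, y) in enumerate(zip(ha, hb)) if x == y}


def cross_check(cpu_snap: bytes, device_snap: bytes, stable: set,
                page_size: int = PAGE_SIZE) -> list:
    """Page numbers, among the stable ones, where the hardware-acquired image
    disagrees with what the CPU sees.

    A non-empty result means the acquisition device and the CPU are not
    reading the same bytes, which is the condition all three scenarios rely on."""
    hc, hd = page_hashes(cpu_snap, page_size), page_hashes(device_snap, page_size)
    if len(hc) != len(hd):
        raise ValueError("images differ in size")
    return sorted(i for i in stable if hc[i] != hd[i])


def _fill(tag: bytes, page_size: int = PAGE_SIZE) -> bytes:
    """Deterministic pseudo-random page content derived from a tag (constructed data)."""
    out = bytearray()
    counter = 0
    while len(out) < page_size:
        out += hashlib.sha256(tag + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:page_size])


def build_fixture(n_pages: int = 8) -> tuple:
    """Constructed sample: two CPU-side snapshots and one device-side snapshot.

    Page 5 is volatile (changes between snapshots); the device sees constant
    filler on page 2 and plausible but different content on page 6; every
    other page is consistent across all three views."""
    cpu_a = [_fill(b"page%d" % i) for i in range(n_pages)]
    cpu_b = list(cpu_a)
    cpu_b[5] = _fill(b"page5-later")           # changed on its own between snapshots
    device = list(cpu_b)
    device[2] = b"\xff" * PAGE_SIZE            # filler instead of real content
    device[5] = _fill(b"page5-even-later")     # volatile page differs again; not tampering
    device[6] = _fill(b"page6-substitute")     # substituted content
    return b"".join(cpu_a), b"".join(cpu_b), b"".join(device)


def run_check() -> list:
    """Run the full procedure on the constructed fixture."""
    cpu_a, cpu_b, device = build_fixture()
    stable = stable_pages(cpu_a, cpu_b)
    return cross_check(cpu_b, device, stable)


if __name__ == "__main__":
    print("pages where the device view disagrees with the CPU view:", run_check())
```

On the fixture the check reports pages 2 and 6 and stays silent on page 5, because page 5 already differed between the two CPU-side snapshots and so carries no evidence either way. The limitation is the one the article implies: the CPU-side snapshot is itself taken by software running on the possibly compromised machine, so agreement between the two views is only as trustworthy as that software. The comparison narrows where to look; it does not replace a platform design in which RAM is verifiable.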