
Intel Chip Vulnerability

More on SMM  (System Management Mode)

Loïc Duflot and, independently, Joanna Rutkowska & Rafal Wojtczuk of Invisible Things Lab discovered this vulnerability.

Loïc Duflot presented on it at the CanSecWest conference in Vancouver, 2009.

Joanna Rutkowska released a research paper, with exploit code, for this SMM attack, which installs via an Intel® CPU caching vulnerability.

Intel employees, however, found this flaw back in 2005.

You could be pwned forever.
Imagine that this exploit has the potential to damage hardware.
Imagine if it shuts off all the fans in your computer.
Imagine it over-volting your processor.
Imagine it sending some devastating command to your HDD.


www.networkworld.com/community/node/39825

This is the scariest, stealthiest, and most dangerous exploit I've seen come around since the legendary Blue Pill! No, I'm not just trying to sensationalize this or spread fear, uncertainty and doubt. This is serious and represents a massive new security threat for us all.


The heart-stopping thing about this particular exploit is that it hides itself in the SMM space. To put that into perspective, SMM is more privileged than a hypervisor is and it's not controllable by any Operating System. By design, the operating system cannot override or disable System Management Interrupt (SMI) calls. In practice, the only way for you to know what is running in SMM space is to physically disassemble the firmware of your computer. So, given that an SMI takes precedence over any OS call, the OS cannot control or read SMM, and the only way to read SMM is to disassemble the system, an SMM rootkit is incredibly stealthy! It is very much like the blue pill attack (the PC is living in the matrix which is under your complete control) except that SMM attacks are at an even deeper hardware level of abstraction than a hypervisor exploit!



Joanna Rutkowska - Invisible Things  Lab

March 19, 2009
theinvisiblethings.blogspot.com/2009/03/attacking-smm-memory-via-intel-cpu.html

March 20, 2009
theinvisiblethings.blogspot.com/2009_03_01_archive.html


BIOS Attack Survives Hard Disk Wipe

Alfredo Ortega and Anibal Sacco from Core Security Technologies have found a way to attack and infect the BIOS by patching it with persistent code that survives reboots, reflashing, and hard disk wipes.

According to them, your machine can be completely taken over at the lowest level without the use of any vulnerability.

"It was very easy. We can put the code wherever we want," said Ortega. "We're not using a vulnerability in any way. I'm not sure if you understand the impact of this. We can reinfect the BIOS every time it reboots."

threatpost.com/blogs/researchers-unveil-persistent-bios-attack-methods


Presented at:

    CanSecWest, Vancouver, 2009
    By Anibal Sacco & Alfredo Ortega from Core Security Technologies
    cansecwest.com/


Core Security Technologies
www.coresecurity.com/   

Download .pdf
www.coresecurity.com/content/Persistent-Bios-Infection





The Blue Pill

The BluePill Project

bluepillproject.org/

The BluePill by Joanna Rutkowska is a proof of concept (POC) of virtualized, stealthy malware.

BluePill requires hardware virtualization. It works on machines with an Intel VT-x or AMD SVM capable CPU.


Basically, this is how it works:

 

  1. The Blue Pill code can execute on a user's machine using a variety of attack methods (virus, spyware, etc.).
  2. When the Blue Pill code executes, it very quickly moves your entire operating system into a guest hardware virtual machine that is controlled by the Blue Pill. This happens on the fly without user awareness. It does not require a reboot.
  3. The Blue Pill now has complete control over the guest operating system. All system calls will now be run through Blue Pill: it can intercept, copy, create, delete, or modify anything. The Blue Pill completely controls the host computer on which it has installed itself.
  4. Blue Pill does not require any changes to the original operating system, hardware, or BIOS. For this reason, it is undetectable.
  5. Blue Pill bypasses any AV, FW, or HIPS software that is running on the target machine. As well, Blue Pill can bypass all the new Vista-provided security mechanisms.
  6. Essentially, your OS is now unknowingly running within a virtual machine: a computer within a computer. Your OS is a slave to the Blue Pill and will now trust anything that the Blue Pill tells it.
  7. You will not notice anything. Your machine cannot determine what is real and what is not. You'll be unaware that the environment is completely fabricated and false because it feels and looks as authentic as your real one.

Read more:
theinvisiblethings.blogspot.com/2006/07/blue-pill-hype.html

en.wikipedia.org/wiki/Blue_Pill_(malware)

 




The quest for ring 0

French security engineer and researcher Loïc Duflot talks about the "System Management Mode attack, how to mitigate it, what hardware is vulnerable, and why we should be concerned with recent X Server bugs".

A feature called System Management Mode, included in modern x86 CPUs, opens the way to the land of kernel space and the quest for ring zero.


www.securityfocus.com/columnists/402


Comment from Hylas:
www.securityfocus.com/comments/columns/402/33600#33600






The Manchurian Microchip

Robert Eringer wrote an interesting article regarding computer components manufactured and assembled in China.

The myth: Chinese intelligence services have concealed a microchip in every computer everywhere, programmed to “call home” if and when activated.

The reality: It may actually be true.


www.dailyartisan.com/news/and-now-the-manchurian-microchip/



Researchers: Rootkits headed for BIOS

Insider attacks and industrial espionage could become more stealthy by hiding malicious code in the core system functions available in a motherboard's flash memory, researchers said on Wednesday at the Black Hat Federal conference.

www.securityfocus.com/news/11372


Some comments to the article:

www.securityfocus.com/comments/articles/11372/33017#33017

www.securityfocus.com/comments/articles/11372/34206#34206

www.securityfocus.com/comments/articles/11372/33500#33500

www.securityfocus.com/comments/articles/11372/34207#34207

www.securityfocus.com/comments/articles/11372/34722#34722

www.securityfocus.com/comments/articles/11372/34884#34884






Time & Date Stamps


The time & date stamps of files and folders can be skewed.
The "modified" dates and times in these screens are beyond normal.

Located in Folder C:\<unknown>


Spyware Forum Posts

Many of the posters listed below have asked for help on some very popular malware and spyware forums.

These posters have much in common: they cannot remove or recover from whatever has infected their machines.
The symptoms they have all described are common to the subversion hack.

I don't believe that these posters ever had their requests for help resolved.


June, 2004


The worst trojan on the net, goes un-detectable to all scanners
www.spywareinfoforum.com/index.php


August, 2004


Hacker  Is Alive and Well AFTER Reformat, New Firewall, Etc...
www.experts-exchange.com/Security/Operating_Systems_Security/Windows/Q_21110443.html


January, 2005


HELP! Terminal Service Trojan??
help.lockergnome.com/windows/HELP-Terminal-Service-Trojan--ftopict386055.html


Trojan "changes" XP -- > 2000 virtual machine??
help.lockergnome.com/windows/modules.php


April, 2005

SuS  "trojan" in XP changes OS and creates "virtual" remote desk
groups.google.com/group/microsoft.public.security/browse_thread/thread/dd3f2ca4d22e5054/7b58b17c4ceb38de


April, 2006

Don't think my comp. was Hijacked.  Was more Like conquered
forums.techguy.org/malware-removal-hijackthis-logs/460215-dont-think-my-comp-hijacked.html


September, 2005

Rootkit????Have tried everything...literally..
www.derkeiler.com/Newsgroups/microsoft.public.security.virus/2005-09/0223.html


June, 2006

window problem hard to locate
forums.techguy.org/windows-nt-2000-xp/471808-window-problem-hard-locate.html



July, 2006

Script help *hacker?
forums.techguy.org/malware-removal-hijackthis-logs/483503-script-help-hacker.html