February 28, 2007 9:12 AM PST

PC hardware can pose rootkit threat

ARLINGTON, Va.--PC hardware components can provide a way for hackers to sneak malicious code onto a computer, a security researcher warned Wednesday.

Every component in a PC, such as graphics cards, DVD drives and batteries, has some memory space for the software that runs it, called firmware. Miscreants could use this space to hide malicious code that would load the next time the PC boots, John Heasman, research director at NGS Software, said in a presentation at this week's Black Hat DC event here.

"This is an important area and people should be concerned about this," Heasman said. "Software security is getting better, yet we run increasingly complicated hardware. Unless we address hardware security, we're leaving an interesting avenue for attack."

Malicious code delivered via the memory on hardware components poses a rootkit threat since it will run on the PC before the operating system loads, Heasman said. This likely will hide it from security software and other protection mechanisms, he added. Such low-level malicious code is known as a rootkit.

Moreover, because the malicious code is stored on the hardware component and not a PC's hard disk, reinstalling the operating system or otherwise wiping the disk won't remove the threat.

In his research, Heasman focused on graphics cards inserted in the PCI, PCI Express or AGP slots on a PC motherboard. He found that it is possible to load a few kilobytes of additional code onto the memory of such cards. An attacker could do this by tricking the user into opening a malicious file, for example, he said.

"The PCI bus was developed by Intel in the 1990s. And as we all know, security wasn't in high respects at that time," Heasman said. "On a well-run network, administrators know which machines are on their network, but do they know what PCI devices are on their network? In most cases I'd imagine that the answer is no."

The concept Heasman presented is not new. Other security researchers have highlighted the risk before. And the industry has responded through the Trusted Computing Group and the Trusted Platform Module, which performs additional checks. However, the Trusted Platform Module isn't on every PC and its capabilities aren't always used, Heasman noted.

For increased protection, Heasman recommends scanning the memory on PC expansion cards and other hardware components and analyzing what the code stored there does.

10 comments

Might work
This might work if you're targeting one specific type of card, but how easy would it be to code a virus / worm / trojan that would attack different types of cards?
Posted by pgp_protector (122 comments )
Malware would have to target CPU on the card
I think this might work--but I would think the malware would have to be written in the machine language for the processor on the video (or other) card. This would not be an x86 processor, of course.
Then maybe the virus, running in the PCI card's processor, could transfer some x86 code to memory using the PCI bus.
How easy would it be to attack different types of cards? Not very. But that doesn't mean it can't / won't be done.
Posted by riordanmr (3 comments )
RE: PC Hardware can pose rootkit threat
This is fairly disturbing to me. So does the code have to be loaded on the PCI card prior to putting it into your computer? If so, at least there has not been a case (or at least to my knowledge) of PCI card makers acting like Sony and placing the kit on the device intending to set up a rootkit.
Posted by MD525 (22 comments )
Chicken Little
Don't look now, but the sky is falling....
Posted by Get_Bent (534 comments )
Not really that big of a threat
For the most part this really isn't that big of a threat, for a few reasons.

1) There are only two possible ways hardware could be infected: a.) by the supplier, b.) the user is already infected and it contains a very sophisticated virus that would know exactly where to write on a specific hardware device.

2) A virus would be too specific in what it could infect, because the way hardware memory is set up is different on each device, as is where its firmware is written.

3) would only be able to infect a few hardware devices, because of #2.


The best solution to this is to have a properly protected system from the outside. This includes suppliers and consumers, because that is the only method by which rogue code could be inserted into these hardware devices.
Posted by hmmdar (13 comments )
This is just bulls...
Unless the virus/root code is embedded in the hardware BIOS/firmware, this is just impossible.
Also, you can't run code from most hardware RAM; it's usually used as storage and it gets cleared once you reboot or turn your system off. This applies to video memory and caches / buffers. The only way it can be used by a virus is to store part of itself temporarily while the system is "on" and then load it back to memory, but it still needs to run from the computer memory. Once you reboot or turn the system off, it is gone.
They're just trying to scare people and make them look away from the real threat, the OS.
Posted by frankrr (1 comment )
Geez - this is like the old BIOS hysteria...
In this case, there is a certain point to it - vidcard RAM is plentiful in most cases, but question is, can it actually write back to the CPU and send malicious commands, or can it only affect what the monitor does? SCSI/RAID controller RAM would be more valuable in such a case, where there is a potential of overwriting actual disk space.

OTOH, both (and many other) instances fail utterly to take into account the fact that few computers are going to have the exact same configuration, even in the same OEM model line. All it would take is to replace the video card w/ a different one, or to simply not use the SCSI controller, or to update a driver for any of it, or...? Then the whole scheme goes 'splat'.

I suspect that it may be useful for one-off hacks, where the hardware configs are known down to version levels... but that would require it to be an inside or near-inside job to insure that the relevant bits are actually in play and can actually do what the intruder wants it to... Even if the machine runs Windows, it'd be a whole lot easier (and with greater returns) to make a rootkit that hides inside the OS, than to bother w/ lower or hardware-level stuff.

THEN, the intruder has to somehow get the malware loaded and running... not an easy feat if the IT shop has even the most rudimentary physical security measures.

As the obstacles pile up, there is less and less chance of this to even work, let alone be of any use. Sure, it could work under lab conditions, where all variables are known and the programmer has full, unfettered access. That said, any real world threats would require far more planning and execution than all but a very small handful of people would even be capable of, let alone pull off. Toss in strict physical security, and it becomes nearly impossible.

I'm sure there are limited instances where this could possibly work (voting machines, kiosks, perhaps ATM's...), but again, it would require a whole lot of work to pull off.

Come to think of it, it would prolly be easier to write a BIOS-borne bit of malware than to go this route...

/P
Posted by Penguinisto (5042 comments )
How?
How can the average user scan their hardware/firmware for infection?
Posted by Lifelover1972 (5 comments )
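The article's closing recommendation (scan the memory on expansion cards and analyze the code stored there) and the question above about how a user would scan their hardware come down to the same first step: read the expansion ROM off the device and check that it is structurally sound and matches a known-good copy. The script below is an added example written for this page; it is not code from the article, from NGS Software or from Heasman. It parses the standard PCI expansion ROM layout (the 55AA header and the "PCIR" data structure that names the vendor, device, image length and code type), verifies the x86 image checksum, and hashes each image so it can be compared against a baseline taken when the card was known to be clean. On Linux the real blob comes from /sys/bus/pci/devices/<address>/rom (write 1 to the file to enable it, read it, write 0; root required); here a constructed sample ROM with the placeholder vendor/device pair 0x1234/0x5678 is built in memory so the whole thing runs offline.

```python
"""Parse and sanity-check a PCI expansion ROM image (added example, stdlib only)."""
import hashlib
import struct

ROM_SIGNATURE = b"\x55\xaa"      # every PCI ROM image starts with 55h AAh
PCIR_SIGNATURE = b"PCIR"         # PCI Data Structure signature
CODE_TYPES = {0: "x86 legacy BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "EFI"}


def parse_pci_rom(blob):
    """Walk every image in a PCI expansion ROM and describe each one."""
    images, offset, last = [], 0, False
    while not last:
        if offset + 0x1A > len(blob):
            raise ValueError(f"ROM truncated: expected an image header at {offset:#x}")
        if blob[offset:offset + 2] != ROM_SIGNATURE:
            raise ValueError(f"missing 55AA signature at {offset:#x}")
        # Offset 0x18 of the image header points at the PCI Data Structure.
        pcir = offset + struct.unpack_from("<H", blob, offset + 0x18)[0]
        if blob[pcir:pcir + 4] != PCIR_SIGNATURE:
            raise ValueError(f"missing PCIR structure for image at {offset:#x}")
        (vendor, device, _devlist, _pcir_len, _pcir_rev, cls_lo, cls_mid, cls_hi,
         img_units, _rev_level, code_type, indicator, _reserved) = struct.unpack_from(
            "<HHHHBBBBHHBBH", blob, pcir + 4)
        if img_units == 0:
            raise ValueError(f"image at {offset:#x} declares zero length")
        size = img_units * 512                      # image length is in 512-byte units
        image = blob[offset:offset + size]
        if len(image) < size:
            raise ValueError(f"image at {offset:#x} runs past end of ROM")
        # x86 images must sum to zero mod 256; other code types have no such rule.
        checksum_ok = (sum(image) & 0xFF) == 0 if code_type == 0 else None
        header_units = blob[offset + 2] if code_type == 0 else None
        images.append({
            "offset": offset,
            "vendor_id": vendor,
            "device_id": device,
            "class_code": (cls_hi << 16) | (cls_mid << 8) | cls_lo,
            "code_type": CODE_TYPES.get(code_type, f"unknown code type {code_type}"),
            "size_bytes": size,
            "header_size_units": header_units,
            "checksum_ok": checksum_ok,
            "sha256": hashlib.sha256(image).hexdigest(),   # compare against a clean baseline
        })
        last = bool(indicator & 0x80)               # bit 7 marks the final image
        offset += size
    return images


def rom_anomalies(images, expected_vendor, expected_device):
    """Flag mismatches between the ROM and what the device's config space claims."""
    issues = []
    for i, img in enumerate(images):
        tag = f"image {i} @ {img['offset']:#x}"
        if (img["vendor_id"], img["device_id"]) != (expected_vendor, expected_device):
            issues.append(f"{tag}: PCIR vendor/device {img['vendor_id']:04x}:{img['device_id']:04x} "
                          f"does not match config space {expected_vendor:04x}:{expected_device:04x}")
        if img["checksum_ok"] is False:
            issues.append(f"{tag}: x86 image checksum is wrong (modified or corrupted image)")
        if img["header_size_units"] is not None and img["header_size_units"] * 512 != img["size_bytes"]:
            issues.append(f"{tag}: header size and PCIR image length disagree")
        if img["code_type"].startswith("unknown"):
            issues.append(f"{tag}: {img['code_type']}")
    return issues


def build_sample_rom(vendor=0x1234, device=0x5678, size_units=2, corrupt=False):
    """Constructed 1 KB x86 VGA option ROM used as offline sample input (not a real card's ROM)."""
    img = bytearray(size_units * 512)
    img[0:2] = ROM_SIGNATURE
    img[2] = size_units                              # x86 header: size in 512-byte units
    img[3:6] = b"\xe9\x00\x00"                       # init entry point (jmp placeholder)
    struct.pack_into("<H", img, 0x18, 0x40)          # PCIR lives at offset 0x40
    struct.pack_into("<4sHHHHBBBBHHBBH", img, 0x40, PCIR_SIGNATURE, vendor, device,
                     0, 0x18, 3, 0x00, 0x00, 0x03,   # class 03:00:00 = VGA controller
                     size_units, 1, 0, 0x80, 0)      # x86 code type, last image
    img[-1] = (-sum(img)) & 0xFF                     # fix up checksum byte
    if corrupt:
        img[0x200] ^= 0xFF                           # simulate a tampered/corrupted byte
    return bytes(img)


if __name__ == "__main__":
    # Real use: rom = open("/sys/bus/pci/devices/0000:01:00.0/rom", "rb").read()
    for blob in (build_sample_rom(), build_sample_rom(corrupt=True)):
        parsed = parse_pci_rom(blob)
        for img in parsed:
            print(f"{img['code_type']:16} {img['size_bytes']:5d} bytes  sha256={img['sha256'][:16]}...")
        print(rom_anomalies(parsed, 0x1234, 0x5678) or ["no anomalies"])
```

The expected vendor and device IDs passed to rom_anomalies should come from the device's own config space (on Linux, the vendor and device files next to rom), so a ROM that names a different device than the card it sits in stands out. The SHA-256 per image is what makes the baseline comparison work: record it from a known-good machine of the same model and alert when it changes.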
One way to make this work
The only way I could see making this type of attack work would be to target an organization with many, many standard built machines. You're talking large corporations, government installs, etc. Lots of machines loaded with identical hardware and software. Why? Because one custom mod could theoretically throw off the whole routine. The goal here for the bad guys is money, not bragging rights. Espionage, spam or rentable bot armies are what pay the bills (quite handsomely for the most part), today.

Going after the guy at home with broadband is already easily enough accomplished. One reported botnet has already been determined to contain over 1.2 Million machines - most of those home machines in Asia and Eastern Europe.

The other actual question brought up in these posts? How does Joe Homeuser protect himself? You don't. Your anti-virus software makers just get to add yet another "wonderful feature" to their product lines to scan all machine-writable (thus readable as well) memory to check for things that go bump in the night. For every action there is a separate and equal reaction. No different with software.

There was a time when you could do nothing about removing boot sector virii as well. Well, not without damaging the boot sector first. It's just another obstacle to overcome. Frankly, I'd be much more worried about a foreign government using this technology than about a hacker out to take over my home machine. This all sounds much too detailed and time consuming to create enough variants for the home market at this time. Really, we'll need more analysis to fully understand how deep this can go and what this type of machine-level rootkiting is really capable of.

Also understand that much of the memory we are talking about is volatile, not static. Remove the card from the slot or turn off the computer and the memory is effectively wiped out.

Enjoy!
Posted by beads1 (3 comments )