SMM-Rootkits-Securecom08

SMM Rootkits: A New Breed of OS Independent Malware

Shawn Embleton, University of Central Florida, sembleton@cs.ucf.edu
Sherri Sparks, University of Central Florida, ssparks@cs.ucf.edu
Cliff Zou, University of Central Florida, czou@cs.ucf.edu

ABSTRACT

The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: the System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits. In this paper, we present our development of a proof-of-concept SMM rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The rootkit hides its memory footprint and requires no changes to the existing Operating System. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective, we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.
Categories and Subject Descriptors
D.4.6 [Operating Systems]: Security and Protection – Invasive software (e.g., viruses, worms, Trojan horses)

General Terms
Security

Keywords
System Management Mode, Rootkit, Malware, Virtualization, Operating System Security

1. INTRODUCTION

A rootkit consists of a set of programs that work to subvert control of an Operating System from its legitimate users [16]. If one were asked to classify viruses and worms by a single defining characteristic, the first word to come to mind would probably be replication. In contrast, the single defining characteristic of a rootkit is stealth. Viruses reproduce, but rootkits hide. They hide by compromising the communication conduit between an Operating System and its users. Secondary to hiding themselves, rootkits are generally capable of gathering and manipulating information on the target machine. They may, for example, log a victim user's keystrokes to obtain passwords or manipulate the system state to allow a remote attacker to gain control by altering security descriptors and access tokens. Since the user's view of the computer system and its resources is
This note was uploaded on 08/25/2011 for the course EEL 5937 taught by Professor Staff during the Spring '08 term at University of Central Florida.
